Enable certificate revocation checking by default in wxWebRequestWinHTTP?

Vadim Zeitlin

Jun 23, 2025, 1:06:52 PM
to wx-dev
Hello,

I wonder if we should set the WinHTTP WINHTTP_OPTION_ENABLE_FEATURE option to
the value of WINHTTP_ENABLE_SSL_REVOCATION in the wxWebRequestWinHTTP code to
enable CRL checking by default? libcurl does do this by default under
Windows, so this would make the behaviour of both backends under Windows
more consistent.

I also _think_ that it's possible to enable CRL checking system-wide by
using a group policy under Windows, so this would make the application
behaviour more predictable, as it wouldn't depend on whether this policy is
enabled or not (OTOH I'm not really sure about this because even though
there are many mentions of this on the Internet, enabling this policy
didn't change the behaviour on my own system at all).

If we do this, we would also need to add some Ignore_RevokationCheckError
flag (any suggestions for a better name?) that could be passed to
MakeInsecure() to still allow connecting even if the CRL check fails.

Does anybody have more experience with this stuff? Doing what I suggest
would definitely make sense for my own particular application, but I'm not
sure if this is true more generally, so please let me know if you have any
thoughts on this subject.

Thanks,
VZ