PR #516 enabled certificate revocation checking on WinHTTP by calling WinHttpSetOption with WINHTTP_OPTION_ENABLE_FEATURE and WINHTTP_ENABLE_SSL_REVOCATION.
However, a client that wants to opt out of this behavior cannot do so through the callback set with set_nativehandle_options and invoked by invoke_nativehandle_options. This is because subsequent calls to WINHTTP_OPTION_ENABLE_FEATURE are additive, so even setting the input flags to 0 does not reset the previously enabled 'enable SSL revocation' option.
Furthermore, revocation checks are performed even when set_validate_certificates(false) has been called.
Instead, http_client_config should provide an explicit way to opt out of revocation checks. If the appropriate flag is set, it should never call WinHttpSetOption with WINHTTP_ENABLE_SSL_REVOCATION.
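To make the problem and the proposed fix concrete, here is an added example (not cpprestsdk code). It models the WinHTTP request handle and WinHttpSetOption with a stand-in so it runs off Windows; the stand-in reproduces only the additive behavior of WINHTTP_OPTION_ENABLE_FEATURE described above. The setter set_check_certificate_revocation is a hypothetical name for the opt-out the issue asks for, and tying revocation to set_validate_certificates(false) is one possible reading of the second complaint, not an existing API.

```cpp
#include <cstdint>
#include <functional>
#include <iostream>
#include <utility>

// Values as defined in winhttp.h.
constexpr std::uint32_t WINHTTP_OPTION_ENABLE_FEATURE = 79;
constexpr std::uint32_t WINHTTP_ENABLE_SSL_REVOCATION = 0x00000001;

// Stand-in for the WinHTTP request handle. On Windows this state lives inside
// WinHTTP and is only reachable through WinHttpSetOption; it is modelled here
// (constructed for the example) so the behavior can be shown off Windows.
struct FakeRequestHandle {
    std::uint32_t enabled_features = 0;
};

// Model of WinHttpSetOption(h, WINHTTP_OPTION_ENABLE_FEATURE, &flags, sizeof flags).
// Feature flags accumulate: passing 0 enables nothing and clears nothing.
bool fake_WinHttpSetOption(FakeRequestHandle& h, std::uint32_t option, std::uint32_t flags) {
    if (option != WINHTTP_OPTION_ENABLE_FEATURE) return false;
    h.enabled_features |= flags;
    return true;
}

// Minimal model of the relevant http_client_config surface.
class http_client_config_model {
public:
    void set_validate_certificates(bool v) { validate_ = v; }
    bool validate_certificates() const { return validate_; }

    // Hypothetical explicit opt-out proposed by the issue (not an existing API).
    void set_check_certificate_revocation(bool v) { check_revocation_ = v; }
    bool check_certificate_revocation() const { return check_revocation_; }

    void set_nativehandle_options(std::function<void(FakeRequestHandle&)> cb) { cb_ = std::move(cb); }
    void invoke_nativehandle_options(FakeRequestHandle& h) const { if (cb_) cb_(h); }

private:
    bool validate_ = true;
    bool check_revocation_ = true;
    std::function<void(FakeRequestHandle&)> cb_;
};

// Behavior after PR #516: revocation is always enabled, then the user callback
// runs. Returns the final feature mask so the outcome can be inspected.
std::uint32_t apply_options_before_fix(const http_client_config_model& cfg, FakeRequestHandle& h) {
    fake_WinHttpSetOption(h, WINHTTP_OPTION_ENABLE_FEATURE, WINHTTP_ENABLE_SSL_REVOCATION);
    cfg.invoke_nativehandle_options(h);  // too late: flags are additive
    return h.enabled_features;
}

// Proposed behavior: decide before the first WinHttpSetOption call, and never
// pass WINHTTP_ENABLE_SSL_REVOCATION when the client opted out or disabled
// certificate validation altogether.
std::uint32_t apply_options_after_fix(const http_client_config_model& cfg, FakeRequestHandle& h) {
    if (cfg.validate_certificates() && cfg.check_certificate_revocation()) {
        fake_WinHttpSetOption(h, WINHTTP_OPTION_ENABLE_FEATURE, WINHTTP_ENABLE_SSL_REVOCATION);
    }
    cfg.invoke_nativehandle_options(h);
    return h.enabled_features;
}

// A callback that tries (and fails) to opt out by passing 0, as the issue describes.
void zero_flags_callback(FakeRequestHandle& h) {
    fake_WinHttpSetOption(h, WINHTTP_OPTION_ENABLE_FEATURE, 0);
}

int main() {
    http_client_config_model cfg;
    cfg.set_nativehandle_options(zero_flags_callback);
    FakeRequestHandle h1;
    std::cout << "before fix, callback passes 0: revocation="
              << ((apply_options_before_fix(cfg, h1) & WINHTTP_ENABLE_SSL_REVOCATION) != 0) << "\n";

    cfg.set_check_certificate_revocation(false);
    FakeRequestHandle h2;
    std::cout << "after fix, explicit opt-out: revocation="
              << ((apply_options_after_fix(cfg, h2) & WINHTTP_ENABLE_SSL_REVOCATION) != 0) << "\n";
    return 0;
}
```

The point the model makes is that an additive option API cannot be undone by a later hook, so an opt-out has to be a config decision consulted before the first WinHttpSetOption call rather than something the nativehandle callback can repair.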