Add support to ignore invalid cert common name (#4361)

sdk/core/azure-core/CHANGELOG.md

@@ -4,6 +4,9 @@
 
 ### Features Added
 
+- Added the ability to ignore invalid certificate common name for TLS connections in WinHTTP transport.
+- Added `DisableTlsCertificateValidation` in `TransportOptions`.
+
 ### Breaking Changes
 
 ### Bugs Fixed

sdk/core/azure-core/inc/azure/core/http/policies/policy.hpp

@@ -173,6 +173,19 @@ namespace Azure { namespace Core { namespace Http { namespace Policies {
      */
     bool EnableCertificateRevocationListCheck{false};
 
+    /**
+     * @brief Disable SSL/TLS certificate verification. This option allows transport layer to
+     * perform insecure SSL/TLS connections and skip SSL/TLS certificate checks while still having
+     * SSL/TLS-encrypted communications.
+     *
+     * @remark Disabling TLS security is generally a bad idea because it allows malicious actors to
+     * spoof the target server and should never be enabled in production code.
+     *
+     * @remark This field is only used if the customer has not specified a default transport
+     * adapter. If the customer has set a Transport adapter, this option is ignored.
+     */
+    bool DisableTlsCertificateValidation{false};
+
     /**
      * @brief Base64 encoded DER representation of an X.509 certificate expected in the certificate
      * chain used in TLS connections.

sdk/core/azure-core/inc/azure/core/http/win_http_transport.hpp

@@ -70,6 +70,11 @@ namespace Azure { namespace Core {
        */
       bool IgnoreUnknownCertificateAuthority{false};
 
+      /**
+       * @brief When `true`, allows an invalid common name in a certificate.
+       */
+      bool IgnoreInvalidCertificateCommonName{false};
+
       /**
        * Proxy information.
        */

sdk/core/azure-core/src/http/curl/curl.cpp

@@ -311,6 +311,7 @@ Azure::Core::Http::CurlTransportOptions CurlTransportOptionsFromTransportOptions
     curlOptions.SslOptions.PemEncodedExpectedRootCertificates
         = PemEncodeFromBase64(transportOptions.ExpectedTlsRootCertificate, "CERTIFICATE");
   }
+  curlOptions.SslVerifyPeer = !transportOptions.DisableTlsCertificateValidation;
   return curlOptions;
 }
 

sdk/core/azure-core/src/http/transport_policy.cpp

@@ -28,11 +28,11 @@ namespace Azure { namespace Core { namespace Http { namespace Policies { namespa
      */
     bool AreAnyTransportOptionsSpecified(TransportOptions const& transportOptions)
     {
-      return (
-          transportOptions.HttpProxy.HasValue() || transportOptions.ProxyPassword.HasValue()
-          || transportOptions.ProxyUserName.HasValue()
-          || transportOptions.EnableCertificateRevocationListCheck
-          || !transportOptions.ExpectedTlsRootCertificate.empty());
+      return (transportOptions.HttpProxy.HasValue() || transportOptions.ProxyPassword.HasValue()
+              || transportOptions.ProxyUserName.HasValue()
+              || transportOptions.EnableCertificateRevocationListCheck
+              || !transportOptions.ExpectedTlsRootCertificate.empty())
+          || transportOptions.DisableTlsCertificateValidation;
     }
   } // namespace
 

sdk/core/azure-core/src/http/winhttp/win_http_transport.cpp

@@ -765,6 +765,12 @@ WinHttpTransportOptions WinHttpTransportOptionsFromTransportOptions(
     httpOptions.IgnoreUnknownCertificateAuthority = true;
   }
 
+  if (transportOptions.DisableTlsCertificateValidation)
+  {
+    httpOptions.IgnoreUnknownCertificateAuthority = true;
+    httpOptions.IgnoreInvalidCertificateCommonName = true;
+  }
+
   return httpOptions;
 }
 } // namespace
@@ -918,6 +924,16 @@ _detail::WinHttpRequest::WinHttpRequest(
     }
   }
 
+  if (options.IgnoreInvalidCertificateCommonName)
+  {
+    auto option = SECURITY_FLAG_IGNORE_CERT_CN_INVALID;
+    if (!WinHttpSetOption(
+            m_requestHandle.get(), WINHTTP_OPTION_SECURITY_FLAGS, &option, sizeof(option)))
+    {
+      GetErrorAndThrow("Error while setting ignore invalid certificate common name.");
+    }
+  }
+
   if (options.EnableCertificateRevocationListCheck)
   {
     DWORD value = WINHTTP_ENABLE_SSL_REVOCATION;