TLS1.2 through WinHttpSetOption on winhttp_client #54


Closed
zoenie123 opened this issue Jan 14, 2016 · 5 comments

Comments

@zoenie123

I need to activate TLS1.2 in Casablanca on Windows. The only way I have found to do this is actually to recompile the cpprest120_2_7.dll with the following lines in the open() function of winhttp_client:

```cpp
// Open session and connection with the server.
unsigned long open()
{
    ..........

    // Protocol mask applied to the WinHTTP session handle (m_hSession), as posted:
    // SSL 3.0 and TLS 1.0 through TLS 1.2 are all enabled.
    DWORD protocols = WINHTTP_FLAG_SECURE_PROTOCOL_SSL3 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;
    if(!WinHttpSetOption(m_hSession, WINHTTP_OPTION_SECURE_PROTOCOLS, &protocols, sizeof(protocols)))
    {
        return report_failure(_XPLATSTR("Error setting protocols"));
    }

    ........

}
```

This works, so far so good, but it needs recompilation of cpprest120_2_7.dll and this is surely not the right way to go when it concerns future updates of the SDK.

I have also tried to use the set_nativehandle_options to do these settings so I don't have to recompile the cpprest120_2_7.dll, but unfortunately this native handle concerns only the request handle (in the send_request function) and not the session handle.

Is there any way to enable TLS1.2 without recompilation of cpprest120_2_7.dll? And if not, could a callback function like set_nativehandle_options also be implemented in the open function in the standard release of the SDK, exposing the session handle so that I can use WinHttpSetOption on this session handle in my own software?

@megaposer
Contributor

I tried to weasel my way into this by setting a WINHTTP_STATUS_CALLBACK and then realized it will be invoked with the request handle even if initially registered with the session handle - which of course makes perfect sense in retrospect.

Adding something like set_nativehandle_session_options is appealing at first glance to allow arbitrary (session) options to be set in the future as long as the library does not support these. On the other hand, the different (native) callbacks would mess up the API (IMHO) and make it more difficult/confusing for new users of the library to use.

There is already a platform specific callback for the ASIO based client (set_ssl_context_callback) and this would add yet another callback for the WINHTTP based client (only?).

Still I'd personally welcome such an extension ...

Also, the functionality would be important enough (for me) to warrant an appropriate config option within http_client_config where one could set the wanted/unwanted protocols, then let the WINHTTP or ASIO implementations take care of it accordingly.

@zoenie123
Author

zoenie123 commented Jan 15, 2016

Only one overloaded callback with an extra parameter showing where the handle comes from would be sufficient:

```cpp
// Tells the user callback which WinHTTP handle it is being given.
enum class callback_origin {
  open_session   // the session handle (HINTERNET from WinHttpOpen)
 ,send_request   // the request handle, as with the existing callback
};

// Existing single-argument form, kept for compatibility.
void invoke_nativehandle_options(native_handle handle) const
{
  ...... //here the new overloaded function could be called, if the old one is deprecated
}

// New overload: the origin lets the user decide which options apply to the handle.
void invoke_nativehandle_options(native_handle handle, callback_origin cb_origin) const
{
  ......
}
```

and then call the open_session callback in the open function:

```cpp
try
{
    // Scoped enumerator: callback_origin is an enum class, so the qualifier is required.
    config.invoke_nativehandle_options(m_hSession, callback_origin::open_session);
}
catch (...)
{
    return report_failure(_XPLATSTR("Error invoking native handle options"));
}
```

@ras0219-msft
Contributor

We definitely need APIs to allow setting options on the underlying native handles. To keep consistency with the existing callback APIs, it's probably best to add a separate API like @megaposer suggested above: set_nativehandle_session_options. It is unfortunate that on Windows there will be multiple APIs, but I feel it would be even worse to have the callback take an extra parameter on Windows instead.

It's also a good point that it's common enough to want to specify the desired protocols. It's something we can reasonably expect every underlying platform to support, so it definitely would be reasonable to have this as a first-class API.

@zoenie123
Author

Any updates on this issue?

@WolfgangVogl

Are you still using version 2.7? I've read that with 2.10 it's possible to set WINHTTP_OPTION_SECURE_PROTOCOLS to enable TLS 1.1/1.2.
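As an added example (not code from this issue or from cpprestsdk): a small C++ helper that builds the WINHTTP_OPTION_SECURE_PROTOCOLS mask the way a client should set it today (TLS 1.2 only, TLS 1.3 opt-in), rejects masks that still carry SSL 3.0 or TLS 1.0/1.1 such as the one in the original post, and, on Windows, applies an accepted mask to the session handle with the same WinHttpSetOption call. The flag constants are the ones from winhttp.h; the function names are assumptions of this example.

```cpp
#include <cstdint>
#include <string>

#ifdef _WIN32
#include <windows.h>
#include <winhttp.h>
#else
// Non-Windows build: the constants from <winhttp.h> are reproduced here
// so the mask logic can be compiled and tested on any platform.
typedef uint32_t DWORD;
#define WINHTTP_OPTION_SECURE_PROTOCOLS      84
#define WINHTTP_FLAG_SECURE_PROTOCOL_SSL2    0x00000008
#define WINHTTP_FLAG_SECURE_PROTOCOL_SSL3    0x00000020
#define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1    0x00000080
#define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1  0x00000200
#define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2  0x00000800
#endif
#ifndef WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3  // missing from older Windows SDKs
#define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3  0x00002000
#endif

// Versions a client should no longer offer: SSL 2.0/3.0 and TLS 1.0/1.1.
const DWORD kLegacyProtocols = WINHTTP_FLAG_SECURE_PROTOCOL_SSL2 | WINHTTP_FLAG_SECURE_PROTOCOL_SSL3 |
                               WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1;

// Mask enabling TLS 1.2 only, plus TLS 1.3 when requested. Older WinHTTP builds
// may reject a mask containing a flag they do not know, so TLS 1.3 is opt-in.
DWORD hardened_protocol_mask(bool include_tls13) {
    DWORD mask = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;
    if (include_tls13) mask |= WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3;
    return mask;
}

// Returns an empty string if the mask is acceptable, otherwise the reason it is not.
std::string check_protocol_mask(DWORD mask) {
    if (mask == 0) return "no protocol enabled";
    if (mask & kLegacyProtocols) return "legacy SSL/TLS versions enabled";
    if (!(mask & WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2)) return "TLS 1.2 not enabled";
    return "";
}

#ifdef _WIN32
// Apply the mask to the WinHTTP *session* handle (the one returned by WinHttpOpen),
// which is the handle the issue could not reach through set_nativehandle_options.
bool apply_protocol_mask(HINTERNET session, DWORD mask) {
    if (!check_protocol_mask(mask).empty()) return false;  // refuse weak masks
    return WinHttpSetOption(session, WINHTTP_OPTION_SECURE_PROTOCOLS, &mask, sizeof(mask)) != FALSE;
}
#endif
```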
