fix(cpp): honor SSL_CERT_FILE via CURLOPT_CAINFO for TLS on Android#866
fix(cpp): honor SSL_CERT_FILE via CURLOPT_CAINFO for TLS on Android#866sheetalarkadam wants to merge 1 commit into
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
Pull request overview
This PR fixes TLS certificate verification failures on Android (and any platform where the bundled statically-linked libcurl has a non-existent compiled-in default CA path). Previously the caller-provided trust store set via SSL_CERT_FILE was silently ignored, causing every HTTPS request to Azure to fail with "self-signed certificate in certificate chain". The fix reads SSL_CERT_FILE in the SDK core and forwards it explicitly to libcurl through CurlTransportOptions.CAInfo (CURLOPT_CAINFO), which libcurl always honors. The change is additive and guarded to the libcurl (non-WinHTTP) transport path, so desktop Windows (WinHTTP/SChannel) is unaffected.
Changes:
- In both
HttpRequestRawandHttpDownloadFile, constructCurlTransportwithCurlTransportOptionswhoseCAInfois populated fromSSL_CERT_FILE(only when set and non-empty). - Add
<cstdlib>include forstd::getenvin both files. - Correct the
AndroidBuildPlan.mdSSL section to reflect that neitherSSL_CERT_DIRnorSSL_CERT_FILEis auto-consulted, and that the Core forwardsSSL_CERT_FILEtoCAInfo.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| sdk_v2/cpp/src/http/http_client.cc | Forwards SSL_CERT_FILE to CurlTransportOptions.CAInfo for the request path; adds <cstdlib>. |
| sdk_v2/cpp/src/http/http_download.cc | Applies the same CAInfo forwarding for the file-download path; adds <cstdlib>. |
| sdk_v2/cpp/docs/AndroidBuildPlan.md | Updates SSL documentation to describe the corrected mechanism and rationale. |
The bundled libcurl does not consult the SSL_CERT_FILE (or SSL_CERT_DIR)
environment variable at request time: it was built with a compiled-in default
CA path that does not exist on Android, and without the fallback that would
otherwise read SSL_CERT_FILE. As a result the caller-provided trust store was
never used and HTTPS requests to Azure failed verification ('self-signed
certificate in certificate chain' for the catalog, 'unable to get local issuer
certificate' for blob downloads).
Every libcurl-based transport must therefore pass the bundle explicitly via
CURLOPT_CAINFO, which libcurl always honors. Add a shared http::CaBundleFile()
helper (reads SSL_CERT_FILE) and route all four transports through it:
- http_client.cc (HttpRequestRaw) -> CurlTransportOptions.CAInfo
- http_download.cc (HttpDownloadFile) -> CurlTransportOptions.CAInfo
- blob_downloader.cc (ListBlobs + -> MakeBlobClientOptions() installs a
DownloadBlob, via the Azure Storage CurlTransport(CAInfo) on the SDK's
SDK's own transport) BlobClientOptions
The WinHTTP (desktop Windows) path uses the OS trust store and is unaffected.
Also corrects the AndroidBuildPlan.md SSL section, which previously claimed
SSL_CERT_FILE was honored on its own.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
7ce3082 to
3ba8e52
Compare
The bundled libcurl does not consult the SSL_CERT_FILE (or SSL_CERT_DIR) environment variable at request time: it was built with a compiled-in default CA path that does not exist on Android, and without the fallback that would otherwise read SSL_CERT_FILE. As a result the caller-provided trust store was never used and every HTTPS request to Azure failed verification with 'self-signed certificate in certificate chain'.
Read SSL_CERT_FILE and forward it explicitly to libcurl via CurlTransportOptions.CAInfo (CURLOPT_CAINFO), which libcurl always honors, in both HttpRequestRaw and HttpDownloadFile. The WinHTTP (desktop Windows) path is unaffected. Also corrects the AndroidBuildPlan.md SSL section, which previously claimed SSL_CERT_FILE was honored on its own.