Skip to content

fix(cpp): honor SSL_CERT_FILE via CURLOPT_CAINFO for TLS on Android#866

Draft
sheetalarkadam wants to merge 1 commit into
mainfrom
android-ssl-cainfo-fix
Draft

fix(cpp): honor SSL_CERT_FILE via CURLOPT_CAINFO for TLS on Android#866
sheetalarkadam wants to merge 1 commit into
mainfrom
android-ssl-cainfo-fix

Conversation

@sheetalarkadam

Copy link
Copy Markdown

The bundled libcurl does not consult the SSL_CERT_FILE (or SSL_CERT_DIR) environment variable at request time: it was built with a compiled-in default CA path that does not exist on Android, and without the fallback that would otherwise read SSL_CERT_FILE. As a result the caller-provided trust store was never used and every HTTPS request to Azure failed verification with 'self-signed certificate in certificate chain'.

Read SSL_CERT_FILE and forward it explicitly to libcurl via CurlTransportOptions.CAInfo (CURLOPT_CAINFO), which libcurl always honors, in both HttpRequestRaw and HttpDownloadFile. The WinHTTP (desktop Windows) path is unaffected. Also corrects the AndroidBuildPlan.md SSL section, which previously claimed SSL_CERT_FILE was honored on its own.

@sheetalarkadam sheetalarkadam requested a review from Copilot July 8, 2026 02:07
@vercel

vercel Bot commented Jul 8, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
foundry-local Ready Ready Preview, Comment Jul 9, 2026 10:29pm

Request Review

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes TLS certificate verification failures on Android (and any platform where the bundled statically-linked libcurl has a non-existent compiled-in default CA path). Previously the caller-provided trust store set via SSL_CERT_FILE was silently ignored, causing every HTTPS request to Azure to fail with "self-signed certificate in certificate chain". The fix reads SSL_CERT_FILE in the SDK core and forwards it explicitly to libcurl through CurlTransportOptions.CAInfo (CURLOPT_CAINFO), which libcurl always honors. The change is additive and guarded to the libcurl (non-WinHTTP) transport path, so desktop Windows (WinHTTP/SChannel) is unaffected.

Changes:

  • In both HttpRequestRaw and HttpDownloadFile, construct CurlTransport with CurlTransportOptions whose CAInfo is populated from SSL_CERT_FILE (only when set and non-empty).
  • Add <cstdlib> include for std::getenv in both files.
  • Correct the AndroidBuildPlan.md SSL section to reflect that neither SSL_CERT_DIR nor SSL_CERT_FILE is auto-consulted, and that the Core forwards SSL_CERT_FILE to CAInfo.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
sdk_v2/cpp/src/http/http_client.cc Forwards SSL_CERT_FILE to CurlTransportOptions.CAInfo for the request path; adds <cstdlib>.
sdk_v2/cpp/src/http/http_download.cc Applies the same CAInfo forwarding for the file-download path; adds <cstdlib>.
sdk_v2/cpp/docs/AndroidBuildPlan.md Updates SSL documentation to describe the corrected mechanism and rationale.

The bundled libcurl does not consult the SSL_CERT_FILE (or SSL_CERT_DIR)
environment variable at request time: it was built with a compiled-in default
CA path that does not exist on Android, and without the fallback that would
otherwise read SSL_CERT_FILE. As a result the caller-provided trust store was
never used and HTTPS requests to Azure failed verification ('self-signed
certificate in certificate chain' for the catalog, 'unable to get local issuer
certificate' for blob downloads).

Every libcurl-based transport must therefore pass the bundle explicitly via
CURLOPT_CAINFO, which libcurl always honors. Add a shared http::CaBundleFile()
helper (reads SSL_CERT_FILE) and route all four transports through it:
  - http_client.cc  (HttpRequestRaw)      -> CurlTransportOptions.CAInfo
  - http_download.cc (HttpDownloadFile)    -> CurlTransportOptions.CAInfo
  - blob_downloader.cc (ListBlobs +        -> MakeBlobClientOptions() installs a
    DownloadBlob, via the Azure Storage       CurlTransport(CAInfo) on the SDK's
    SDK's own transport)                       BlobClientOptions

The WinHTTP (desktop Windows) path uses the OS trust store and is unaffected.
Also corrects the AndroidBuildPlan.md SSL section, which previously claimed
SSL_CERT_FILE was honored on its own.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated no new comments.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants