awslabs · sbSteveK · Jun 16, 2026 · Jun 11, 2026 · Jun 12, 2026 · Jun 12, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -376,8 +376,27 @@ jobs:
       uses: actions/checkout@v4
       with:
         submodules: true
+    # GraalVM native-image requires MSVC but its built-in VS detection fails on newer
+    # runner images (e.g. windows-2025 with VS2026). We use vswhere to locate vcvarsall.bat
+    # and export the MSVC environment ourselves, which works regardless of VS version/path.
+    - name: Setup MSVC environment
+      if: runner.os == 'Windows'
+      shell: pwsh
+      run: |
+        $vswhere = "${env:ProgramFiles(x86)}\Microsoft Visual Studio\Installer\vswhere.exe"
+        if (-not (Test-Path $vswhere)) { throw "vswhere.exe not found" }
+        $vsPath = & $vswhere -latest -requires Microsoft.VisualStudio.Component.VC.Tools.x86.x64 -property installationPath
+        if (-not $vsPath) { throw "No VS installation with C++ tools found" }
+        $vcvarsall = Join-Path $vsPath "VC\Auxiliary\Build\vcvarsall.bat"
+        if (-not (Test-Path $vcvarsall)) { throw "vcvarsall.bat not found at $vcvarsall" }
+        cmd /c "`"$vcvarsall`" x64 && set" | ForEach-Object {
+          if ($_ -match '^([^=]+)=(.*)$') {
+            "$($matches[1])=$($matches[2])" | Out-File -FilePath $env:GITHUB_ENV -Append
+          }
+        }
+        Write-Host "MSVC environment configured from: $vsPath"
     - name: Setup GraalVM
-      uses: graalvm/setup-graalvm@v1
+      uses: graalvm/setup-graalvm@v1.5.5
       with:
         java-version: ${{ matrix.java-version }}
         distribution: 'graalvm'

diff --git a/crt/aws-c-io b/crt/aws-c-io
diff --git a/src/main/java/software/amazon/awssdk/crt/io/TlsContextOptions.java b/src/main/java/software/amazon/awssdk/crt/io/TlsContextOptions.java
@@ -80,6 +80,21 @@ public enum TlsVersions {
      */
     public boolean verifyPeer = false;
 
+    /**
+     * Set to true to disable certificate revocation checking during TLS negotiation.
+     *
+     * On Windows (SChannel), this prevents the TLS handshake from making outbound network calls
+     * to CRL/OCSP revocation endpoints, which can block for minutes when the endpoints are unreachable
+     * (e.g., in private subnets without internet access).
+     *
+     * On Linux (s2n), this disables validation of OCSP stapled responses provided by the server.
+     *
+     * On Apple platforms, this is a no-op as revocation checking is not enabled by default.
+     * 
+     * Default is false (revocation checking enabled where available).
+     */
+    public boolean noCertificateRevocation = false;
+
     private String certificate;
     private String privateKey;
     private String certificatePath;
@@ -119,6 +134,7 @@ public long getNativeHandle() {
                 caFile,
                 caDir,
                 verifyPeer,
+                noCertificateRevocation,
                 pkcs12Path,
                 pkcs12Password,
                 pkcs11Options,
@@ -551,6 +567,16 @@ public TlsContextOptions withVerifyPeer() {
         return this.withVerifyPeer(true);
     }
 
+    /**
+     * Disables certificate revocation checking during TLS negotiation.
+     *
+     * @return this
+     */
+    public TlsContextOptions withNoCertificateRevocation() {
+        this.noCertificateRevocation = true;
+        return this;
+    }
+
     /*******************************************************************************
      * native methods
      ******************************************************************************/
@@ -566,6 +592,7 @@ private static native long tlsContextOptionsNew(
                 String caFile,
                 String caDir,
                 boolean verifyPeer,
+                boolean noCertificateRevocation,
                 String pkcs12Path,
                 String pkcs12Password,
                 TlsContextPkcs11Options pkcs11Options,

diff --git a/src/native/tls_context_options.c b/src/native/tls_context_options.c
@@ -88,6 +88,7 @@ jlong JNICALL Java_software_amazon_awssdk_crt_io_TlsContextOptions_tlsContextOpt
     jstring jni_ca_filepath,
     jstring jni_ca_dirpath,
     jboolean jni_verify_peer,
+    jboolean jni_certificate_revocation_check_disabled,
     jstring jni_pkcs12_path,
     jstring jni_pkcs12_password,
     jobject jni_pkcs11_options,
@@ -304,6 +305,7 @@ jlong JNICALL Java_software_amazon_awssdk_crt_io_TlsContextOptions_tlsContextOpt
     tls->options.minimum_tls_version = (enum aws_tls_versions)jni_min_tls_version;
     tls->options.cipher_pref = (enum aws_tls_cipher_pref)jni_cipher_pref;
     tls->options.verify_peer = jni_verify_peer != 0;
+    tls->options.no_certificate_revocation = jni_certificate_revocation_check_disabled != 0;
 
     if (jni_alpn) {
         tls->alpn_list = aws_jni_new_string_from_jstring(env, jni_alpn);

diff --git a/src/test/java/software/amazon/awssdk/crt/test/HttpStreamManagerTest.java b/src/test/java/software/amazon/awssdk/crt/test/HttpStreamManagerTest.java
@@ -41,8 +41,8 @@
 import software.amazon.awssdk.crt.utils.ByteBufferUtils;
 
 public class HttpStreamManagerTest extends HttpRequestResponseFixture {
-    private final static String endpoint = "https://httpbin.org";
-    private final static String path = "/anything";
+    private final static String endpoint = "https://d1cz66xoahf9cl.cloudfront.net";
+    private final static String path = "/random_32_byte.data";
     private final String EMPTY_BODY = "";
     private final static int NUM_CONNECTIONS = 20;
     private final static Charset UTF8 = StandardCharsets.UTF_8;
+1 −1		.builder/actions/pkcs11_test_setup.py
+1 −0		.github/workflows/ci.yml
+31 −0		include/aws/io/tls_channel_handler.h
+13 −10		source/s2n/s2n_tls_channel_handler.c
+4 −0		source/tls_channel_handler.c
+3 −1		source/windows/secure_channel_tls_handler.c
+13 −0		tests/CMakeLists.txt
+24 −0		tests/tls_handler_test.c