bind no_certificate_revocation option

Author: sbSteveK

awscrt/io.py

@@ -309,6 +309,12 @@ class TlsContextOptions:
             System defaults are used by default.
         cipher_pref (TlsCipherPref): The TLS Cipher Preference to use. System defaults are used by default.
         verify_peer (bool): Whether to validate the peer's x.509 certificate.
+        no_certificate_revocation (bool): Set to true to disable certificate revocation checking during TLS negotiation.
+            On Windows (SChannel), this prevents the TLS handshake from making outbound network calls
+            to CRL/OCSP revocation endpoints, which can block for minutes when the endpoints are unreachable
+            (e.g., in private subnets without internet access).
+            On Linux (s2n), this disables validation of OCSP stapled responses provided by the server.
+            On Apple platforms, this is a no-op as revocation checking is not enabled by default.
         alpn_list (Optional[List[str]]): If set, names to use in Application Layer
             Protocol Negotiation (ALPN). ALPN is not supported on all systems,
             see :meth:`is_alpn_available()`. This can be customized per connection,
@@ -325,6 +331,7 @@ class TlsContextOptions:
         'pkcs12_filepath',
         'pkcs12_password',
         'verify_peer',
+        'no_certificate_revocation',
         '_pkcs11_lib',
         '_pkcs11_user_pin',
         '_pkcs11_slot_id',
@@ -343,6 +350,7 @@ def __init__(self):
         self.min_tls_ver = TlsVersion.DEFAULT
         self.cipher_pref = TlsCipherPref.DEFAULT
         self.verify_peer = True
+        self.no_certificate_revocation = False
 
     @staticmethod
     def create_client_with_mtls_from_path(cert_filepath, pk_filepath):
@@ -627,6 +635,7 @@ def __init__(self, options):
             options.pkcs12_filepath,
             options.pkcs12_password,
             options.verify_peer,
+            options.no_certificate_revocation,
             options._pkcs11_lib,
             options._pkcs11_user_pin,
             options._pkcs11_slot_id,

source/io.c

@@ -427,6 +427,7 @@ PyObject *aws_py_client_tls_ctx_new(PyObject *self, PyObject *args) {
     const char *pkcs12_filepath;
     const char *pkcs12_password;
     int verify_peer; /* p - boolean predicate */
+    int no_certificate_revocation; /* p - boolean predicate */
     PyObject *py_pkcs11_lib;
     const char *pkcs11_user_pin;
     Py_ssize_t pkcs11_user_pin_len;
@@ -443,7 +444,7 @@ PyObject *aws_py_client_tls_ctx_new(PyObject *self, PyObject *args) {
 
     if (!PyArg_ParseTuple(
             args,
-            "iizz#zz#z#zzpOz#Oz#z#z#z#z",
+            "iizz#zz#z#zzppOz#Oz#z#z#z#z",
             /* i */ &min_tls_version,
             /* i */ &cipher_pref,
             /* z */ &ca_dirpath,
@@ -457,6 +458,7 @@ PyObject *aws_py_client_tls_ctx_new(PyObject *self, PyObject *args) {
             /* z */ &pkcs12_filepath,
             /* z */ &pkcs12_password,
             /* p */ &verify_peer,
+            /* p */ &no_certificate_revocation,
             /* O */ &py_pkcs11_lib,
             /* z */ &pkcs11_user_pin,
             /* # */ &pkcs11_user_pin_len,
@@ -560,6 +562,8 @@ PyObject *aws_py_client_tls_ctx_new(PyObject *self, PyObject *args) {
     }
 
     ctx_options.verify_peer = (bool)verify_peer;
+    ctx_options.no_certificate_revocation = (bool)no_certificate_revocation;
+
     struct aws_tls_ctx *tls_ctx = aws_tls_client_ctx_new(allocator, &ctx_options);
     if (!tls_ctx) {
         PyErr_SetAwsLastError();