@@ -309,6 +309,12 @@ class TlsContextOptions:
309309 System defaults are used by default.
310310 cipher_pref (TlsCipherPref): The TLS Cipher Preference to use. System defaults are used by default.
311311 verify_peer (bool): Whether to validate the peer's x.509 certificate.
312+ no_certificate_revocation (bool): Set to true to disable certificate revocation checking during TLS negotiation.
313+ On Windows (SChannel), this prevents the TLS handshake from making outbound network calls
314+ to CRL/OCSP revocation endpoints, which can block for minutes when the endpoints are unreachable
315+ (e.g., in private subnets without internet access).
316+ On Linux (s2n), this disables validation of OCSP stapled responses provided by the server.
317+ On Apple platforms, this is a no-op as revocation checking is not enabled by default.
312318 alpn_list (Optional[List[str]]): If set, names to use in Application Layer
313319 Protocol Negotiation (ALPN). ALPN is not supported on all systems,
314320 see :meth:`is_alpn_available()`. This can be customized per connection,
@@ -325,6 +331,7 @@ class TlsContextOptions:
325331 'pkcs12_filepath' ,
326332 'pkcs12_password' ,
327333 'verify_peer' ,
334+ 'no_certificate_revocation' ,
328335 '_pkcs11_lib' ,
329336 '_pkcs11_user_pin' ,
330337 '_pkcs11_slot_id' ,
@@ -343,6 +350,7 @@ def __init__(self):
343350 self .min_tls_ver = TlsVersion .DEFAULT
344351 self .cipher_pref = TlsCipherPref .DEFAULT
345352 self .verify_peer = True
353+ self .no_certificate_revocation = False
346354
347355 @staticmethod
348356 def create_client_with_mtls_from_path (cert_filepath , pk_filepath ):
@@ -627,6 +635,7 @@ def __init__(self, options):
627635 options .pkcs12_filepath ,
628636 options .pkcs12_password ,
629637 options .verify_peer ,
638+ options .no_certificate_revocation ,
630639 options ._pkcs11_lib ,
631640 options ._pkcs11_user_pin ,
632641 options ._pkcs11_slot_id ,
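Review bot: The docstring added for `no_certificate_revocation` in the first hunk describes the availability benefit but states neither the default nor the security cost. With the flag set, a certificate its CA has revoked is still accepted, and on s2n a stapled OCSP response is, per the text itself, no longer validated. I would append something like `Defaults to False. When True, revoked certificates are not detected; use only where revocation endpoints are unreachable and the trust store is tightly scoped.` and write `True` rather than "true". It would also help to say that the flag is separate from `verify_peer`, which from these hunks appears to be the case but is not shown. In the last hunk the new value is inserted in the middle of a positional argument list, so the receiving function (outside this view) has to take it at the same position; a mismatch there would silently shift `_pkcs11_lib` and the arguments after it.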