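--- a/awscrt/io.py
+++ b/awscrt/io.py
@@ -309,6 +309,12 @@ class TlsContextOptions:
 System defaults are used by default.
 cipher_pref (TlsCipherPref): The TLS Cipher Preference to use. System defaults are used by default.
 verify_peer (bool): Whether to validate the peer's x.509 certificate.
+no_certificate_revocation (bool): Set to true to disable certificate revocation checking during TLS negotiation.
+On Windows (SChannel), this prevents the TLS handshake from making outbound network calls
+to CRL/OCSP revocation endpoints, which can block for minutes when the endpoints are unreachable
+(e.g., in private subnets without internet access).
+On Linux (s2n), this disables validation of OCSP stapled responses provided by the server.
+On Apple platforms, this is a no-op as revocation checking is not enabled by default.
 alpn_list (Optional[List[str]]): If set, names to use in Application Layer
 Protocol Negotiation (ALPN). ALPN is not supported on all systems,
 see :meth:`is_alpn_available()`. This can be customized per connection,
@@ -325,6 +331,7 @@ class TlsContextOptions:
 'pkcs12_filepath',
 'pkcs12_password',
 'verify_peer',
+'no_certificate_revocation',
 '_pkcs11_lib',
 '_pkcs11_user_pin',
 '_pkcs11_slot_id',
@@ -343,6 +350,7 @@ def __init__(self):
 self.min_tls_ver = TlsVersion.DEFAULT
 self.cipher_pref = TlsCipherPref.DEFAULT
 self.verify_peer = True
+self.no_certificate_revocation = False
 
 @staticmethod
 def create_client_with_mtls_from_path(cert_filepath, pk_filepath):
@@ -627,6 +635,7 @@ def __init__(self, options):
 options.pkcs12_filepath,
 options.pkcs12_password,
 options.verify_peer,
+options.no_certificate_revocation,
 options._pkcs11_lib,
 options._pkcs11_user_pin,
 options._pkcs11_slot_id,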
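Review bot: The added `no_certificate_revocation` docstring in the first hunk explains what the flag turns off on each platform but not what a caller gives up, so it reads like a pure performance switch; suggest appending `Disabling revocation checks means a certificate that was revoked (for example after key compromise) is still accepted, so leave this False unless the revocation endpoints are genuinely unreachable.` The `__init__` default of False in the third hunk keeps existing callers' behaviour unchanged. The positional argument added after `options.verify_peer` in the last hunk lines up with the new `p` slot in source/io.c, so that ordering has to be preserved whenever either side changes. The `__init__(self, options)` body in the last hunk continues outside the hunk.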
5 changes: 4 additions & 1 deletion setup.py
Expand Up @@ -174,7 +174,10 @@ def determine_generator_args(cmake_version=None, windows_sdk_version=None):
# This technique may not work with customized VS install paths.
# An alternative would be to utilize private python calls:
# (distutils._msvccompiler._find_vc2017() and _find_vc2015()).
if '\\Microsoft Visual Studio\\2022' in compiler.cc:
if '\\Microsoft Visual Studio\\18' in compiler.cc:

nice

vs_version = 18
vs_year = 2026
elif '\\Microsoft Visual Studio\\2022' in compiler.cc:
vs_version = 17
vs_year = 2022
elif '\\Microsoft Visual Studio\\2019' in compiler.cc:
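Review bot: The new branch in `determine_generator_args` matches the bare substring `'\\Microsoft Visual Studio\\18'`, which, unlike the year-based `2022`/`2019` checks after it, would also match any later install directory whose name merely begins with `18`; anchoring it with the trailing separator, `if '\\Microsoft Visual Studio\\18\\' in compiler.cc:`, keeps the match exact. A short comment above the branch, `# VS 2026 (toolset 18) apparently installs under a version-number directory rather than a year`, would also explain why this branch deviates from the year pattern the others use. The function starts and ends outside the hunk.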
8 changes: 6 additions & 2 deletions source/io.c
Expand Up @@ -426,7 +426,8 @@ PyObject *aws_py_client_tls_ctx_new(PyObject *self, PyObject *args) {
Py_ssize_t private_key_buffer_len;
const char *pkcs12_filepath;
const char *pkcs12_password;
int verify_peer; /* p - boolean predicate */
int verify_peer;
int no_certificate_revocation;
PyObject *py_pkcs11_lib;
const char *pkcs11_user_pin;
Py_ssize_t pkcs11_user_pin_len;
Expand All @@ -443,7 +444,7 @@ PyObject *aws_py_client_tls_ctx_new(PyObject *self, PyObject *args) {

if (!PyArg_ParseTuple(
args,
"iizz#zz#z#zzpOz#Oz#z#z#z#z",
"iizz#zz#z#zzppOz#Oz#z#z#z#z",
/* i */ &min_tls_version,
/* i */ &cipher_pref,
/* z */ &ca_dirpath,
Expand All @@ -457,6 +458,7 @@ PyObject *aws_py_client_tls_ctx_new(PyObject *self, PyObject *args) {
/* z */ &pkcs12_filepath,
/* z */ &pkcs12_password,
/* p */ &verify_peer,
/* p */ &no_certificate_revocation,
/* O */ &py_pkcs11_lib,
/* z */ &pkcs11_user_pin,
/* # */ &pkcs11_user_pin_len,
Expand Down Expand Up @@ -560,6 +562,8 @@ PyObject *aws_py_client_tls_ctx_new(PyObject *self, PyObject *args) {
}

ctx_options.verify_peer = (bool)verify_peer;
ctx_options.no_certificate_revocation = (bool)no_certificate_revocation;

struct aws_tls_ctx *tls_ctx = aws_tls_client_ctx_new(allocator, &ctx_options);
if (!tls_ctx) {
PyErr_SetAwsLastError();
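Review bot: Dropping the `/* p - boolean predicate */` comment from `int verify_peer;` in the first hunk removes the only hint that these two ints are filled by the `p` format code rather than being plain C ints, and the new `int no_certificate_revocation;` gets no such note; suggest keeping it on both, `int verify_peer;                /* p - boolean predicate */` and `int no_certificate_revocation;  /* p - boolean predicate */`. The second, third and fourth hunks keep the format string, the `&no_certificate_revocation` argument and the `ctx_options` assignment in lockstep, which is the invariant any later edit to the `PyArg_ParseTuple` call must preserve. `aws_py_client_tls_ctx_new` starts and ends outside these hunks.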