Certificate store for https

Jun 22, 2015 at 7:18 PM
My understanding is that if we want to support https on the client side, we really just need to set the URI to be https. [discussion:639047]

Is it safe to assume that this is using the OS cert store (on all platforms) for cert validation, and is not configurable via the SDK?

We'll probably want to use a self-signed cert for testing, which means that:
  1. We'd need to use the native interfaces to configure OpenSSL [discussion:579967]
    , or
  2. Add the appropriate certs to the OS cert store temporarily.
Am I missing anything?
Jun 22, 2015 at 8:07 PM
Hi jatzinger,

Yes you are correct to use HTTPS all you need to do is specify it as the scheme in the URI. Yes we use the OS certificate store for each of the platforms appropriately. Our implementation for non-Windows platforms is based on Boost.Asio and OpenSSL. For Windows desktop, WinHttp, and the Windows Runtime IXmlHttpRequest2. For each of these platforms you will potentially need to setup the certificates differently. What platform are you using?

For example if you are using OS X or iOS you can see the platform specific certificate code here. Depending on exactly what you need to do another option to turn off server certificate verification, using http_client_config::set_validate_certificates(...). Please note because about using this API since it will end up ignoring all server certificate errors.

Jun 22, 2015 at 9:10 PM
Thanks Steve.

Initially, we're targeting Vista+ (desktop) and Linux. Mac and Mobile may follow someday, but they are not the priority right now.
We really just want to be able to specify a cert chain that isn't in the OS cert store, which shouldn't be too hard.

Turning off cert validation will be good to have in the back pocket, and until the server side is ready.

We'll have to do some platform-specific stuff via set_nativehandle_options if we decide to do mutual auth someday, it looks like?
Jun 22, 2015 at 10:26 PM
Hi jatzinger,

Yes we only have high level authentication support with the http_client on Windows right now. You will have to use the set_nativehandle_options or do some other form of authentication yourself.