[llvm] [llvm][SupportHTTP] Guard SSL settings by Secure flag to avoid failing on plain HTTP (PR #188970)

via llvm-commits llvm-commits at lists.llvm.org
Fri Mar 27 04:37:03 PDT 2026 

llvmbot wrote:


<!--LLVM PR SUMMARY COMMENT-->

@llvm/pr-subscribers-llvm-support

Author: Stefan Gränitz (weliveindetail)

<details>
<summary>Changes</summary>

This patch only adds the condition, so the flags are applied only for HTTPS URLs. No change in implementation.

---
Full diff: https://github.com/llvm/llvm-project/pull/188970.diff


1 Files Affected:

- (modified) llvm/lib/Support/HTTP/HTTPClient.cpp (+17-15) 


``````````diff
diff --git a/llvm/lib/Support/HTTP/HTTPClient.cpp b/llvm/lib/Support/HTTP/HTTPClient.cpp
index ce6820dfb1f5a..e5ff6e6bcacd3 100644
--- a/llvm/lib/Support/HTTP/HTTPClient.cpp
+++ b/llvm/lib/Support/HTTP/HTTPClient.cpp
@@ -296,21 +296,23 @@ Error HTTPClient::perform(const HTTPRequest &Request,
   if (!Session->RequestHandle)
     return createStringError(errc::io_error, "Failed to open HTTP request");
 
-  // Enforce checks that certificate wasn't revoked.
-  DWORD EnableRevocationChecks = WINHTTP_ENABLE_SSL_REVOCATION;
-  if (!WinHttpSetOption(Session->RequestHandle, WINHTTP_OPTION_ENABLE_FEATURE,
-                        &EnableRevocationChecks,
-                        sizeof(EnableRevocationChecks)))
-    return createStringError(errc::io_error,
-                             "Failed to enable certificate revocation checks");
-
-  // Explicitly enforce default validation. This protects against insecure
-  // overrides like SECURITY_FLAG_IGNORE_UNKNOWN_CA.
-  DWORD SecurityFlags = 0;
-  if (!WinHttpSetOption(Session->RequestHandle, WINHTTP_OPTION_SECURITY_FLAGS,
-                        &SecurityFlags, sizeof(SecurityFlags)))
-    return createStringError(errc::io_error,
-                             "Failed to enforce security flags");
+  if (Secure) {
+    // Enforce checks that certificate wasn't revoked.
+    DWORD EnableRevocationChecks = WINHTTP_ENABLE_SSL_REVOCATION;
+    if (!WinHttpSetOption(Session->RequestHandle, WINHTTP_OPTION_ENABLE_FEATURE,
+                          &EnableRevocationChecks,
+                          sizeof(EnableRevocationChecks)))
+      return createStringError(
+          errc::io_error, "Failed to enable certificate revocation checks");
+
+    // Explicitly enforce default validation. This protects against insecure
+    // overrides like SECURITY_FLAG_IGNORE_UNKNOWN_CA.
+    DWORD SecurityFlags = 0;
+    if (!WinHttpSetOption(Session->RequestHandle, WINHTTP_OPTION_SECURITY_FLAGS,
+                          &SecurityFlags, sizeof(SecurityFlags)))
+      return createStringError(errc::io_error,
+                               "Failed to enforce security flags");
+  }
 
   // Add headers
   for (const std::string &Header : Request.Headers) {

``````````

</details>


https://github.com/llvm/llvm-project/pull/188970

More information about the llvm-commits mailing list