[llvm] 2813525 - [llvm][SupportHTTP] Guard SSL settings by Secure flag to avoid failing on plain HTTP (#188970)

via llvm-commits llvm-commits at lists.llvm.org
Fri Mar 27 05:15:55 PDT 2026 

Author: Stefan Gränitz
Date: 2026-03-27T12:15:51Z
New Revision: 28135251aee08e5f0f56b83b248cb30ef7d752a7

URL: https://github.com/llvm/llvm-project/commit/28135251aee08e5f0f56b83b248cb30ef7d752a7
DIFF: https://github.com/llvm/llvm-project/commit/28135251aee08e5f0f56b83b248cb30ef7d752a7.diff

LOG: [llvm][SupportHTTP] Guard SSL settings by Secure flag to avoid failing on plain HTTP (#188970)

This patch only adds the condition, so the flags are applied only for
HTTPS URLs. No change in implementation.

Added: 
    

Modified: 
    llvm/lib/Support/HTTP/HTTPClient.cpp

Removed: 
    


################################################################################
diff  --git a/llvm/lib/Support/HTTP/HTTPClient.cpp b/llvm/lib/Support/HTTP/HTTPClient.cpp
index ce6820dfb1f5a..e5ff6e6bcacd3 100644
--- a/llvm/lib/Support/HTTP/HTTPClient.cpp
+++ b/llvm/lib/Support/HTTP/HTTPClient.cpp
@@ -296,21 +296,23 @@ Error HTTPClient::perform(const HTTPRequest &Request,
   if (!Session->RequestHandle)
     return createStringError(errc::io_error, "Failed to open HTTP request");
 
-  // Enforce checks that certificate wasn't revoked.
-  DWORD EnableRevocationChecks = WINHTTP_ENABLE_SSL_REVOCATION;
-  if (!WinHttpSetOption(Session->RequestHandle, WINHTTP_OPTION_ENABLE_FEATURE,
-                        &EnableRevocationChecks,
-                        sizeof(EnableRevocationChecks)))
-    return createStringError(errc::io_error,
-                             "Failed to enable certificate revocation checks");
-
-  // Explicitly enforce default validation. This protects against insecure
-  // overrides like SECURITY_FLAG_IGNORE_UNKNOWN_CA.
-  DWORD SecurityFlags = 0;
-  if (!WinHttpSetOption(Session->RequestHandle, WINHTTP_OPTION_SECURITY_FLAGS,
-                        &SecurityFlags, sizeof(SecurityFlags)))
-    return createStringError(errc::io_error,
-                             "Failed to enforce security flags");
+  if (Secure) {
+    // Enforce checks that certificate wasn't revoked.
+    DWORD EnableRevocationChecks = WINHTTP_ENABLE_SSL_REVOCATION;
+    if (!WinHttpSetOption(Session->RequestHandle, WINHTTP_OPTION_ENABLE_FEATURE,
+                          &EnableRevocationChecks,
+                          sizeof(EnableRevocationChecks)))
+      return createStringError(
+          errc::io_error, "Failed to enable certificate revocation checks");
+
+    // Explicitly enforce default validation. This protects against insecure
+    // overrides like SECURITY_FLAG_IGNORE_UNKNOWN_CA.
+    DWORD SecurityFlags = 0;
+    if (!WinHttpSetOption(Session->RequestHandle, WINHTTP_OPTION_SECURITY_FLAGS,
+                          &SecurityFlags, sizeof(SecurityFlags)))
+      return createStringError(errc::io_error,
+                               "Failed to enforce security flags");
+  }
 
   // Add headers
   for (const std::string &Header : Request.Headers) {

More information about the llvm-commits mailing list