Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package aws-c-io for openSUSE:Factory checked in at 2026-06-22 17:27:55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/aws-c-io (Old) and /work/SRC/openSUSE:Factory/.aws-c-io.new.1956 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "aws-c-io" Mon Jun 22 17:27:55 2026 rev:40 rq:1360728 version:0.27.2 Changes: -------- --- /work/SRC/openSUSE:Factory/aws-c-io/aws-c-io.changes 2026-06-15 19:53:16.684160471 +0200 +++ /work/SRC/openSUSE:Factory/.aws-c-io.new.1956/aws-c-io.changes 2026-06-22 17:28:59.004792752 +0200 @@ -1,0 +2,8 @@ +Fri Jun 19 10:05:12 UTC 2026 - John Paul Adrian Glaubitz <[email protected]> + +- Update to version 0.27.2 + * Option to disable revocation check by @sbSteveK in (#806) +- from version 0.27.1 + * Minor fix by @azkrishpy in (#802) + +------------------------------------------------------------------- Old: ---- v0.27.0.tar.gz New: ---- v0.27.2.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ aws-c-io.spec ++++++ --- /var/tmp/diff_new_pack.QmVa76/_old 2026-06-22 17:28:59.776819645 +0200 +++ /var/tmp/diff_new_pack.QmVa76/_new 2026-06-22 17:28:59.776819645 +0200 @@ -21,7 +21,7 @@ %define library_version 1.0.0 %define library_soversion 0unstable Name: aws-c-io -Version: 0.27.0 +Version: 0.27.2 Release: 0 Summary: I/O and TLS package AWS SDK for C License: Apache-2.0 ++++++ v0.27.0.tar.gz -> v0.27.2.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-c-io-0.27.0/.builder/actions/pkcs11_test_setup.py new/aws-c-io-0.27.2/.builder/actions/pkcs11_test_setup.py --- old/aws-c-io-0.27.0/.builder/actions/pkcs11_test_setup.py 2026-06-03 19:57:49.000000000 +0200 +++ new/aws-c-io-0.27.2/.builder/actions/pkcs11_test_setup.py 2026-06-12 23:21:33.000000000 +0200 @@ -118,5 +118,5 @@ def _get_softhsm2_version(self): output = self._exec_softhsm2_util('--version').output - match = re.match(r'([0-9+])\.([0-9]+).([0-9]+)', output) + match = re.match(r'([0-9]+)\.([0-9]+)\.([0-9]+)', output) return (int(match.group(1)), int(match.group(2)), int(match.group(3))) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-c-io-0.27.0/.github/workflows/ci.yml new/aws-c-io-0.27.2/.github/workflows/ci.yml --- old/aws-c-io-0.27.0/.github/workflows/ci.yml 2026-06-03 19:57:49.000000000 +0200 +++ new/aws-c-io-0.27.2/.github/workflows/ci.yml 2026-06-12 23:21:33.000000000 +0200 @@ -59,6 +59,7 @@ linux-compiler-compat: runs-on: ubuntu-24.04 # latest strategy: + fail-fast: false matrix: compiler: - name: clang-6 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-c-io-0.27.0/include/aws/io/tls_channel_handler.h new/aws-c-io-0.27.2/include/aws/io/tls_channel_handler.h --- old/aws-c-io-0.27.0/include/aws/io/tls_channel_handler.h 2026-06-03 19:57:49.000000000 +0200 +++ new/aws-c-io-0.27.2/include/aws/io/tls_channel_handler.h 2026-06-12 23:21:33.000000000 +0200 @@ -293,6 +293,22 @@ * cipher preferences that allow TLS 1.3. If this is set, we will always use non TLS 1.3 preferences. */ struct aws_custom_key_op_handler *custom_key_op_handler; + + /** + * Set to true to disable certificate revocation checking during TLS negotiation. + * + * On Windows (SChannel), this prevents the TLS handshake from making outbound network calls + * to CRL/OCSP revocation endpoints, which can block for minutes when the endpoints are unreachable + * (e.g., in private subnets without internet access). + * + * On Linux (s2n), this disables validation of OCSP stapled responses provided by the server. + * + * On Apple platforms, this is a no-op as revocation checking is not enabled by default. + * + * Default is false (Windows makes a best-effort certificate revocation check to CRL/OCSP and Linux (s2n) + * checks against stapled responses). + */ + bool no_certificate_revocation; }; struct aws_tls_negotiated_protocol_message { @@ -678,6 +694,21 @@ AWS_IO_API void aws_tls_ctx_options_set_verify_peer(struct aws_tls_ctx_options *options, bool verify_peer); /** + * Enables or disables certificate revocation checking during TLS negotiation. + * + * On Windows (SChannel), the TLS handshake will make outbound network calls to CRL/OCSP revocation endpoints and makes + * a best-effort check. In environments without internet access, this can cause the handshake to block for minutes while + * waiting for network timeouts. + * + * On Linux (s2n) checks against stapled responses + * + * Set this to true to skip revocation checking entirely. + */ +AWS_IO_API void aws_tls_ctx_options_set_no_certificate_revocation( + struct aws_tls_ctx_options *options, + bool no_revocation); + +/** * Sets preferred TLS Cipher List */ AWS_IO_API void aws_tls_ctx_options_set_tls_cipher_preference( diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-c-io-0.27.0/source/s2n/s2n_tls_channel_handler.c new/aws-c-io-0.27.2/source/s2n/s2n_tls_channel_handler.c --- old/aws-c-io-0.27.0/source/s2n/s2n_tls_channel_handler.c 2026-06-03 19:57:49.000000000 +0200 +++ new/aws-c-io-0.27.2/source/s2n/s2n_tls_channel_handler.c 2026-06-12 23:21:33.000000000 +0200 @@ -1698,17 +1698,20 @@ } if (options->verify_peer) { - if (s2n_config_set_check_stapled_ocsp_response(s2n_ctx->s2n_config, 1) == S2N_SUCCESS) { - if (s2n_config_set_status_request_type(s2n_ctx->s2n_config, S2N_STATUS_REQUEST_OCSP) != S2N_SUCCESS) { - s_log_and_raise_s2n_errno("ctx: ocsp status request cannot be set"); - goto cleanup_s2n_config; - } - } else { - if (s2n_error_get_type(s2n_errno) == S2N_ERR_T_USAGE) { - AWS_LOGF_INFO(AWS_LS_IO_TLS, "ctx: cannot enable ocsp stapling: %s", s2n_strerror(s2n_errno, "EN")); + + if (!options->no_certificate_revocation) { + if (s2n_config_set_check_stapled_ocsp_response(s2n_ctx->s2n_config, 1) == S2N_SUCCESS) { + if (s2n_config_set_status_request_type(s2n_ctx->s2n_config, S2N_STATUS_REQUEST_OCSP) != S2N_SUCCESS) { + s_log_and_raise_s2n_errno("ctx: ocsp status request cannot be set"); + goto cleanup_s2n_config; + } } else { - s_log_and_raise_s2n_errno("ctx: cannot enable ocsp stapling"); - goto cleanup_s2n_config; + if (s2n_error_get_type(s2n_errno) == S2N_ERR_T_USAGE) { + AWS_LOGF_INFO(AWS_LS_IO_TLS, "ctx: cannot enable ocsp stapling: %s", s2n_strerror(s2n_errno, "EN")); + } else { + s_log_and_raise_s2n_errno("ctx: cannot enable ocsp stapling"); + goto cleanup_s2n_config; + } } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-c-io-0.27.0/source/tls_channel_handler.c new/aws-c-io-0.27.2/source/tls_channel_handler.c --- old/aws-c-io-0.27.0/source/tls_channel_handler.c 2026-06-03 19:57:49.000000000 +0200 +++ new/aws-c-io-0.27.2/source/tls_channel_handler.c 2026-06-12 23:21:33.000000000 +0200 @@ -511,6 +511,10 @@ options->verify_peer = verify_peer; } +void aws_tls_ctx_options_set_no_certificate_revocation(struct aws_tls_ctx_options *options, bool no_revocation) { + options->no_certificate_revocation = no_revocation; +} + void aws_tls_ctx_options_set_minimum_tls_version( struct aws_tls_ctx_options *options, enum aws_tls_versions minimum_tls_version) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-c-io-0.27.0/source/windows/secure_channel_tls_handler.c new/aws-c-io-0.27.2/source/windows/secure_channel_tls_handler.c --- old/aws-c-io-0.27.0/source/windows/secure_channel_tls_handler.c 2026-06-03 19:57:49.000000000 +0200 +++ new/aws-c-io-0.27.2/source/windows/secure_channel_tls_handler.c 2026-06-12 23:21:33.000000000 +0200 @@ -2424,7 +2424,9 @@ dw_flags |= SCH_CRED_IGNORE_NO_REVOCATION_CHECK | SCH_CRED_IGNORE_REVOCATION_OFFLINE | SCH_CRED_NO_SERVERNAME_CHECK | SCH_CRED_MANUAL_CRED_VALIDATION; } else if (is_client_mode) { - dw_flags |= SCH_CRED_REVOCATION_CHECK_CHAIN | SCH_CRED_IGNORE_REVOCATION_OFFLINE; + if (!options->no_certificate_revocation) { + dw_flags |= SCH_CRED_REVOCATION_CHECK_CHAIN | SCH_CRED_IGNORE_REVOCATION_OFFLINE; + } } /* if someone wants to use broken algorithms like rc4/md5/des they'll need to ask for a special control */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-c-io-0.27.0/tests/CMakeLists.txt new/aws-c-io-0.27.2/tests/CMakeLists.txt --- old/aws-c-io-0.27.0/tests/CMakeLists.txt 2026-06-03 19:57:49.000000000 +0200 +++ new/aws-c-io-0.27.2/tests/CMakeLists.txt 2026-06-12 23:21:33.000000000 +0200 @@ -237,6 +237,19 @@ add_net_test_case(tls_client_channel_negotiation_no_verify_self_signed) add_net_test_case(tls_client_channel_negotiation_no_verify_untrusted_root) + # Badssl - Certificate Revocation (Windows only) + # On Windows, SChannel performs CRL/OCSP revocation checks by default. + if(WIN32) + add_net_test_case(tls_client_channel_negotiation_error_revoked) + endif() + + # This test verifies that our no_certificate_revocation option works. + # Runs on Windows (proves revocation is skipped) and Linux (proves option doesn't break s2n). + # Skipped on Apple where revocation is never checked and cert validity issues cause false failures. + if(NOT APPLE) + add_net_test_case(tls_client_channel_negotiation_revoked_no_check) + endif() + # Badssl - Broken Crypto endpoint suite # We don't include dh1024 as it succeeds on the windows baseline configuration and there does not seem # to be a way to disable it diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-c-io-0.27.0/tests/tls_handler_test.c new/aws-c-io-0.27.2/tests/tls_handler_test.c --- old/aws-c-io-0.27.0/tests/tls_handler_test.c 2026-06-03 19:57:49.000000000 +0200 +++ new/aws-c-io-0.27.2/tests/tls_handler_test.c 2026-06-12 23:21:33.000000000 +0200 @@ -1781,6 +1781,30 @@ tls_client_channel_negotiation_no_verify_untrusted_root, s_tls_client_channel_negotiation_no_verify_untrusted_root_fn) +AWS_STATIC_STRING_FROM_LITERAL(s_revoked_host_name, "revoked.badssl.com"); + +# ifdef _WIN32 +/* On Windows, connecting to a revoked cert should fail with default options (revocation check enabled) */ +static int s_tls_client_channel_negotiation_error_revoked_fn(struct aws_allocator *allocator, void *ctx) { + (void)ctx; + return s_verify_negotiation_fails(allocator, s_revoked_host_name, 443, NULL); +} + +AWS_TEST_CASE(tls_client_channel_negotiation_error_revoked, s_tls_client_channel_negotiation_error_revoked_fn) +# endif /* _WIN32 */ + +static void s_disable_revocation_check(struct aws_tls_ctx_options *options) { + aws_tls_ctx_options_set_no_certificate_revocation(options, true); +} + +/* On Windows, connecting to a revoked cert should succeed when revocation checking is disabled */ +static int s_tls_client_channel_negotiation_revoked_no_check_fn(struct aws_allocator *allocator, void *ctx) { + (void)ctx; + return s_verify_good_host(allocator, s_revoked_host_name, 443, &s_disable_revocation_check); +} + +AWS_TEST_CASE(tls_client_channel_negotiation_revoked_no_check, s_tls_client_channel_negotiation_revoked_no_check_fn) + static void s_lower_tls_version_to_tls10(struct aws_tls_ctx_options *options) { aws_tls_ctx_options_set_minimum_tls_version(options, AWS_IO_TLSv1); }
