Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package aws-c-io for openSUSE:Factory 
checked in at 2026-06-22 17:27:55
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/aws-c-io (Old)
 and      /work/SRC/openSUSE:Factory/.aws-c-io.new.1956 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "aws-c-io"

Mon Jun 22 17:27:55 2026 rev:40 rq:1360728 version:0.27.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/aws-c-io/aws-c-io.changes        2026-06-15 
19:53:16.684160471 +0200
+++ /work/SRC/openSUSE:Factory/.aws-c-io.new.1956/aws-c-io.changes      
2026-06-22 17:28:59.004792752 +0200
@@ -1,0 +2,8 @@
+Fri Jun 19 10:05:12 UTC 2026 - John Paul Adrian Glaubitz 
<[email protected]>
+
+- Update to version 0.27.2
+  * Option to disable revocation check by @sbSteveK in (#806)
+- from version 0.27.1
+  * Minor fix by @azkrishpy in (#802)
+
+-------------------------------------------------------------------

Old:
----
  v0.27.0.tar.gz

New:
----
  v0.27.2.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ aws-c-io.spec ++++++
--- /var/tmp/diff_new_pack.QmVa76/_old  2026-06-22 17:28:59.776819645 +0200
+++ /var/tmp/diff_new_pack.QmVa76/_new  2026-06-22 17:28:59.776819645 +0200
@@ -21,7 +21,7 @@
 %define library_version 1.0.0
 %define library_soversion 0unstable
 Name:           aws-c-io
-Version:        0.27.0
+Version:        0.27.2
 Release:        0
 Summary:        I/O and TLS package AWS SDK for C
 License:        Apache-2.0

++++++ v0.27.0.tar.gz -> v0.27.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/aws-c-io-0.27.0/.builder/actions/pkcs11_test_setup.py 
new/aws-c-io-0.27.2/.builder/actions/pkcs11_test_setup.py
--- old/aws-c-io-0.27.0/.builder/actions/pkcs11_test_setup.py   2026-06-03 
19:57:49.000000000 +0200
+++ new/aws-c-io-0.27.2/.builder/actions/pkcs11_test_setup.py   2026-06-12 
23:21:33.000000000 +0200
@@ -118,5 +118,5 @@
 
     def _get_softhsm2_version(self):
         output = self._exec_softhsm2_util('--version').output
-        match = re.match(r'([0-9+])\.([0-9]+).([0-9]+)', output)
+        match = re.match(r'([0-9]+)\.([0-9]+)\.([0-9]+)', output)
         return (int(match.group(1)), int(match.group(2)), int(match.group(3)))
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/aws-c-io-0.27.0/.github/workflows/ci.yml 
new/aws-c-io-0.27.2/.github/workflows/ci.yml
--- old/aws-c-io-0.27.0/.github/workflows/ci.yml        2026-06-03 
19:57:49.000000000 +0200
+++ new/aws-c-io-0.27.2/.github/workflows/ci.yml        2026-06-12 
23:21:33.000000000 +0200
@@ -59,6 +59,7 @@
   linux-compiler-compat:
     runs-on: ubuntu-24.04 # latest
     strategy:
+      fail-fast: false
       matrix:
         compiler:
           - name: clang-6
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/aws-c-io-0.27.0/include/aws/io/tls_channel_handler.h 
new/aws-c-io-0.27.2/include/aws/io/tls_channel_handler.h
--- old/aws-c-io-0.27.0/include/aws/io/tls_channel_handler.h    2026-06-03 
19:57:49.000000000 +0200
+++ new/aws-c-io-0.27.2/include/aws/io/tls_channel_handler.h    2026-06-12 
23:21:33.000000000 +0200
@@ -293,6 +293,22 @@
      * cipher preferences that allow TLS 1.3. If this is set, we will always 
use non TLS 1.3 preferences.
      */
     struct aws_custom_key_op_handler *custom_key_op_handler;
+
+    /**
+     * Set to true to disable certificate revocation checking during TLS 
negotiation.
+     *
+     * On Windows (SChannel), this prevents the TLS handshake from making 
outbound network calls
+     * to CRL/OCSP revocation endpoints, which can block for minutes when the 
endpoints are unreachable
+     * (e.g., in private subnets without internet access).
+     *
+     * On Linux (s2n), this disables validation of OCSP stapled responses 
provided by the server.
+     *
+     * On Apple platforms, this is a no-op as revocation checking is not 
enabled by default.
+     *
+     * Default is false (Windows makes a best-effort certificate revocation 
check to CRL/OCSP and Linux (s2n)
+     * checks against stapled responses).
+     */
+    bool no_certificate_revocation;
 };
 
 struct aws_tls_negotiated_protocol_message {
@@ -678,6 +694,21 @@
 AWS_IO_API void aws_tls_ctx_options_set_verify_peer(struct aws_tls_ctx_options 
*options, bool verify_peer);
 
 /**
+ * Enables or disables certificate revocation checking during TLS negotiation.
+ *
+ * On Windows (SChannel), the TLS handshake will make outbound network calls 
to CRL/OCSP revocation endpoints and makes
+ * a best-effort check. In environments without internet access, this can 
cause the handshake to block for minutes while
+ * waiting for network timeouts.
+ *
+ * On Linux (s2n) checks against stapled responses
+ *
+ * Set this to true to skip revocation checking entirely.
+ */
+AWS_IO_API void aws_tls_ctx_options_set_no_certificate_revocation(
+    struct aws_tls_ctx_options *options,
+    bool no_revocation);
+
+/**
  * Sets preferred TLS Cipher List
  */
 AWS_IO_API void aws_tls_ctx_options_set_tls_cipher_preference(
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/aws-c-io-0.27.0/source/s2n/s2n_tls_channel_handler.c 
new/aws-c-io-0.27.2/source/s2n/s2n_tls_channel_handler.c
--- old/aws-c-io-0.27.0/source/s2n/s2n_tls_channel_handler.c    2026-06-03 
19:57:49.000000000 +0200
+++ new/aws-c-io-0.27.2/source/s2n/s2n_tls_channel_handler.c    2026-06-12 
23:21:33.000000000 +0200
@@ -1698,17 +1698,20 @@
     }
 
     if (options->verify_peer) {
-        if (s2n_config_set_check_stapled_ocsp_response(s2n_ctx->s2n_config, 1) 
== S2N_SUCCESS) {
-            if (s2n_config_set_status_request_type(s2n_ctx->s2n_config, 
S2N_STATUS_REQUEST_OCSP) != S2N_SUCCESS) {
-                s_log_and_raise_s2n_errno("ctx: ocsp status request cannot be 
set");
-                goto cleanup_s2n_config;
-            }
-        } else {
-            if (s2n_error_get_type(s2n_errno) == S2N_ERR_T_USAGE) {
-                AWS_LOGF_INFO(AWS_LS_IO_TLS, "ctx: cannot enable ocsp 
stapling: %s", s2n_strerror(s2n_errno, "EN"));
+
+        if (!options->no_certificate_revocation) {
+            if 
(s2n_config_set_check_stapled_ocsp_response(s2n_ctx->s2n_config, 1) == 
S2N_SUCCESS) {
+                if (s2n_config_set_status_request_type(s2n_ctx->s2n_config, 
S2N_STATUS_REQUEST_OCSP) != S2N_SUCCESS) {
+                    s_log_and_raise_s2n_errno("ctx: ocsp status request cannot 
be set");
+                    goto cleanup_s2n_config;
+                }
             } else {
-                s_log_and_raise_s2n_errno("ctx: cannot enable ocsp stapling");
-                goto cleanup_s2n_config;
+                if (s2n_error_get_type(s2n_errno) == S2N_ERR_T_USAGE) {
+                    AWS_LOGF_INFO(AWS_LS_IO_TLS, "ctx: cannot enable ocsp 
stapling: %s", s2n_strerror(s2n_errno, "EN"));
+                } else {
+                    s_log_and_raise_s2n_errno("ctx: cannot enable ocsp 
stapling");
+                    goto cleanup_s2n_config;
+                }
             }
         }
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/aws-c-io-0.27.0/source/tls_channel_handler.c 
new/aws-c-io-0.27.2/source/tls_channel_handler.c
--- old/aws-c-io-0.27.0/source/tls_channel_handler.c    2026-06-03 
19:57:49.000000000 +0200
+++ new/aws-c-io-0.27.2/source/tls_channel_handler.c    2026-06-12 
23:21:33.000000000 +0200
@@ -511,6 +511,10 @@
     options->verify_peer = verify_peer;
 }
 
+void aws_tls_ctx_options_set_no_certificate_revocation(struct 
aws_tls_ctx_options *options, bool no_revocation) {
+    options->no_certificate_revocation = no_revocation;
+}
+
 void aws_tls_ctx_options_set_minimum_tls_version(
     struct aws_tls_ctx_options *options,
     enum aws_tls_versions minimum_tls_version) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/aws-c-io-0.27.0/source/windows/secure_channel_tls_handler.c 
new/aws-c-io-0.27.2/source/windows/secure_channel_tls_handler.c
--- old/aws-c-io-0.27.0/source/windows/secure_channel_tls_handler.c     
2026-06-03 19:57:49.000000000 +0200
+++ new/aws-c-io-0.27.2/source/windows/secure_channel_tls_handler.c     
2026-06-12 23:21:33.000000000 +0200
@@ -2424,7 +2424,9 @@
         dw_flags |= SCH_CRED_IGNORE_NO_REVOCATION_CHECK | 
SCH_CRED_IGNORE_REVOCATION_OFFLINE |
                     SCH_CRED_NO_SERVERNAME_CHECK | 
SCH_CRED_MANUAL_CRED_VALIDATION;
     } else if (is_client_mode) {
-        dw_flags |= SCH_CRED_REVOCATION_CHECK_CHAIN | 
SCH_CRED_IGNORE_REVOCATION_OFFLINE;
+        if (!options->no_certificate_revocation) {
+            dw_flags |= SCH_CRED_REVOCATION_CHECK_CHAIN | 
SCH_CRED_IGNORE_REVOCATION_OFFLINE;
+        }
     }
 
     /* if someone wants to use broken algorithms like rc4/md5/des they'll need 
to ask for a special control */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/aws-c-io-0.27.0/tests/CMakeLists.txt 
new/aws-c-io-0.27.2/tests/CMakeLists.txt
--- old/aws-c-io-0.27.0/tests/CMakeLists.txt    2026-06-03 19:57:49.000000000 
+0200
+++ new/aws-c-io-0.27.2/tests/CMakeLists.txt    2026-06-12 23:21:33.000000000 
+0200
@@ -237,6 +237,19 @@
     add_net_test_case(tls_client_channel_negotiation_no_verify_self_signed)
     add_net_test_case(tls_client_channel_negotiation_no_verify_untrusted_root)
 
+    # Badssl - Certificate Revocation (Windows only)
+    # On Windows, SChannel performs CRL/OCSP revocation checks by default.
+    if(WIN32)
+        add_net_test_case(tls_client_channel_negotiation_error_revoked)
+    endif()
+
+    # This test verifies that our no_certificate_revocation option works.
+    # Runs on Windows (proves revocation is skipped) and Linux (proves option 
doesn't break s2n).
+    # Skipped on Apple where revocation is never checked and cert validity 
issues cause false failures.
+    if(NOT APPLE)
+        add_net_test_case(tls_client_channel_negotiation_revoked_no_check)
+    endif()
+
     # Badssl - Broken Crypto endpoint suite
     # We don't include dh1024 as it succeeds on the windows baseline 
configuration and there does not seem
     # to be a way to disable it
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/aws-c-io-0.27.0/tests/tls_handler_test.c 
new/aws-c-io-0.27.2/tests/tls_handler_test.c
--- old/aws-c-io-0.27.0/tests/tls_handler_test.c        2026-06-03 
19:57:49.000000000 +0200
+++ new/aws-c-io-0.27.2/tests/tls_handler_test.c        2026-06-12 
23:21:33.000000000 +0200
@@ -1781,6 +1781,30 @@
     tls_client_channel_negotiation_no_verify_untrusted_root,
     s_tls_client_channel_negotiation_no_verify_untrusted_root_fn)
 
+AWS_STATIC_STRING_FROM_LITERAL(s_revoked_host_name, "revoked.badssl.com");
+
+#    ifdef _WIN32
+/* On Windows, connecting to a revoked cert should fail with default options 
(revocation check enabled) */
+static int s_tls_client_channel_negotiation_error_revoked_fn(struct 
aws_allocator *allocator, void *ctx) {
+    (void)ctx;
+    return s_verify_negotiation_fails(allocator, s_revoked_host_name, 443, 
NULL);
+}
+
+AWS_TEST_CASE(tls_client_channel_negotiation_error_revoked, 
s_tls_client_channel_negotiation_error_revoked_fn)
+#    endif /* _WIN32 */
+
+static void s_disable_revocation_check(struct aws_tls_ctx_options *options) {
+    aws_tls_ctx_options_set_no_certificate_revocation(options, true);
+}
+
+/* On Windows, connecting to a revoked cert should succeed when revocation 
checking is disabled */
+static int s_tls_client_channel_negotiation_revoked_no_check_fn(struct 
aws_allocator *allocator, void *ctx) {
+    (void)ctx;
+    return s_verify_good_host(allocator, s_revoked_host_name, 443, 
&s_disable_revocation_check);
+}
+
+AWS_TEST_CASE(tls_client_channel_negotiation_revoked_no_check, 
s_tls_client_channel_negotiation_revoked_no_check_fn)
+
 static void s_lower_tls_version_to_tls10(struct aws_tls_ctx_options *options) {
     aws_tls_ctx_options_set_minimum_tls_version(options, AWS_IO_TLSv1);
 }

Reply via email to