Implement host override of CN checking in the WinHTTP backend (#824)

* Implement CN overrides via the Host: header in the WinHTTP backend.

* Repair lack of fallback CN verification on Windows.

* Set security settings even for non-HTTPS URIs in WinHTTP, in case we get upgraded to SSL/TLS later.

* Add test to make sure this doesn't explode.

* Repair CPPREST_EXCLUDE_WEBSOCKETS support.

* Move x509_cert_utilities.h out of public headers.

Author: BillyONeal

Release/src/http/client/http_client_asio.cpp

@@ -39,7 +39,7 @@
 
 #include "cpprest/base_uri.h"
 #include "cpprest/details/http_helpers.h"
-#include "cpprest/details/x509_cert_utilities.h"
+#include "../common/x509_cert_utilities.h"
 #include "http_client_impl.h"
 #include "pplx/threadpool.h"
 #include <memory>
@@ -468,7 +468,7 @@ class asio_context final : public request_context, public std::enable_shared_fro
         , m_needChunked(false)
         , m_timer(client->client_config().timeout<std::chrono::microseconds>())
         , m_connection(connection)
-#if defined(__APPLE__) || (defined(ANDROID) || defined(__ANDROID__))
+#ifdef CPPREST_PLATFORM_ASIO_CERT_VERIFICATION_AVAILABLE
         , m_openssl_failed(false)
 #endif
     {
@@ -1032,11 +1032,11 @@ class asio_context final : public request_context, public std::enable_shared_fro
         // finally by the root CA self signed certificate.
 
         const auto& host = utility::conversions::to_utf8string(m_http_client->base_uri().host());
-#if defined(__APPLE__) || (defined(ANDROID) || defined(__ANDROID__))
-        // On OS X, iOS, and Android, OpenSSL doesn't have access to where the OS
-        // stores keychains. If OpenSSL fails we will doing verification at the
-        // end using the whole certificate chain so wait until the 'leaf' cert.
-        // For now return true so OpenSSL continues down the certificate chain.
+#ifdef CPPREST_PLATFORM_ASIO_CERT_VERIFICATION_AVAILABLE
+        // Attempt to use platform certificate validation when it is available:
+        // If OpenSSL fails we will doing verification at the end using the whole certificate chain,
+        // so wait until the 'leaf' cert. For now return true so OpenSSL continues down the certificate
+        // chain.
         if (!preverified)
         {
             m_openssl_failed = true;
@@ -1757,7 +1757,7 @@ class asio_context final : public request_context, public std::enable_shared_fro
     boost::asio::streambuf m_body_buf;
     std::shared_ptr<asio_connection> m_connection;
 
-#if defined(__APPLE__) || (defined(ANDROID) || defined(__ANDROID__))
+#ifdef CPPREST_PLATFORM_ASIO_CERT_VERIFICATION_AVAILABLE
     bool m_openssl_failed;
 #endif
 };