curl/docs/libcurl/opts, branch gemini-meta cURL mirror with patches applied setopt: support certificate options in memory with struct curl_blob 2020-05-15T11:03:59+00:00 Gilles Vollant info@winimage.com 2020-05-15T08:47:46+00:00 cac5374298b3e79405bbdabe38941227c73a4c96 This change introduces a generic way to provide binary data in setopt options, called BLOBs. This change introduces these new setopts: CURLOPT_ISSUERCERT_BLOB, CURLOPT_PROXY_SSLCERT_BLOB, CURLOPT_PROXY_SSLKEY_BLOB, CURLOPT_SSLCERT_BLOB and CURLOPT_SSLKEY_BLOB. Reviewed-by: Daniel Stenberg Closes #5357 
This change introduces a generic way to provide binary data in setopt
options, called BLOBs.

This change introduces these new setopts:

CURLOPT_ISSUERCERT_BLOB, CURLOPT_PROXY_SSLCERT_BLOB,
CURLOPT_PROXY_SSLKEY_BLOB, CURLOPT_SSLCERT_BLOB and CURLOPT_SSLKEY_BLOB.

Reviewed-by: Daniel Stenberg
Closes #5357
OpenSSL: have CURLOPT_CRLFILE imply CURLSSLOPT_NO_PARTIALCHAIN 2020-05-13T14:39:36+00:00 Daniel Stenberg daniel@haxx.se 2020-05-11T21:00:31+00:00 81a54b12c631e8126e3eb484c74040b991e78f0c ... to avoid an OpenSSL bug that otherwise makes the CRL check to fail. Reported-by: Michael Kaufmann Fixes #5374 Closes #5376 
... to avoid an OpenSSL bug that otherwise makes the CRL check to fail.

Reported-by: Michael Kaufmann
Fixes #5374
Closes #5376
CURLOPT_SSL_OPTIONS: add *_NATIVE_CA to use Windows CA store (with openssl) 2020-05-08T13:55:04+00:00 Gilles Vollant info@winimage.com 2019-09-13T09:24:00+00:00 148534db57dda611cf8516e92e4d6e35fc1e5074 Closes #4346 
Closes #4346
doc: add missing closing parenthesis in CURLINFO_SSL_VERIFYRESULT.3 2020-05-02T10:03:20+00:00 Emil Engler me@emilengler.com 2020-05-02T06:49:33+00:00 6540cbbc751efa010ef996a6f1726d2c4f1ed91d Closes #5320 
Closes #5320
GnuTLS: Backend support for CURLINFO_SSL_VERIFYRESULT 2020-04-30T12:40:54+00:00 Emil Engler me@emilengler.com 2020-04-23T19:36:35+00:00 42d8d9a7e816f14226819cdc2440e11ef004230e Closes #5287 
Closes #5287
mqtt: add new experimental protocol 2020-04-14T11:03:40+00:00 Bjorn Stenberg bjorn@haxx.se 2020-04-14T09:19:12+00:00 2522903b792ac5a802f780df60dc4647c58e2477 Closes #5173 
Closes #5173
CURLOPT_WRITEFUNCTION.3: add inline example and new see-also 2020-04-06T22:07:49+00:00 Daniel Stenberg daniel@haxx.se 2020-04-06T16:14:10+00:00 946a71a14f8b397972bf07f446881c2faa25a926 Closes #5192 
Closes #5192
CURLINFO_CONDITION_UNMET: return true for 304 http status code 2020-04-05T09:13:49+00:00 Kwon-Young Choi kwon-young.choi@hotmail.fr 2020-04-04T15:27:18+00:00 54ecc11cc4c4cf4a6ed958fd2906f3a791d1c8d2 In libcurl, CURLINFO_CONDITION_UNMET is used to avoid writing to the output file if the server did not transfered a file based on time condition. In the same manner, getting a 304 HTTP response back from the server, for example after passing a custom If-Match-* header, also fulfill this condition. Fixes #5181 Closes #5183 
In libcurl, CURLINFO_CONDITION_UNMET is used to avoid writing to the
output file if the server did not transfered a file based on time
condition. In the same manner, getting a 304 HTTP response back from the
server, for example after passing a custom If-Match-* header, also
fulfill this condition.

Fixes #5181
Closes #5183
copyright: fix out-of-date copyright ranges and missing headers 2020-03-24T14:05:59+00:00 Daniel Stenberg daniel@haxx.se 2020-03-23T13:44:29+00:00 9a8b3b3e131359aea1cac650fb6ac331fbe2047c Reported by the new script 'scripts/copyright.pl'. The script has a regex whitelist for the files that don't need copyright headers. Removed three (mostly usesless) README files from docs/ Closes #5141 
Reported by the new script 'scripts/copyright.pl'. The script has a
regex whitelist for the files that don't need copyright headers.

Removed three (mostly usesless) README files from docs/

Closes #5141
schannel: add "best effort" revocation check option 2020-03-18T07:23:39+00:00 Johannes Schindelin johannes.schindelin@gmx.de 2020-02-26T10:24:26+00:00 54504284918a4ba19bc7b1efb486a64629d376aa - Implement new option CURLSSLOPT_REVOKE_BEST_EFFORT and --ssl-revoke-best-effort to allow a "best effort" revocation check. A best effort revocation check ignores errors that the revocation check was unable to take place. The reasoning is described in detail below and discussed further in the PR. --- When running e.g. with Fiddler, the schannel backend fails with an unhelpful error message: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate. Sadly, many enterprise users who are stuck behind MITM proxies suffer the very same problem. This has been discussed in plenty of issues: https://github.com/curl/curl/issues/3727, https://github.com/curl/curl/issues/264, for example. In the latter, a Microsoft Edge developer even made the case that the common behavior is to ignore issues when a certificate has no recorded distribution point for revocation lists, or when the server is offline. This is also known as "best effort" strategy and addresses the Fiddler issue. Unfortunately, this strategy was not chosen as the default for schannel (and is therefore a backend-specific behavior: OpenSSL seems to happily ignore the offline servers and missing distribution points). To maintain backward-compatibility, we therefore add a new flag (`CURLSSLOPT_REVOKE_BEST_EFFORT`) and a new option (`--ssl-revoke-best-effort`) to select the new behavior. Due to the many related issues Git for Windows and GitHub Desktop, the plan is to make this behavior the default in these software packages. The test 2070 was added to verify this behavior, adapted from 310. Based-on-work-by: georgeok <giorgos.n.oikonomou@gmail.com> Co-authored-by: Markus Olsson <j.markus.olsson@gmail.com> Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Closes https://github.com/curl/curl/pull/4981 
- Implement new option CURLSSLOPT_REVOKE_BEST_EFFORT and
  --ssl-revoke-best-effort to allow a "best effort" revocation check.

A best effort revocation check ignores errors that the revocation check
was unable to take place. The reasoning is described in detail below and
discussed further in the PR.

---

When running e.g. with Fiddler, the schannel backend fails with an
unhelpful error message:

	Unknown error (0x80092012) - The revocation function was unable
	to check revocation for the certificate.

Sadly, many enterprise users who are stuck behind MITM proxies suffer
the very same problem.

This has been discussed in plenty of issues:
https://github.com/curl/curl/issues/3727,
https://github.com/curl/curl/issues/264, for example.

In the latter, a Microsoft Edge developer even made the case that the
common behavior is to ignore issues when a certificate has no recorded
distribution point for revocation lists, or when the server is offline.
This is also known as "best effort" strategy and addresses the Fiddler
issue.

Unfortunately, this strategy was not chosen as the default for schannel
(and is therefore a backend-specific behavior: OpenSSL seems to happily
ignore the offline servers and missing distribution points).

To maintain backward-compatibility, we therefore add a new flag
(`CURLSSLOPT_REVOKE_BEST_EFFORT`) and a new option
(`--ssl-revoke-best-effort`) to select the new behavior.

Due to the many related issues Git for Windows and GitHub Desktop, the
plan is to make this behavior the default in these software packages.

The test 2070 was added to verify this behavior, adapted from 310.

Based-on-work-by: georgeok <giorgos.n.oikonomou@gmail.com>
Co-authored-by: Markus Olsson <j.markus.olsson@gmail.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

Closes https://github.com/curl/curl/pull/4981