authorOkhin Vasilij <OkhinVI@gmail.com>2016-11-21 17:01:25 +0700
committerDaniel Stenberg <daniel@haxx.se>2016-11-24 23:41:45 +0100
commitc6da05a5ec0c5250df077e42647c498f8ae38e8d (patch)
tree9e14b903397afb8f2bc8d0385aa51ef90e8cb84f
parent49765cd75cdd40ceecb125ac893051be90977018 (diff)
HTTPS-proxy: fixed mbedtls and polishing
-rw-r--r--docs/libcurl/opts/CURLINFO_PROXY_SSL_VERIFYRESULT.32
-rw-r--r--docs/libcurl/opts/CURLOPT_PROXY_CAINFO.32
-rw-r--r--docs/libcurl/opts/CURLOPT_PROXY_CAPATH.32
-rw-r--r--docs/libcurl/opts/CURLOPT_PROXY_CRLFILE.34
-rw-r--r--docs/libcurl/opts/CURLOPT_PROXY_KEYPASSWD.32
-rw-r--r--docs/libcurl/opts/CURLOPT_PROXY_SSLCERT.32
-rw-r--r--docs/libcurl/opts/CURLOPT_PROXY_SSLCERTTYPE.32
-rw-r--r--docs/libcurl/opts/CURLOPT_PROXY_SSLKEY.32
-rw-r--r--docs/libcurl/opts/CURLOPT_PROXY_SSLKEYTYPE.32
-rw-r--r--docs/libcurl/opts/CURLOPT_PROXY_SSLVERSION.34
-rw-r--r--docs/libcurl/opts/CURLOPT_PROXY_SSL_CIPHER_LIST.32
-rw-r--r--docs/libcurl/opts/CURLOPT_PROXY_SSL_OPTIONS.32
-rw-r--r--docs/libcurl/opts/CURLOPT_PROXY_SSL_VERIFYHOST.32
-rw-r--r--docs/libcurl/opts/CURLOPT_PROXY_SSL_VERIFYPEER.32
-rw-r--r--docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_PASSWORD.32
-rw-r--r--docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_TYPE.32
-rw-r--r--docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_USERNAME.32
-rw-r--r--docs/libcurl/opts/CURLOPT_SOCKS_PROXY.32
-rw-r--r--docs/libcurl/opts/CURLOPT_SOCKS_PROXYTYPE.32
-rw-r--r--docs/libcurl/symbols-in-versions40
-rw-r--r--lib/curl_sasl.c14
-rw-r--r--lib/http_proxy.c2
-rw-r--r--lib/multi.c2
-rw-r--r--lib/url.c6
-rw-r--r--lib/vtls/darwinssl.c77
-rw-r--r--lib/vtls/gskit.c2
-rw-r--r--lib/vtls/gtls.c4
-rw-r--r--lib/vtls/mbedtls.c62
-rw-r--r--lib/vtls/openssl.c8
-rw-r--r--lib/vtls/schannel.c35
30 files changed, 159 insertions, 135 deletions
diff --git a/docs/libcurl/opts/CURLINFO_PROXY_SSL_VERIFYRESULT.3 b/docs/libcurl/opts/CURLINFO_PROXY_SSL_VERIFYRESULT.3
index 8f09df5c4..34892f54f 100644
--- a/docs/libcurl/opts/CURLINFO_PROXY_SSL_VERIFYRESULT.3
+++ b/docs/libcurl/opts/CURLINFO_PROXY_SSL_VERIFYRESULT.3
@@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
-.TH CURLINFO_PROXY_SSL_VERIFYRESULT 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_getinfo options"
+.TH CURLINFO_PROXY_SSL_VERIFYRESULT 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_getinfo options"
.SH NAME
CURLINFO_PROXY_SSL_VERIFYRESULT \- get the result of the proxy certification verification
.SH SYNOPSIS
diff --git a/docs/libcurl/opts/CURLOPT_PROXY_CAINFO.3 b/docs/libcurl/opts/CURLOPT_PROXY_CAINFO.3
index 31fc562e8..d240b37fd 100644
--- a/docs/libcurl/opts/CURLOPT_PROXY_CAINFO.3
+++ b/docs/libcurl/opts/CURLOPT_PROXY_CAINFO.3
@@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
-.TH CURLOPT_PROXY_CAINFO 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_PROXY_CAINFO 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_CAINFO \- path to proxy Certificate Authority (CA) bundle
.SH SYNOPSIS
diff --git a/docs/libcurl/opts/CURLOPT_PROXY_CAPATH.3 b/docs/libcurl/opts/CURLOPT_PROXY_CAPATH.3
index 7c984538a..d1dfb06a0 100644
--- a/docs/libcurl/opts/CURLOPT_PROXY_CAPATH.3
+++ b/docs/libcurl/opts/CURLOPT_PROXY_CAPATH.3
@@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
-.TH CURLOPT_PROXY_CAPATH 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_PROXY_CAPATH 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_CAPATH \- specify directory holding proxy CA certificates
.SH SYNOPSIS
diff --git a/docs/libcurl/opts/CURLOPT_PROXY_CRLFILE.3 b/docs/libcurl/opts/CURLOPT_PROXY_CRLFILE.3
index 956cc5691..1d0dc6397 100644
--- a/docs/libcurl/opts/CURLOPT_PROXY_CRLFILE.3
+++ b/docs/libcurl/opts/CURLOPT_PROXY_CRLFILE.3
@@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
-.TH CURLOPT_PROXY_CRLFILE 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_PROXY_CRLFILE 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_CRLFILE \- specify a proxy Certificate Revocation List file
.SH SYNOPSIS
@@ -52,8 +52,6 @@ NULL
All TLS-based protocols
.SH EXAMPLE
TODO
-.SH AVAILABILITY
-Added in 7.51.1
.SH RETURN VALUE
Returns CURLE_OK if the option is supported, CURLE_UNKNOWN_OPTION if not, or
CURLE_OUT_OF_MEMORY if there was insufficient heap space.
diff --git a/docs/libcurl/opts/CURLOPT_PROXY_KEYPASSWD.3 b/docs/libcurl/opts/CURLOPT_PROXY_KEYPASSWD.3
index 5f328020e..1abd329d3 100644
--- a/docs/libcurl/opts/CURLOPT_PROXY_KEYPASSWD.3
+++ b/docs/libcurl/opts/CURLOPT_PROXY_KEYPASSWD.3
@@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
-.TH CURLOPT_PROXY_KEYPASSWD 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_PROXY_KEYPASSWD 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_KEYPASSWD \- set passphrase to proxy private key
.SH SYNOPSIS
diff --git a/docs/libcurl/opts/CURLOPT_PROXY_SSLCERT.3 b/docs/libcurl/opts/CURLOPT_PROXY_SSLCERT.3
index 8ce38592d..d69f6e632 100644
--- a/docs/libcurl/opts/CURLOPT_PROXY_SSLCERT.3
+++ b/docs/libcurl/opts/CURLOPT_PROXY_SSLCERT.3
@@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
-.TH CURLOPT_PROXY_SSLCERT 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_PROXY_SSLCERT 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_SSLCERT \- set SSL proxy client certificate
.SH SYNOPSIS
diff --git a/docs/libcurl/opts/CURLOPT_PROXY_SSLCERTTYPE.3 b/docs/libcurl/opts/CURLOPT_PROXY_SSLCERTTYPE.3
index 297cc0c30..326330c61 100644
--- a/docs/libcurl/opts/CURLOPT_PROXY_SSLCERTTYPE.3
+++ b/docs/libcurl/opts/CURLOPT_PROXY_SSLCERTTYPE.3
@@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
-.TH CURLOPT_PROXY_SSLCERTTYPE 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_PROXY_SSLCERTTYPE 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_SSLCERTTYPE \- specify type of the proxy client SSL certificate
.SH SYNOPSIS
diff --git a/docs/libcurl/opts/CURLOPT_PROXY_SSLKEY.3 b/docs/libcurl/opts/CURLOPT_PROXY_SSLKEY.3
index 6301ae8f4..e5c7369ae 100644
--- a/docs/libcurl/opts/CURLOPT_PROXY_SSLKEY.3
+++ b/docs/libcurl/opts/CURLOPT_PROXY_SSLKEY.3
@@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
-.TH CURLOPT_PROXY_SSLKEY 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_PROXY_SSLKEY 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_SSLKEY \- specify private keyfile for TLS and SSL proxy client cert
.SH SYNOPSIS
diff --git a/docs/libcurl/opts/CURLOPT_PROXY_SSLKEYTYPE.3 b/docs/libcurl/opts/CURLOPT_PROXY_SSLKEYTYPE.3
index 8c81b49f0..97454f925 100644
--- a/docs/libcurl/opts/CURLOPT_PROXY_SSLKEYTYPE.3
+++ b/docs/libcurl/opts/CURLOPT_PROXY_SSLKEYTYPE.3
@@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
-.TH CURLOPT_PROXY_SSLKEYTYPE 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_PROXY_SSLKEYTYPE 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_SSLKEYTYPE \- set type of the proxy private key file
.SH SYNOPSIS
diff --git a/docs/libcurl/opts/CURLOPT_PROXY_SSLVERSION.3 b/docs/libcurl/opts/CURLOPT_PROXY_SSLVERSION.3
index ef65b169c..0e91be932 100644
--- a/docs/libcurl/opts/CURLOPT_PROXY_SSLVERSION.3
+++ b/docs/libcurl/opts/CURLOPT_PROXY_SSLVERSION.3
@@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
-.TH CURLOPT_PROXY_SSLVERSION 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_PROXY_SSLVERSION 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_SSLVERSION \- set proxy preferred TLS/SSL version
.SH SYNOPSIS
@@ -50,7 +50,7 @@ TLSv1.1 (Added in 7.34.0)
.IP CURL_SSLVERSION_TLSv1_2
TLSv1.2 (Added in 7.34.0)
.IP CURL_SSLVERSION_TLSv1_3
-TLSv1.3 (Added in 7.51.1)
+TLSv1.3 (Added in 7.52.0)
.RE
.SH DEFAULT
CURL_SSLVERSION_DEFAULT
diff --git a/docs/libcurl/opts/CURLOPT_PROXY_SSL_CIPHER_LIST.3 b/docs/libcurl/opts/CURLOPT_PROXY_SSL_CIPHER_LIST.3
index a7cbc6af7..f872952ad 100644
--- a/docs/libcurl/opts/CURLOPT_PROXY_SSL_CIPHER_LIST.3
+++ b/docs/libcurl/opts/CURLOPT_PROXY_SSL_CIPHER_LIST.3
@@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
-.TH CURLOPT_PROXY_SSL_CIPHER_LIST 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_PROXY_SSL_CIPHER_LIST 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_SSL_CIPHER_LIST \- specify ciphers to use for proxy TLS
.SH SYNOPSIS
diff --git a/docs/libcurl/opts/CURLOPT_PROXY_SSL_OPTIONS.3 b/docs/libcurl/opts/CURLOPT_PROXY_SSL_OPTIONS.3
index 6b4cbaeb4..45402dfab 100644
--- a/docs/libcurl/opts/CURLOPT_PROXY_SSL_OPTIONS.3
+++ b/docs/libcurl/opts/CURLOPT_PROXY_SSL_OPTIONS.3
@@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
-.TH CURLOPT_PROXY_SSL_OPTIONS 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_PROXY_SSL_OPTIONS 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_SSL_OPTIONS \- set proxy SSL behavior options
.SH SYNOPSIS
diff --git a/docs/libcurl/opts/CURLOPT_PROXY_SSL_VERIFYHOST.3 b/docs/libcurl/opts/CURLOPT_PROXY_SSL_VERIFYHOST.3
index 9a0d69ab6..e72027a8b 100644
--- a/docs/libcurl/opts/CURLOPT_PROXY_SSL_VERIFYHOST.3
+++ b/docs/libcurl/opts/CURLOPT_PROXY_SSL_VERIFYHOST.3
@@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
-.TH CURLOPT_PROXY_SSL_VERIFYHOST 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_PROXY_SSL_VERIFYHOST 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_SSL_VERIFYHOST \- verify the proxy certificate's name against host
.SH SYNOPSIS
diff --git a/docs/libcurl/opts/CURLOPT_PROXY_SSL_VERIFYPEER.3 b/docs/libcurl/opts/CURLOPT_PROXY_SSL_VERIFYPEER.3
index 294c77b37..0eb902bb1 100644
--- a/docs/libcurl/opts/CURLOPT_PROXY_SSL_VERIFYPEER.3
+++ b/docs/libcurl/opts/CURLOPT_PROXY_SSL_VERIFYPEER.3
@@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
-.TH CURLOPT_PROXY_SSL_VERIFYPEER 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_PROXY_SSL_VERIFYPEER 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_SSL_VERIFYPEER \- verify the proxy peer's SSL certificate
.SH SYNOPSIS
diff --git a/docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_PASSWORD.3 b/docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_PASSWORD.3
index ed2544bd1..1d824fed0 100644
--- a/docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_PASSWORD.3
+++ b/docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_PASSWORD.3
@@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
-.TH CURLOPT_PROXY_TLSAUTH_PASSWORD 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_PROXY_TLSAUTH_PASSWORD 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_TLSAUTH_PASSWORD \- password to use for proxy TLS authentication
.SH SYNOPSIS
diff --git a/docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_TYPE.3 b/docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_TYPE.3
index f30256ab7..228a42e46 100644
--- a/docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_TYPE.3
+++ b/docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_TYPE.3
@@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
-.TH CURLOPT_PROXY_TLSAUTH_TYPE 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_PROXY_TLSAUTH_TYPE 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_TLSAUTH_TYPE \- set proxy TLS authentication methods
.SH SYNOPSIS
diff --git a/docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_USERNAME.3 b/docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_USERNAME.3
index 53c8378a4..e8d4e4d1e 100644
--- a/docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_USERNAME.3
+++ b/docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_USERNAME.3
@@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
-.TH CURLOPT_PROXY_TLSAUTH_USERNAME 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_PROXY_TLSAUTH_USERNAME 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_TLSAUTH_USERNAME \- user name to use for proxy TLS authentication
.SH SYNOPSIS
diff --git a/docs/libcurl/opts/CURLOPT_SOCKS_PROXY.3 b/docs/libcurl/opts/CURLOPT_SOCKS_PROXY.3
index bddb40a18..aad3d40a5 100644
--- a/docs/libcurl/opts/CURLOPT_SOCKS_PROXY.3
+++ b/docs/libcurl/opts/CURLOPT_SOCKS_PROXY.3
@@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
-.TH CURLOPT_SOCKS_PROXY 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_SOCKS_PROXY 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_SOCKS_PROXY \- set socks proxy to use
.SH SYNOPSIS
diff --git a/docs/libcurl/opts/CURLOPT_SOCKS_PROXYTYPE.3 b/docs/libcurl/opts/CURLOPT_SOCKS_PROXYTYPE.3
index 789bfb877..210024067 100644
--- a/docs/libcurl/opts/CURLOPT_SOCKS_PROXYTYPE.3
+++ b/docs/libcurl/opts/CURLOPT_SOCKS_PROXYTYPE.3
@@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
-.TH CURLOPT_SOCKS_PROXYTYPE 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
+.TH CURLOPT_SOCKS_PROXYTYPE 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_SOCKS_PROXYTYPE \- socks proxy protocol type
.SH SYNOPSIS
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
index fb3330f14..1d58d51c1 100644
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -240,7 +240,7 @@ CURLINFO_PRIMARY_IP 7.19.0
CURLINFO_PRIMARY_PORT 7.21.0
CURLINFO_PRIVATE 7.10.3
CURLINFO_PROXYAUTH_AVAIL 7.10.8
-CURLINFO_PROXY_SSL_VERIFYRESULT 7.51.1
+CURLINFO_PROXY_SSL_VERIFYRESULT 7.52.0
CURLINFO_REDIRECT_COUNT 7.9.7
CURLINFO_REDIRECT_TIME 7.9.7
CURLINFO_REDIRECT_URL 7.18.2
@@ -469,23 +469,23 @@ CURLOPT_PROXYPORT 7.1
CURLOPT_PROXYTYPE 7.10
CURLOPT_PROXYUSERNAME 7.19.1
CURLOPT_PROXYUSERPWD 7.1
-CURLOPT_PROXY_CAINFO 7.51.1
-CURLOPT_PROXY_CAPATH 7.51.1
-CURLOPT_PROXY_CRLFILE 7.51.1
-CURLOPT_PROXY_KEYPASSWD 7.51.1
+CURLOPT_PROXY_CAINFO 7.52.0
+CURLOPT_PROXY_CAPATH 7.52.0
+CURLOPT_PROXY_CRLFILE 7.52.0
+CURLOPT_PROXY_KEYPASSWD 7.52.0
CURLOPT_PROXY_SERVICE_NAME 7.43.0
-CURLOPT_PROXY_SSLCERT 7.51.1
-CURLOPT_PROXY_SSLCERTTYPE 7.51.1
-CURLOPT_PROXY_SSLKEY 7.51.1
-CURLOPT_PROXY_SSLKEYTYPE 7.51.1
-CURLOPT_PROXY_SSLVERSION 7.51.1
-CURLOPT_PROXY_SSL_CIPHER_LIST 7.51.1
-CURLOPT_PROXY_SSL_OPTIONS 7.51.1
-CURLOPT_PROXY_SSL_VERIFYHOST 7.51.1
-CURLOPT_PROXY_SSL_VERIFYPEER 7.51.1
-CURLOPT_PROXY_TLSAUTH_PASSWORD 7.51.1
-CURLOPT_PROXY_TLSAUTH_TYPE 7.51.1
-CURLOPT_PROXY_TLSAUTH_USERNAME 7.51.1
+CURLOPT_PROXY_SSLCERT 7.52.0
+CURLOPT_PROXY_SSLCERTTYPE 7.52.0
+CURLOPT_PROXY_SSLKEY 7.52.0
+CURLOPT_PROXY_SSLKEYTYPE 7.52.0
+CURLOPT_PROXY_SSLVERSION 7.52.0
+CURLOPT_PROXY_SSL_CIPHER_LIST 7.52.0
+CURLOPT_PROXY_SSL_OPTIONS 7.52.0
+CURLOPT_PROXY_SSL_VERIFYHOST 7.52.0
+CURLOPT_PROXY_SSL_VERIFYPEER 7.52.0
+CURLOPT_PROXY_TLSAUTH_PASSWORD 7.52.0
+CURLOPT_PROXY_TLSAUTH_TYPE 7.52.0
+CURLOPT_PROXY_TLSAUTH_USERNAME 7.52.0
CURLOPT_PROXY_TRANSFER_MODE 7.18.0
CURLOPT_PUT 7.1
CURLOPT_QUOTE 7.1
@@ -515,8 +515,8 @@ CURLOPT_SOCKOPTDATA 7.16.0
CURLOPT_SOCKOPTFUNCTION 7.16.0
CURLOPT_SOCKS5_GSSAPI_NEC 7.19.4
CURLOPT_SOCKS5_GSSAPI_SERVICE 7.19.4 7.49.0
-CURLOPT_SOCKS_PROXY 7.51.1
-CURLOPT_SOCKS_PROXYTYPE 7.51.1
+CURLOPT_SOCKS_PROXY 7.52.0
+CURLOPT_SOCKS_PROXYTYPE 7.52.0
CURLOPT_SOURCE_HOST 7.12.1 - 7.15.5
CURLOPT_SOURCE_PATH 7.12.1 - 7.15.5
CURLOPT_SOURCE_PORT 7.12.1 - 7.15.5
@@ -630,7 +630,7 @@ CURLPROTO_TELNET 7.19.4
CURLPROTO_TFTP 7.19.4
CURLPROXY_HTTP 7.10
CURLPROXY_HTTP_1_0 7.19.4
-CURLPROXY_HTTPS 7.51.1
+CURLPROXY_HTTPS 7.52.0
CURLPROXY_SOCKS4 7.10
CURLPROXY_SOCKS4A 7.18.0
CURLPROXY_SOCKS5 7.10
diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c
index 6b8696216..19efbf583 100644
--- a/lib/curl_sasl.c
+++ b/lib/curl_sasl.c
@@ -262,6 +262,9 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn,
size_t len = 0;
saslstate state1 = SASL_STOP;
saslstate state2 = SASL_FINAL;
+ const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+ conn->host.name;
+ const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
#if defined(USE_KERBEROS5)
const char* service = data->set.str[STRING_SERVICE_NAME] ?
data->set.str[STRING_SERVICE_NAME] :
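Review bot: The host and port that end up in the OAUTHBEARER message are now selected by `SSL_IS_PROXY()`, whose definition is not part of this diff; if that macro tracks TLS-to-proxy handshake state rather than which peer SASL is authenticating to, the bearer message could name the proxy instead of the target server. The non-proxy branch also now passes `conn->remote_port` where the old call passed `conn->port`, a behaviour change the commit message does not mention. A comment above the two declarations such as `/* host/port must identify the server the bearer token is presented to */` would record the intent. The same declarations are repeated in Curl_sasl_continue (the `@@ -408` hunk) and feed both `Curl_auth_create_oauth_bearer_message` calls; both function bodies continue outside the hunks.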
@@ -341,8 +344,8 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn,
if(force_ir || data->set.sasl_ir)
result = Curl_auth_create_oauth_bearer_message(data, conn->user,
- conn->host.name,
- conn->port,
+ hostname,
+ port,
conn->oauth_bearer,
&resp, &len);
}
@@ -408,6 +411,9 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct connectdata *conn,
struct Curl_easy *data = conn->data;
saslstate newstate = SASL_FINAL;
char *resp = NULL;
+ const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+ conn->host.name;
+ const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
#if !defined(CURL_DISABLE_CRYPTO_AUTH)
char *serverdata;
char *chlg = NULL;
@@ -542,8 +548,8 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct connectdata *conn,
/* Create the authorisation message */
if(sasl->authused == SASL_MECH_OAUTHBEARER) {
result = Curl_auth_create_oauth_bearer_message(data, conn->user,
- conn->host.name,
- conn->port,
+ hostname,
+ port,
conn->oauth_bearer,
&resp, &len);
diff --git a/lib/http_proxy.c b/lib/http_proxy.c
index cd4cac06d..bbe2e8eb1 100644
--- a/lib/http_proxy.c
+++ b/lib/http_proxy.c
@@ -63,6 +63,8 @@ static CURLcode https_proxy_connect(struct connectdata *conn, int sockindex)
}
return result;
#else
+ (void) conn;
+ (void) sockindex;
return CURLE_NOT_BUILT_IN;
#endif
}
diff --git a/lib/multi.c b/lib/multi.c
index 07a903da5..950b600cb 100644
--- a/lib/multi.c
+++ b/lib/multi.c
@@ -813,8 +813,10 @@ static int waitconnect_getsock(struct connectdata *conn,
if(!numsocks)
return GETSOCK_BLANK;
+#ifdef USE_SSL
if(CONNECT_FIRSTSOCKET_PROXY_SSL())
return Curl_ssl_getsock(conn, sock, numsocks);
+#endif
for(i=0; i<2; i++) {
if(conn->tempsock[i] != CURL_SOCKET_BAD) {
diff --git a/lib/url.c b/lib/url.c
index 15ba92cae..ad5921353 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -3786,10 +3786,6 @@ ConnectionExists(struct Curl_easy *data,
CURLcode Curl_connected_proxy(struct connectdata *conn, int sockindex)
{
CURLcode result = CURLE_OK;
- /* if(!conn->bits.proxy || sockindex) */
- /* this magic only works for the primary socket as the secondary is used
- for FTP only and it has FTP specific magic in ftp.c */
- /* return CURLE_OK; */
if(conn->bits.socksproxy) {
#ifndef CURL_DISABLE_PROXY
@@ -3823,6 +3819,8 @@ CURLcode Curl_connected_proxy(struct connectdata *conn, int sockindex)
result = CURLE_COULDNT_CONNECT;
} /* switch proxytype */
conn->bits.socksproxy_connecting = FALSE;
+#else
+ (void)sockindex;
#endif /* CURL_DISABLE_PROXY */
}
diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c
index e4b4a6b48..705bff912 100644
--- a/lib/vtls/darwinssl.c
+++ b/lib/vtls/darwinssl.c
@@ -1038,6 +1038,12 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
struct Curl_easy *data = conn->data;
curl_socket_t sockfd = conn->sock[sockindex];
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+ const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
+ const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
+ char * const ssl_cert = SSL_SET_OPTION(cert);
+ const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+ conn->host.name;
+ const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
#ifdef ENABLE_IPV6
struct in6_addr addr;
#else
@@ -1233,34 +1239,33 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
}
#endif /* CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS */
- if(data->set.str[STRING_KEY_ORIG]) {
+ if(SSL_SET_OPTION(key)) {
infof(data, "WARNING: SSL: CURLOPT_SSLKEY is ignored by Secure "
"Transport. The private key must be in the Keychain.\n");
}
- if(data->set.str[STRING_CERT_ORIG]) {
+ if(ssl_cert) {
SecIdentityRef cert_and_key = NULL;
- bool is_cert_file = is_file(data->set.str[STRING_CERT_ORIG]);
+ bool is_cert_file = is_file(ssl_cert);
/* User wants to authenticate with a client cert. Look for it:
If we detect that this is a file on disk, then let's load it.
Otherwise, assume that the user wants to use an identity loaded
from the Keychain. */
if(is_cert_file) {
- if(!data->set.ssl.cert_type)
+ if(!SSL_SET_OPTION(cert_type))
infof(data, "WARNING: SSL: Certificate type not set, assuming "
- "PKCS#12 format.\n");
- else if(strncmp(data->set.ssl.cert_type, "P12",
- strlen(data->set.ssl.cert_type)))
+ "PKCS#12 format.\n");
+ else if(strncmp(SSL_SET_OPTION(cert_type), "P12",
+ strlen(SSL_SET_OPTION(cert_type))) != 0)
infof(data, "WARNING: SSL: The Security framework only supports "
- "loading identities that are in PKCS#12 format.\n");
- err = CopyIdentityFromPKCS12File(data->set.str[STRING_CERT_ORIG],
- data->set.ssl.key_passwd,
- &cert_and_key);
+ "loading identities that are in PKCS#12 format.\n");
+
+ err = CopyIdentityFromPKCS12File(ssl_cert,
+ SSL_SET_OPTION(key_passwd), &cert_and_key);
}
else
- err = CopyIdentityWithLabel(data->set.str[STRING_CERT_ORIG],
- &cert_and_key);
+ err = CopyIdentityWithLabel(ssl_cert, &cert_and_key);
if(err == noErr) {
SecCertificateRef cert = NULL;
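Review bot: The warning under `if(SSL_SET_OPTION(key))` still says `CURLOPT_SSLKEY is ignored`, although the value may now come from the proxy-side option if `SSL_SET_OPTION` resolves to proxy settings (its definition is not in this diff). Someone configuring a proxy client key would be pointed at the wrong option. Consider wording the message neutrally, for example `"WARNING: SSL: the private key option is ignored by Secure Transport. The private key must be in the Keychain.\n"`. `SSL_SET_OPTION(cert_type)` is also expanded three times in the `strncmp` test and could be held in a local like `ssl_cert`. darwinssl_connect_step1 starts and ends outside this hunk.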
@@ -1301,24 +1306,24 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
switch(err) {
case errSecAuthFailed: case -25264: /* errSecPkcs12VerifyFailure */
failf(data, "SSL: Incorrect password for the certificate \"%s\" "
- "and its private key.", data->set.str[STRING_CERT_ORIG]);
+ "and its private key.", ssl_cert);
break;
case -26275: /* errSecDecode */ case -25257: /* errSecUnknownFormat */
failf(data, "SSL: Couldn't make sense of the data in the "
- "certificate \"%s\" and its private key.",
- data->set.str[STRING_CERT_ORIG]);
+ "certificate \"%s\" and its private key.",
+ ssl_cert);
break;
case -25260: /* errSecPassphraseRequired */
failf(data, "SSL The certificate \"%s\" requires a password.",
- data->set.str[STRING_CERT_ORIG]);
+ ssl_cert);
break;
case errSecItemNotFound:
failf(data, "SSL: Can't find the certificate \"%s\" and its private "
- "key in the Keychain.", data->set.str[STRING_CERT_ORIG]);
+ "key in the Keychain.", ssl_cert);
break;
default:
failf(data, "SSL: Can't load the certificate \"%s\" and its private "
- "key: OSStatus %d", data->set.str[STRING_CERT_ORIG], err);
+ "key: OSStatus %d", ssl_cert, err);
break;
}
return CURLE_SSL_CERTPROBLEM;
@@ -1350,8 +1355,7 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
#else
if(SSLSetSessionOption != NULL) {
#endif /* CURL_BUILD_MAC */
- bool break_on_auth = !conn->ssl_config.verifypeer ||
- data->set.str[STRING_SSL_CAFILE_ORIG];
+ bool break_on_auth = !conn->ssl_config.verifypeer || ssl_cafile;
err = SSLSetSessionOption(connssl->ssl_ctx,
kSSLSessionOptionBreakOnServerAuth,
break_on_auth);
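Review bot: `break_on_auth` still reads `conn->ssl_config.verifypeer` directly, while the rest of darwinssl_connect_step1 now uses the `verifypeer` local taken from `SSL_CONN_CONFIG(verifypeer)`. If that macro selects the proxy's settings during a proxy handshake (its definition is not in this diff), the break-on-auth decision would follow the origin server's verification setting rather than the proxy's. Using the local keeps the two consistent: `bool break_on_auth = !verifypeer || ssl_cafile;`. The `if(conn->ssl_config.verifyhost)` context line in the `@@ -1398` hunk has the same mismatch with the `SSL_CONN_CONFIG(verifyhost)` used for the session ID. The function body continues outside the hunk.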
@@ -1379,15 +1383,14 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
}
#endif /* CURL_BUILD_MAC_10_6 || CURL_BUILD_IOS */
- if(data->set.str[STRING_SSL_CAFILE_ORIG]) {
- bool is_cert_file = is_file(data->set.str[STRING_SSL_CAFILE_ORIG]);
+ if(ssl_cafile) {
+ bool is_cert_file = is_file(ssl_cafile);
if(!is_cert_file) {
- failf(data, "SSL: can't load CA certificate file %s",
- data->set.str[STRING_SSL_CAFILE_ORIG]);
+ failf(data, "SSL: can't load CA certificate file %s", ssl_cafile);
return CURLE_SSL_CACERT_BADFILE;
}
- if(!data->set.ssl.primary.verifypeer) {
+ if(!verifypeer) {
failf(data, "SSL: CA certificate set, but certificate verification "
"is disabled");
return CURLE_SSL_CONNECT_ERROR;
@@ -1398,17 +1401,17 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
* Both hostname check and SNI require SSLSetPeerDomainName().
* Also: the verifyhost setting influences SNI usage */
if(conn->ssl_config.verifyhost) {
- err = SSLSetPeerDomainName(connssl->ssl_ctx, conn->host.name,
- strlen(conn->host.name));
+ err = SSLSetPeerDomainName(connssl->ssl_ctx, hostname,
+ strlen(hostname));
if(err != noErr) {
infof(data, "WARNING: SSL: SSLSetPeerDomainName() failed: OSStatus %d\n",
err);
}
- if((Curl_inet_pton(AF_INET, conn->host.name, &addr))
+ if((Curl_inet_pton(AF_INET, hostname, &addr))
#ifdef ENABLE_IPV6
- || (Curl_inet_pton(AF_INET6, conn->host.name, &addr))
+ || (Curl_inet_pton(AF_INET6, hostname, &addr))
#endif
) {
infof(data, "WARNING: using IP address, SNI is being disabled by "
@@ -1558,10 +1561,8 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
else {
CURLcode result;
ssl_sessionid =
- aprintf("%s:%d:%d:%s:%hu", data->set.str[STRING_SSL_CAFILE_ORIG],
- data->set.ssl.primary.verifypeer,
- data->set.ssl.primary.verifyhost,
- conn->host.name, conn->remote_port);
+ aprintf("%s:%d:%d:%s:%hu", ssl_cafile,
+ verifypeer, SSL_CONN_CONFIG(verifyhost), hostname, port);
ssl_sessionid_len = strlen(ssl_sessionid);
err = SSLSetPeerID(connssl->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
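Review bot: `port` is declared `const long int` in the first darwinssl hunk but is passed here to the `%hu` conversion, which expects an int-promoted unsigned short; that is a format/argument mismatch in a variadic call. Either match the conversion to the type, `aprintf("%s:%d:%d:%s:%ld", ssl_cafile, verifypeer, SSL_CONN_CONFIG(verifyhost), hostname, port);`, or declare `port` with the type the format expects. The function body continues outside the hunk.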
@@ -1898,6 +1899,8 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex)
OSStatus err;
SSLCipherSuite cipher;
SSLProtocol protocol = 0;
+ const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+ conn->host.name;
DEBUGASSERT(ssl_connect_2 == connssl->connecting_state
|| ssl_connect_2_reading == connssl->connecting_state
@@ -1916,8 +1919,8 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex)
/* The below is errSSLServerAuthCompleted; it's not defined in
Leopard's headers */
case -9841:
- if(data->set.str[STRING_SSL_CAFILE_ORIG]) {
- int res = verify_cert(data->set.str[STRING_SSL_CAFILE_ORIG], data,
+ if(SSL_CONN_CONFIG(CAfile)) {
+ int res = verify_cert(SSL_CONN_CONFIG(CAfile), data,
connssl->ssl_ctx);
if(res != CURLE_OK)
return res;
@@ -1986,7 +1989,7 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex)
return CURLE_SSL_CONNECT_ERROR;
default:
failf(data, "Unknown SSL protocol error in connection to %s:%d",
- conn->host.name, err);
+ hostname, err);
return CURLE_SSL_CONNECT_ERROR;
}
}
diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c
index a91d09cb7..6cac9573c 100644
--- a/lib/vtls/gskit.c
+++ b/lib/vtls/gskit.c
@@ -833,7 +833,7 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex)
}
/* Determine which SSL/TLS version should be enabled. */
- sni = conn->host.name;
+ sni = hostname;
switch (ssl_version) {
case CURL_SSLVERSION_SSLv2:
protoflags = CURL_GSKPROTO_SSLV2_MASK;
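Review bot: `sni = hostname;` uses an identifier that this commit never declares in gskit.c: the diffstat lists only two changed lines for the file, and both are in this hunk. Unless gskit_connect_step1 already has a `hostname` local from an earlier change (the function starts outside the hunk), the GSKit build will fail. If it is missing, add the same declaration the other backends received, `const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : conn->host.name;`.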
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 4ef06ee5d..4c9d9fada 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -502,8 +502,8 @@ gtls_connect_step1(struct connectdata *conn,
#ifdef CURL_CA_FALLBACK
/* use system ca certificate store as fallback */
- if(data->set.ssl.verifypeer &&
- !(data->set.ssl.CAfile || data->set.ssl.CApath)) {
+ if(SSL_CONN_CONFIG(verifypeer) &&
+ !(SSL_CONN_CONFIG(CAfile) || SSL_CONN_CONFIG(CApath))) {
gnutls_certificate_set_x509_system_trust(conn->ssl[sockindex].cred);
}
#endif
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index 8fa126a75..c84e597a3 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -163,13 +163,21 @@ mbed_connect_step1(struct connectdata *conn,
{
struct Curl_easy *data = conn->data;
struct ssl_connect_data* connssl = &conn->ssl[sockindex];
+ const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
+ const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
+ const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
+ char * const ssl_cert = SSL_SET_OPTION(cert);
+ const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
+ const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+ conn->host.name;
+ const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
int ret = -1;
char errorbuf[128];
errorbuf[0]=0;
/* mbedTLS only supports SSLv3 and TLSv1 */
- if(data->set.ssl.primary.version == CURL_SSLVERSION_SSLv2) {
+ if(SSL_CONN_CONFIG(version) == CURL_SSLVERSION_SSLv2) {
failf(data, "mbedTLS does not support SSLv2");
return CURLE_SSL_CONNECT_ERROR;
}
@@ -205,34 +213,32 @@ mbed_connect_step1(struct connectdata *conn,
/* Load the trusted CA */
mbedtls_x509_crt_init(&connssl->cacert);
- if(data->set.str[STRING_SSL_CAFILE_ORIG]) {
- ret = mbedtls_x509_crt_parse_file(&connssl->cacert,
- data->set.str[STRING_SSL_CAFILE_ORIG]);
+ if(ssl_cafile) {
+ ret = mbedtls_x509_crt_parse_file(&connssl->cacert, ssl_cafile);
if(ret<0) {
#ifdef MBEDTLS_ERROR_C
mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* MBEDTLS_ERROR_C */
failf(data, "Error reading ca cert file %s - mbedTLS: (-0x%04X) %s",
- data->set.str[STRING_SSL_CAFILE_ORIG], -ret, errorbuf);
+ ssl_cafile, -ret, errorbuf);
- if(data->set.ssl.primary.verifypeer)
+ if(verifypeer)
return CURLE_SSL_CACERT_BADFILE;
}
}
- if(data->set.str[STRING_SSL_CAPATH_ORIG]) {
- ret = mbedtls_x509_crt_parse_path(&connssl->cacert,
- data->set.str[STRING_SSL_CAPATH_ORIG]);
+ if(ssl_capath) {
+ ret = mbedtls_x509_crt_parse_path(&connssl->cacert, ssl_capath);
if(ret<0) {
#ifdef MBEDTLS_ERROR_C
mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* MBEDTLS_ERROR_C */
failf(data, "Error reading ca cert path %s - mbedTLS: (-0x%04X) %s",
- data->set.str[STRING_SSL_CAPATH_ORIG], -ret, errorbuf);
+ ssl_capath, -ret, errorbuf);
- if(data->set.ssl.primary.verifypeer)
+ if(verifypeer)
return CURLE_SSL_CACERT_BADFILE;
}
}
@@ -240,16 +246,15 @@ mbed_connect_step1(struct connectdata *conn,
/* Load the client certificate */
mbedtls_x509_crt_init(&connssl->clicert);
- if(data->set.str[STRING_CERT_ORIG]) {
- ret = mbedtls_x509_crt_parse_file(&connssl->clicert,
- data->set.str[STRING_CERT_ORIG]);
+ if(ssl_cert) {
+ ret = mbedtls_x509_crt_parse_file(&connssl->clicert, ssl_cert);
if(ret) {
#ifdef MBEDTLS_ERROR_C
mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* MBEDTLS_ERROR_C */
failf(data, "Error reading client cert file %s - mbedTLS: (-0x%04X) %s",
- data->set.str[STRING_CERT_ORIG], -ret, errorbuf);
+ ssl_cert, -ret, errorbuf);
return CURLE_SSL_CERTPROBLEM;
}
@@ -258,10 +263,9 @@ mbed_connect_step1(struct connectdata *conn,
/* Load the client private key */
mbedtls_pk_init(&connssl->pk);
- if(data->set.str[STRING_KEY_ORIG]) {
- ret = mbedtls_pk_parse_keyfile(&connssl->pk,
- data->set.str[STRING_KEY_ORIG],
- data->set.str[STRING_KEY_ORIG]);
+ if(SSL_SET_OPTION(key)) {
+ ret = mbedtls_pk_parse_keyfile(&connssl->pk, SSL_SET_OPTION(key),
+ SSL_SET_OPTION(key_passwd));
if(ret == 0 && !mbedtls_pk_can_do(&connssl->pk, MBEDTLS_PK_RSA))
ret = MBEDTLS_ERR_PK_TYPE_MISMATCH;
@@ -270,7 +274,7 @@ mbed_connect_step1(struct connectdata *conn,
mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* MBEDTLS_ERROR_C */
failf(data, "Error reading private key %s - mbedTLS: (-0x%04X) %s",
- data->set.str[STRING_KEY_ORIG], -ret, errorbuf);
+ SSL_SET_OPTION(key), -ret, errorbuf);
return CURLE_SSL_CERTPROBLEM;
}
@@ -279,23 +283,21 @@ mbed_connect_step1(struct connectdata *conn,
/* Load the CRL */
mbedtls_x509_crl_init(&connssl->crl);
- if(data->set.str[STRING_SSL_CRLFILE_ORIG]) {
- ret = mbedtls_x509_crl_parse_file(&connssl->crl,
- data->set.str[STRING_SSL_CRLFILE_ORIG]);
+ if(ssl_crlfile) {
+ ret = mbedtls_x509_crl_parse_file(&connssl->crl, ssl_crlfile);
if(ret) {
#ifdef MBEDTLS_ERROR_C
mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* MBEDTLS_ERROR_C */
failf(data, "Error reading CRL file %s - mbedTLS: (-0x%04X) %s",
- data->set.str[STRING_SSL_CRLFILE_ORIG], -ret, errorbuf);
+ ssl_crlfile, -ret, errorbuf);
return CURLE_SSL_CRL_BADFILE;
}
}
- infof(data, "mbedTLS: Connecting to %s:%d\n",
- conn->host.name, conn->remote_port);
+ infof(data, "mbedTLS: Connecting to %s:%d\n", hostname, port);
mbedtls_ssl_config_init(&connssl->config);
@@ -317,7 +319,7 @@ mbed_connect_step1(struct connectdata *conn,
mbedtls_ssl_conf_cert_profile(&connssl->config,
&mbedtls_x509_crt_profile_fr);
- switch(data->set.ssl.primary.version) {
+ switch(SSL_CONN_CONFIG(version)) {
case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1:
mbedtls_ssl_conf_min_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3,
@@ -393,11 +395,11 @@ mbed_connect_step1(struct connectdata *conn,
&connssl->cacert,
&connssl->crl);
- if(data->set.str[STRING_KEY_ORIG]) {
+ if(SSL_SET_OPTION(key)) {
mbedtls_ssl_conf_own_cert(&connssl->config,
&connssl->clicert, &connssl->pk);
}
- if(mbedtls_ssl_set_hostname(&connssl->ssl, conn->host.name)) {
+ if(mbedtls_ssl_set_hostname(&connssl->ssl, hostname)) {
/* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks *and*
the name to set in the SNI extension. So even if curl connects to a
host specified as an IP address, this function must be used. */
@@ -487,7 +489,7 @@ mbed_connect_step2(struct connectdata *conn,
ret = mbedtls_ssl_get_verify_result(&conn->ssl[sockindex].ssl);
- if(ret && data->set.ssl.primary.verifypeer) {
+ if(ret && SSL_CONN_CONFIG(verifypeer)) {
if(ret & MBEDTLS_X509_BADCERT_EXPIRED)
failf(data, "Cert verify failed: BADCERT_EXPIRED");
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index b8bc6c117..465d1bef6 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2074,7 +2074,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
ssl_capath ? ssl_capath : "none");
}
#ifdef CURL_CA_FALLBACK
- else if(data->set.ssl.verifypeer) {
+ else if(verifypeer) {
/* verfying the peer without any CA certificates won't
work so use openssl's built in default as fallback */
SSL_CTX_set_default_verify_paths(connssl->ctx);
@@ -2108,7 +2108,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
*/
#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
- if(data->set.ssl.verifypeer) {
+ if(verifypeer) {
X509_STORE_set_flags(SSL_CTX_get_cert_store(connssl->ctx),
X509_V_FLAG_TRUSTED_FIRST);
}
@@ -2204,6 +2204,8 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
struct Curl_easy *data = conn->data;
int err;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+ long * const certverifyresult = SSL_IS_PROXY() ?
+ &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
DEBUGASSERT(ssl_connect_2 == connssl->connecting_state
|| ssl_connect_2_reading == connssl->connecting_state
|| ssl_connect_2_writing == connssl->connecting_state);
@@ -2253,7 +2255,7 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
lerr = SSL_get_verify_result(connssl->handle);
if(lerr != X509_V_OK) {
- data->set.ssl.certverifyresult = lerr;
+ *certverifyresult = lerr;
snprintf(error_buffer, sizeof(error_buffer),
"SSL certificate problem: %s",
X509_verify_cert_error_string(lerr));
diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
index 7b20c2656..25d44382c 100644
--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
@@ -123,9 +123,11 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
#endif
TCHAR *host_name;
CURLcode result;
+ const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+ conn->host.name;
infof(data, "schannel: SSL/TLS connection with %s port %hu (step 1/3)\n",
- conn->host.name, conn->remote_port);
+ hostname, conn->remote_port);
#ifdef HAS_ALPN
/* ALPN is only supported on Windows 8.1 / Server 2012 R2 and above.
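Review bot: The `infof` call now prints the proxy's host name but still passes `conn->remote_port`, so for a TLS handshake with an HTTPS proxy the message pairs the proxy host with what is presumably the origin's port. The mbedtls hunk in this commit logs `hostname, port`, which suggests a port chosen the same way as the host. Here a local `port` selected with `SSL_IS_PROXY()` next to `hostname`, passed as `hostname, port);`, would keep the line accurate for anyone using the log to work out which endpoint a TLS session was negotiated with. The same pairing appears in the step 2/3, step 3/3 and shutdown hunks below. The body of schannel_connect_step1 continues outside the hunk.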
@@ -259,9 +261,9 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
}
/* Warn if SNI is disabled due to use of an IP address */
- if(Curl_inet_pton(AF_INET, conn->host.name, &addr)
+ if(Curl_inet_pton(AF_INET, hostname, &addr)
#ifdef ENABLE_IPV6
- || Curl_inet_pton(AF_INET6, conn->host.name, &addr6)
+ || Curl_inet_pton(AF_INET6, hostname, &addr6)
#endif
) {
infof(data, "schannel: using IP address, SNI is not supported by OS.\n");
@@ -339,7 +341,7 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
}
memset(connssl->ctxt, 0, sizeof(struct curl_schannel_ctxt));
- host_name = Curl_convert_UTF8_to_tchar(conn->host.name);
+ host_name = Curl_convert_UTF8_to_tchar(hostname);
if(!host_name)
return CURLE_OUT_OF_MEMORY;
@@ -412,11 +414,13 @@ schannel_connect_step2(struct connectdata *conn, int sockindex)
TCHAR *host_name;
CURLcode result;
bool doread;
+ const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+ conn->host.name;
doread = (connssl->connecting_state != ssl_connect_2_writing) ? TRUE : FALSE;
infof(data, "schannel: SSL/TLS connection with %s port %hu (step 2/3)\n",
- conn->host.name, conn->remote_port);
+ hostname, conn->remote_port);
if(!connssl->cred || !connssl->ctxt)
return CURLE_SSL_CONNECT_ERROR;
@@ -512,7 +516,7 @@ schannel_connect_step2(struct connectdata *conn, int sockindex)
memcpy(inbuf[0].pvBuffer, connssl->encdata_buffer,
connssl->encdata_offset);
- host_name = Curl_convert_UTF8_to_tchar(conn->host.name);
+ host_name = Curl_convert_UTF8_to_tchar(hostname);
if(!host_name)
return CURLE_OUT_OF_MEMORY;
@@ -644,6 +648,8 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
SECURITY_STATUS sspi_status = SEC_E_OK;
CERT_CONTEXT *ccert_context = NULL;
+ const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+ conn->host.name;
#ifdef HAS_ALPN
SecPkgContext_ApplicationProtocol alpn_result;
#endif
@@ -651,7 +657,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
infof(data, "schannel: SSL/TLS connection with %s port %hu (step 3/3)\n",
- conn->host.name, conn->remote_port);
+ hostname, conn->remote_port);
if(!connssl->cred)
return CURLE_SSL_CONNECT_ERROR;
@@ -1384,9 +1390,11 @@ int Curl_schannel_shutdown(struct connectdata *conn, int sockindex)
*/
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+ const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+ conn->host.name;
infof(data, "schannel: shutting down SSL/TLS connection with %s port %hu\n",
- conn->host.name, conn->remote_port);
+ hostname, conn->remote_port);
if(connssl->cred && connssl->ctxt) {
SecBufferDesc BuffDesc;
@@ -1408,7 +1416,7 @@ int Curl_schannel_shutdown(struct connectdata *conn, int sockindex)
failf(data, "schannel: ApplyControlToken failure: %s",
Curl_sspi_strerror(conn, sspi_status));
- host_name = Curl_convert_UTF8_to_tchar(conn->host.name);
+ host_name = Curl_convert_UTF8_to_tchar(hostname);
if(!host_name)
return CURLE_OUT_OF_MEMORY;
@@ -1533,6 +1541,9 @@ static CURLcode verify_certificate(struct connectdata *conn, int sockindex)
CURLcode result = CURLE_OK;
CERT_CONTEXT *pCertContextServer = NULL;
const CERT_CHAIN_CONTEXT *pChainContext = NULL;
+ const char * const conn_hostname = SSL_IS_PROXY() ?
+ conn->http_proxy.host.name :
+ conn->host.name;
status = s_pSecFn->QueryContextAttributes(&connssl->ctxt->ctxt_handle,
SECPKG_ATTR_REMOTE_CERT_CONTEXT,
@@ -1597,7 +1608,7 @@ static CURLcode verify_certificate(struct connectdata *conn, int sockindex)
DWORD len;
cert_hostname.const_tchar_ptr = cert_hostname_buff;
- hostname.tchar_ptr = Curl_convert_UTF8_to_tchar(conn->host.name);
+ hostname.tchar_ptr = Curl_convert_UTF8_to_tchar(conn_hostname);
/* TODO: Fix this for certificates with multiple alternative names.
Right now we're only asking for the first preferred alternative name.
@@ -1615,7 +1626,7 @@ static CURLcode verify_certificate(struct connectdata *conn, int sockindex)
128);
if(len > 0 && *cert_hostname.tchar_ptr == '*') {
/* this is a wildcard cert. try matching the last len - 1 chars */
- int hostname_len = strlen(conn->host.name);
+ int hostname_len = strlen(conn_hostname);
cert_hostname.tchar_ptr++;
if(_tcsicmp(cert_hostname.const_tchar_ptr,
hostname.const_tchar_ptr + hostname_len - len + 2) != 0)
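Review bot: The wildcard comparison computes `hostname.const_tchar_ptr + hostname_len - len + 2` with no check that the host name is at least as long as the certificate name's suffix. When the connection name (now possibly the proxy's) is shorter, the offset is negative and `_tcsicmp` reads before the start of the converted buffer. A length guard in the condition closes that: `if((DWORD)hostname_len + 2 < len || _tcsicmp(cert_hostname.const_tchar_ptr, hostname.const_tchar_ptr + hostname_len - len + 2) != 0)`. Separately, `hostname_len` is the byte length of the UTF-8 string but is used to index the TCHAR conversion, so the two can disagree for non-ASCII names in a UNICODE build. Taking the length of `hostname.const_tchar_ptr` instead would avoid that. The branch taken on mismatch lies outside this hunk.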
@@ -1630,7 +1641,7 @@ static CURLcode verify_certificate(struct connectdata *conn, int sockindex)
_cert_hostname = Curl_convert_tchar_to_UTF8(cert_hostname.tchar_ptr);
failf(data, "schannel: CertGetNameString() certificate hostname "
"(%s) did not match connection (%s)",
- _cert_hostname, conn->host.name);
+ _cert_hostname, conn_hostname);
Curl_unicodefree(_cert_hostname);
}
Curl_unicodefree(hostname.tchar_ptr);