| Age | Commit message (Collapse) | Author |
|---|
|
Follow-up to 5450428491
|
|
- Implement new option CURLSSLOPT_REVOKE_BEST_EFFORT and
--ssl-revoke-best-effort to allow a "best effort" revocation check.
A best effort revocation check ignores errors that the revocation check
was unable to take place. The reasoning is described in detail below and
discussed further in the PR.
---
When running e.g. with Fiddler, the schannel backend fails with an
unhelpful error message:
Unknown error (0x80092012) - The revocation function was unable
to check revocation for the certificate.
Sadly, many enterprise users who are stuck behind MITM proxies suffer
the very same problem.
This has been discussed in plenty of issues:
https://github.com/curl/curl/issues/3727,
https://github.com/curl/curl/issues/264, for example.
In the latter, a Microsoft Edge developer even made the case that the
common behavior is to ignore issues when a certificate has no recorded
distribution point for revocation lists, or when the server is offline.
This is also known as "best effort" strategy and addresses the Fiddler
issue.
Unfortunately, this strategy was not chosen as the default for schannel
(and is therefore a backend-specific behavior: OpenSSL seems to happily
ignore the offline servers and missing distribution points).
To maintain backward-compatibility, we therefore add a new flag
(`CURLSSLOPT_REVOKE_BEST_EFFORT`) and a new option
(`--ssl-revoke-best-effort`) to select the new behavior.
Due to the many related issues Git for Windows and GitHub Desktop, the
plan is to make this behavior the default in these software packages.
The test 2070 was added to verify this behavior, adapted from 310.
Based-on-work-by: georgeok <giorgos.n.oikonomou@gmail.com>
Co-authored-by: Markus Olsson <j.markus.olsson@gmail.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Closes https://github.com/curl/curl/pull/4981
|
|
- If an easy handle is owned by a multi different from the one specified
then return CURLM_BAD_EASY_HANDLE.
Prior to this change I assume user error could cause corruption.
Closes https://github.com/curl/curl/pull/5116
|
|
Ref: https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-cryptacquirecontexta#parameters
Reviewed-by: Marc Hörsken
Closes https://github.com/curl/curl/pull/5088
|
|
Follow-up to 04c03416e68fd635a15
|
|
Makes curl_easy_getinfo() of "variable" numerical content instead return
the number set in the env variable `CURL_TIME`.
Makes curl_version() of "variable" textual content. This guarantees a
stable version string which can be tested against. Environment variable
`CURL_VERSION` defines the content.
Assisted-by: Mathias Gumz
|
|
This commit adds support to generate JSON via the writeout feature:
-w "%{json}"
It leverages the existing infrastructure as much as possible. Thus,
generating the JSON on STDERR is possible by:
-w "%{stderr}%{json}"
This implements a variant of
https://github.com/curl/curl/wiki/JSON#--write-out-json.
Closes #4870
|
|
|
|
The test uses SRP to "a server not supporting it" but modern stunnel
versions will silently accept it and remain happy. The test is therefore
faulty.
I haven't figured out how to make stunnel explicitly reject SRP-using
connects.
Reported-by: Marc Hörsken
Fixes #5105
Closes #5113
|
|
For some reason the torture builds have slowed down recently.
Reported-by: Daniel Stenberg
|
|
My working build cmdline:
$ cmake -DCMAKE_PREFIX_PATH=$HOME/build-wolfssl -DCMAKE_USE_WOLFSSL=ON .
Assisted-by: Brad King
Closes #5095
|
|
Trying to return early from the function if no new transfers were added
would break the "morep" argument and cause issues. This could lead to
zero content "transfers" (within quotes since they would never be
started) when parallel-max was reduced.
Reported-by: Gavin Wong
Analyzed-by: Jay Satiro
Fixes #4937
Closes #5112
|
|
Torture testing 2034 and 2037 found this.
Reported-by: Marc Hörsken
Fixes #5108
Closes #5109
|
|
Closes #5111
|
|
Follow-up from 083603c63a3
|
|
Follow up to c52b342
Closes #5106
|
|
Fixes test1452:41:1: error: missing </stdout> tag before </verify>
|
|
Also force the package index/cache to be updated before installing.
Closes #5103
|
|
Follow up to 4be2560
|
|
When libcurl retries a connection due to it being "seemingly dead" or by
REFUSED_STREAM, it will now only do it up five times before giving up,
to avoid never-ending loops.
Reported-by: Dima Tisnek
Bug: https://curl.haxx.se/mail/lib-2020-03/0044.html
Closes #5074
|
|
Closes #5081
|
|
|
|
Detected by Codacy
|
|
Reviewed by Daniel Stenberg
Reviewed by Marcel Raad
Closes #5078
|
|
Make sure each separate index in connn->tempaddr[] is used for a fixed
family (and only that family) during the connection process.
If family one takes a long time and family two fails immediately, the
previous logic could misbehave and retry the same family two address
repeatedly.
Reported-by: Paul Vixie
Reported-by: Jay Satiro
Fixes #5083
Fixes #4954
Closes #5089
|
|
|
|
|
|
Users of the SMB tests will have to install impacket manually.
Reasoning: our in-tree version of impacket was quite outdated
and only compatible with Python 2 which is already end-of-life.
Upgrading to Python 3 and a compatible impacket version would
require to import additional Python-only and CPython-extension
dependencies. This would have hindered portability enormously.
Closes #5094
|
|
- s/COFF/coff/
Some versions of windres do not recognize uppercase COFF as a valid
way to specify the COFF output format.
Reported-by: Steven Penny
Fixes https://github.com/curl/curl/issues/5099
Closes https://github.com/curl/curl/pull/5101
|
|
- Ignore CURLE_NOT_BUILT_IN errors returned by c-ares functions in
curl_easy_duphandle.
Prior to this change if c-ares was used as the resolver backend and
either it was too old or libcurl was built without IPv6 support then
some of our resolver functions could return CURLE_NOT_BUILT_IN to
curl_easy_duphandle causing it to fail.
Caused by c8f086b which shipped in 7.69.1.
Reported-by: Karl Chen
Fixes https://github.com/curl/curl/issues/5097
Closes https://github.com/curl/curl/pull/5100
|
|
- --url man page section
- libcurl-security.3 gets the full text
- CURLOPT_URL.3
Reported-by: Tim Sedlmeyer
|
|
When extracting a <section> <part> and there's no </part> before
</section>, this now outputs an error and returns a wrong string to
make users spot the mistake.
Ref: #5070
Closes #5071
|
|
This makes smbserver load on Python 3, but still not work completely.
|
|
Even though the existing code can be fixed to run on Python 3, the
tests will fail due to the Unicode transition the protocol is invalid.
Follow up to ee63837
Closes #5085
|
|
Closes #5087
|
|
Follow up to ee63837 and 8c7c4a6
Fixes #5077
|
|
bumped to 7.69.2
|
|
This allows these test files to pass xmllint.
|
|
In bmake, if the directory is changed (with cd or anything else), bmake
won't return to the "root directory" on the next command (in the same
Makefile rule). This commit runs the cd command in a subshell so it
would work in bmake.
Closes #5073
|
|
As all the -I uses in CFLAGS at that point are for system headers and
third party libraries this helps us remove/ignore warnings on those!
Closes #5060
|
|
If --enable-werror is used.
Follow-up to d5c0351055d5709da which added it too early in the configure
script before $compiler_num was set correctly and thus this option was
never used.
Reported-by: Stepan Efremov
Fixes #5067
Closes #5068
|
|
The CURL_CHECK_COMPILER_GNU_C function sets the number to MAJOR*100 +
MINOR and ignores the patch version, and since gcc version 7 it only
sets it to MAJOR*100.
Reported-by: Stepan Efremov
Ref: #5067
Closes #5069
|
|
|
|
|
|
Fixes #5070
Closes #5072
|
|
Follow up to 94ced8e
|
|
Closes #5065
|
|
Follow up to 9819984 and 3dce984
Reviewed-By: Daniel Stenberg
Closes #5064
|
|
|
|
This fix adds a defensive check for the case where the char *name in
struct libssh2_knownhost is NULL
Fixes #5041
Closes #5062
|
