aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2016-08-17curl: allow "pkcs11:" prefix for client certificatesDavid Woodhouse
RFC7512 provides a standard method to reference certificates in PKCS#11 tokens, by means of a URI starting 'pkcs11:'. We're working on fixing various applications so that whenever they would have been able to use certificates from a file, users can simply insert a PKCS#11 URI instead and expect it to work. This expectation is now a part of the Fedora packaging guidelines, for example. This doesn't work with cURL because of the way that the colon is used to separate the certificate argument from the passphrase. So instead of curl -E 'pkcs11:manufacturer=piv_II;id=%01' … I instead need to invoke cURL with the colon escaped, like this: curl -E 'pkcs11\:manufacturer=piv_II;id=%01' … This is suboptimal because we want *consistency* — the URI should be usable in place of a filename anywhere, without having strange differences for different applications. This patch therefore disables the processing in parse_cert_parameter() when the string starts with 'pkcs11:'. It means you can't pass a passphrase with an unescaped PKCS#11 URI, but there's no need to do so because RFC7512 allows a PIN to be given as a 'pin-value' attribute in the URI itself. Also, if users are already using RFC7512 URIs with the colon escaped as in the above example — even providing a passphrase for cURL to handling instead of using a pin-value attribute, that will continue to work because their string will start 'pkcs11\:' and won't match the check. What *does* break with this patch is the extremely unlikely case that a user has a file which is in the local directory and literally named just "pkcs11", and they have a passphrase on it. If that ever happened, the user would need to refer to it as './pkcs11:<passphrase>' instead.
2016-08-17nss: make the global variables staticDaniel Stenberg
2016-08-16openssl: use regular malloc instead of OPENSSL_mallocDaniel Stenberg
This allows for better memmory debugging and torture tests.
2016-08-16proxy: fix tests as follow-up to 93b0d907d5Daniel Stenberg
This fixes tests that were added after 113f04e664b as the tests would fail otherwise. We bring back "Proxy-Connection: Keep-Alive" now unconditionally to fix regressions with old and stupid proxies, but we could possibly switch to using it only for CONNECT or only for NTLM in a future if we want to gradually reduce it. Fixes #954 Reported-by: János Fekete
2016-08-16Revert "Proxy-Connection: stop sending this header by default"Daniel Stenberg
This reverts commit 113f04e664b16b944e64498a73a4dab990fe9a68.
2016-08-15CURLOPT_PROXY.3: unsupported schemes cause errors nowDaniel Stenberg
Follow-up to a96319ebb9 (document the new behavior)
2016-08-15tests/README: mention nghttpx for HTTP/2 testsDaniel Stenberg
2016-08-15README.md: add our CII Best Practices badgeDaniel Stenberg
2016-08-15proxy: polished the error message for unsupported schemesDaniel Stenberg
Follow up to a96319ebb93
2016-08-15test219: verify unsupported scheme for proxies get rejectedDaniel Stenberg
2016-08-15proxy: reject attempts to use unsupported proxy schemesDaniel Stenberg
I discovered some people have been using "https://example.com" style strings as proxy and it "works" (curl doesn't complain) because curl ignores unknown schemes and then assumes plain HTTP instead. I think this misleads users into believing curl uses HTTPS to proxies when it doesn't. Now curl rejects proxy strings using unsupported schemes instead of just ignoring and defaulting to HTTP.
2016-08-15RELEASE-NOTES: synced with b7ee5316c2fd5bDaniel Stenberg
2016-08-14socks.c: Correctly calculate position of port in response packetMarc Hoersken
Third commit to fix issue #944 regarding SOCKS5 error handling. Reported-by: David Kalnischkies
2016-08-14socks.c: Do not modify and invalidate calculated response lengthMarc Hoersken
Second commit to fix issue #944 regarding SOCKS5 error handling. Reported-by: David Kalnischkies
2016-08-14socks.c: Move error output after reading the whole response packetMarc Hoersken
First commit to fix issue #944 regarding SOCKS5 error handling. Reported-by: David Kalnischkies
2016-08-13MANUAL: Remove invalid link to LDAP documentation (#962)Ronnie Mose
The server developer.netscape.com does not resolve into any ip address and can be removed.
2016-08-13openssl: accept subjectAltName iPAddress if no dNSName matchJay Satiro
Undo change introduced in d4643d6 which caused iPAddress match to be ignored if dNSName was present but did not match. Also, if iPAddress is present but does not match, and dNSName is not present, fail as no-match. Prior to this change in such a case the CN would be checked for a match. Bug: https://github.com/curl/curl/issues/959 Reported-by: wmsch@users.noreply.github.com
2016-08-12configure.ac: add zlib search with pkg-configDambaev Alexander
Closes #956
2016-08-11rtsp: ignore whitespace in session idDaniel Stenberg
Follow-up to e577c43bb to fix test case 569 brekage: stop the parser at whitespace as well. Help-by: Erik Janssen
2016-08-11HTTP: retry failed HEAD requests tooDaniel Stenberg
Mark's new document about HTTP Retries (https://mnot.github.io/I-D/httpbis-retry/) made me check our code and I spotted that we don't retry failed HEAD requests which seems totally inconsistent and I can't see any reason for that separate treatment. So, no separate treatment for HEAD starting now. A HTTP request sent over a reused connection that gets cut off before a single byte is received will be retried on a fresh connection. Made-aware-by: Mark Nottingham
2016-08-11mk-ca-bundle.1: document -m, added in 1.26Daniel Stenberg
2016-08-10RELEASE-NOTES: synced with e577c43bb5Daniel Stenberg
2016-08-10rtsp: accept any RTSP session idErik Janssen
Makes libcurl work in communication with gstreamer-based RTSP servers. The original code validates the session id to be in accordance with the RFC. I think it is better not to do that: - For curl the actual content is a don't care. - The clarity of the RFC is debatable, is $ allowed or only as \$, that is imho not clear - Gstreamer seems to url-encode the session id but % is not allowed by the RFC - less code With this patch curl will correctly handle real-life lines like: Session: biTN4Kc.8%2B1w-AF.; timeout=60 Bug: https://curl.haxx.se/mail/lib-2016-08/0076.html
2016-08-09symbols-in-versions: add CURL_STRICTERDaniel Stenberg
Added in 5fce88aa8c12564
2016-08-09winbuild: Allow changing C compiler via environment variable CC (#952)Simon Warta
This makes it possible to use specific compilers or a cache. Sample use for clcache: set CC=clcache.bat nmake /f Makefile.vc DEBUG=no MODE=static VC=14 GEN_PDB=no
2016-08-09LICENSE-MIXING.md: switched to markdownDaniel Stenberg
2016-08-09docs-make: have markdown files use .mdDaniel Stenberg
2016-08-09curl.h: make CURL_NO_OLDIES define CURL_STRICTERDaniel Stenberg
2016-08-09HISTORY.md: use markdown extensionDaniel Stenberg
2016-08-09SSLCERTS.md: renamed to markdown extensionDaniel Stenberg
2016-08-09INTERNALS.md: use markdown extension for markdown contentDaniel Stenberg
2016-08-09CONTRIBUTE.md: markdown extensionDaniel Stenberg
2016-08-09CONTRIBUTE: changed to markdownDaniel Stenberg
2016-08-09CONTRIBUTE: refreshedDaniel Stenberg
2016-08-09TODO: added an SSH section and two SFTP things to doDaniel Stenberg
2016-08-09TODO: remove the 1.22 duplicated itemDaniel Stenberg
2016-08-09TODO: move "CURLOPT_MAIL_CLIENT" to SMTP sectionDaniel Stenberg
2016-08-09TODO: API for URL parsing/splittingDaniel Stenberg
2016-08-09TODO: move QUIC to the HTTP sectionDaniel Stenberg
2016-08-09winbuild: Free name $(CC) in Makefile (#950)Simon Warta
In the old line number 290, CC and CURL_CC had the same value. After that, /DCURL_STATICLIB was added to CC but not CURL_CC (intended?). This gets rid of the CC variable entirely. It is a first step to make it possible to manualyl set a CC variable in order to be able to change the compiler.
2016-08-08TODO: Use huge HTTP/2 windowsDaniel Stenberg
2016-08-08winbuild: Avoid setting redundant CFLAGS to compile commands (#949)Simon Warta
$(CURL_CC) is always used with $(CURL_CFLAGS) appended, so before this, all arguments in CURL_CFLAGS have been added twice.
2016-08-08cmake: Enable win32 threaded resolver by defaultJay Satiro
- Turn on USE_THREADS_WIN32 in Windows if ares isn't on This change is similar to what we already do in the autotools build.
2016-08-08cmake: Enable win32 large file support by defaultJay Satiro
All compilers used by cmake in Windows should support large files. - Add test SIZEOF_OFF_T - Remove outdated test SIZEOF_CURL_OFF_T - Turn on USE_WIN32_LARGE_FILES in Windows - Check for 'Largefile' during the features output
2016-08-07TODO: added several ideas, removed SPDYDaniel Stenberg
2016-08-05http2: always wait for readable socketDaniel Stenberg
Since the server can at any time send a HTTP/2 frame to us, we need to wait for the socket to be readable during all transfers so that we can act on incoming frames even when uploading etc. Reminded-by: Tatsuhiro Tsujikawa
2016-08-05RELEASE-NOTES: synced with 7b4bf37a44791Daniel Stenberg
2016-08-05mbedtls: set debug threshold to 4 (verbose) when MBEDTLS_DEBUG is definedThomas Glanzmann
In order to make MBEDTLS_DEBUG work, the debug threshold must be unequal to 0. This patch also adds a comment how mbedtls must be compiled in order to make debugging work, and explains the possible debug levels.
2016-08-05CURLOPT_TCP_NODELAY: now enabled by defaultDaniel Stenberg
After a few wasted hours hunting down the reason for slowness during a TLS handshake that turned out to be because of TCP_NODELAY not being set, I think we have enough motivation to toggle the default for this option. We now enable TCP_NODELAY by default and allow applications to switch it off. This also makes --tcp-nodelay unnecessary, but --no-tcp-nodelay can be used to disable it. Thanks-to: Tim Rühsen Bug: https://curl.haxx.se/mail/lib-2016-06/0143.html
2016-08-04TFTP: Fix upload problem with piped inputSerj Kalichev
When input stream for curl is stdin and input stream is not a file but generated by a script then curl can truncate data transfer to arbitrary size since a partial packet is treated as end of transfer by TFTP. Fixes #857