Age | Commit message | Author
2016-01-18 | mbedtls: Fix pinned key return value on fail | Jay Satiro
- Switch from verifying a pinned public key in a callback during the certificate verification to inline after the certificate verification.
The callback method had three problems:
1. If a pinned public key didn't match, CURLE_SSL_PINNEDPUBKEYNOTMATCH was not returned.
2. If peer certificate verification was disabled the pinned key verification did not take place as it should.
3. (related to #2) If there was no certificate of depth 0 the callback would not have checked the pinned public key.
Though all those problems could have been fixed it would have made the code more complex. Instead we now verify inline after the certificate verification in mbedtls_connect_step2.
Ref: http://curl.haxx.se/mail/lib-2016-01/0047.html
Ref: https://github.com/bagder/curl/pull/601
2016-01-18 | tests: Add a test for pinnedpubkey fail even when insecure | Jay Satiro
Because disabling the peer verification (--insecure) must not disable the public key pinning check (--pinnedpubkey).
2016-01-16 | CURLINFO_RESPONSE_CODE.3: add example | Daniel Schauenberg
2016-01-15 | ssh: make CURLOPT_SSH_PUBLIC_KEYFILE treat "" as NULL | Kamil Dudka
The CURLOPT_SSH_PUBLIC_KEYFILE option has been documented to handle empty strings specially since curl-7_25_0-31-g05a443a but the behavior was unintentionally removed in curl-7_38_0-47-gfa7d04f. This commit restores the original behavior and clarifies it in the documentation that NULL and "" have both the same meaning when passed to CURLOPT_SSH_PUBLIC_KEYFILE. Bug: http://curl.haxx.se/mail/lib-2016-01/0072.html
2016-01-14 | RELEASE-NOTES: synced with 35083ca60ed035a | Daniel Stenberg
2016-01-14 | openssl: improved error detection/reporting | Daniel Stenberg
... by extracting the LIB + REASON from the OpenSSL error code. OpenSSL 1.1.0+ returned a new func number of another certificate fail so this required a fix and this is the better way to catch this error anyway.
2016-01-14 | openssl: for 1.1.0+ they now provide a SSLeay() macro of their own | Daniel Stenberg
2016-01-13 | CURLOPT_RESOLVE.3: minor language polish | Daniel Stenberg
2016-01-12 | configure: assume IPv6 works when cross-compiled | Daniel Stenberg
The configure test uses AC_TRY_RUN to figure out if an ipv6 socket works, and testing like that doesn't work for cross-compiles. These days IPv6 support is widespread so a blind guess is probably more likely to be 'yes' than 'no' now. Further: anyone who cross-compiles can use configure's --disable-ipv6 to explicitly disable IPv6 and that also works for cross-compiles. Made happen after discussions in issue #594
2016-01-12 | TODO: "Try to URL encode given URL" | Daniel Stenberg
Closes #514
2016-01-11 | ConnectionExists: only do pipelining/multiplexing when asked | Daniel Stenberg
When an HTTP/2 upgrade request fails (no protocol switch), it would previously detect that as still possible to pipeline on (which is acorrect) and do that when PIPEWAIT was enabled even if pipelining was not explicitly enabled. It should only pipeline if explicitly asked to. Closes #584
2016-01-11 | lib: Prefix URLs with lower-case protocol names/schemes | Mohammad AlSaleh
Before this patch, if a URL does not start with the protocol name/scheme, effective URLs would be prefixed with upper-case protocol names/schemes. This behavior might not be expected by library users or end users. For example, if `CURLOPT_DEFAULT_PROTOCOL` is set to "https". And the URL is "hostname/path". The effective URL would be "HTTPS://hostname/path" instead of "https://hostname/path". After this patch, effective URLs would be prefixed with a lower-case protocol name/scheme. Closes #597 Signed-off-by: Mohammad AlSaleh <CE.Mohammad.AlSaleh@gmail.com>
2016-01-11 | scripts: don't generate and install zsh completion when cross-compiling | Alessandro Ghedini
2016-01-11 | scripts: fix zsh completion generation | Alessandro Ghedini
The script should use the just-built curl, not the system one. This fixes zsh completion generation when no system curl is installed.
2016-01-11 | zsh.pl: fail if no curl is found | Alessandro Ghedini
Instead of generating a broken completion file.
2016-01-11 | IDN host names: Remove the port number before converting to ACE | Michael Kaufmann
Closes #596
2016-01-10 | runtests: Add mbedTLS to the SSL backends | Jay Satiro
.. and enable SSLpinning tests for mbedTLS, BoringSSL and LibreSSL.
2016-01-10 | mbedtls: implement CURLOPT_PINNEDPUBLICKEY | Thomas Glanzmann
2016-01-09 | url: Fix compile error with --enable-werror | Tatsuhiro Tsujikawa
2016-01-08 | http2: Ensure that http2_handle_stream_close is called | Tatsuhiro Tsujikawa
Previously, when HTTP/2 is enabled and used, and stream has content length known, Curl_read was not called when there were no bytes left to read. Because of this, we could not make sure that http2_handle_stream_close was called for every stream. Since we use http2_handle_stream_close to emit trailer fields, they were effectively ignored. This commit changes the code so that Curl_read is called even if no bytes are left to read, to ensure that http2_handle_stream_close is called for every stream. Discussed in https://github.com/bagder/curl/pull/564
2016-01-08 | http2: handle the received SETTINGS frame | Daniel Stenberg
This regression landed in 5778e6f5 and made libcurl not act on received settings and instead stayed with its internal defaults. Bug: http://curl.haxx.se/mail/lib-2016-01/0031.html Reported-by: Bankde
2016-01-08 | Revert "multiplex: allow only once HTTP/2 is actually used" | Daniel Stenberg
This reverts commit 46cb70e9fa81c9a56de484cdd7c5d9d0d9fbec36. Bug: http://curl.haxx.se/mail/lib-2016-01/0031.html
2016-01-08 | http2: Fix PUSH_PROMISE headers being treated as trailers | Tatsuhiro Tsujikawa
Discussed in https://github.com/bagder/curl/pull/564
2016-01-08 | connection reuse: IDN host names fixed | Michael Kaufmann
Use the ACE form of IDN hostnames as key in the connection cache. Add new tests. Closes #592
2016-01-07 | tests: mark IPv6 FTP and FTPS tests with the FTP keyword | Daniel Stenberg
2016-01-07 | mbedtls: Fix ALPN support | Jay Satiro
- Fix ALPN reply detection.
- Wrap nghttp2 code in ifdef USE_NGHTTP2.
Prior to this change ALPN and HTTP/2 did not work properly in mbedTLS.
2016-01-06 | http2: Fix client write for trailers on stream close | Jay Satiro
Check that the trailer buffer exists before attempting a client write for trailers on stream close. Refer to comments in https://github.com/bagder/curl/pull/564
2016-01-07 | COPYING: update general copyright year range | Daniel Stenberg
2016-01-06 | ConnectionExists: add missing newline in infof() call | Daniel Stenberg
Mistake from commit a464f33843ee1
2016-01-06 | multiplex: allow only once HTTP/2 is actually used | Daniel Stenberg
To make sure curl doesn't allow multiplexing before a connection is upgraded to HTTP/2 (like when Upgrade: h2c fails), we must make sure the connection uses HTTP/2 as well and not only check what's wanted. Closes #584 Patch-by: c0ff
2016-01-04 | curl_global_init.3: Add Windows-specific info for init via DLL | Jay Satiro
- Add to both curl_global_init.3 and libcurl.3 the caveat for Windows that initializing libcurl via a DLL's DllMain or static initializer could cause a deadlock. Bug: https://github.com/bagder/curl/issues/586 Reported-by: marc-groundctl@users.noreply.github.com
2016-01-04 | FAQ: clarify who to mail about ECCN clarifications | Daniel Stenberg
2016-01-04 | progressfunc.c: spellfix description | Daniel Stenberg
2016-01-04 | docs/examples/multi-app.c: fix bad desc formatting | Daniel Stenberg
2016-01-04 | examples: added descriptions | Daniel Stenberg
2016-01-04 | example/simple.c: add description | Daniel Stenberg
2016-01-04 | getredirect.c: a new example | Daniel Stenberg
2015-12-27 | RELEASE-NOTES: add 5e0e81a9c4e35f04ca | Marc Hoersken
2015-12-26 | RELEASE-NOTES: synced with 2aec4359db1088b10d | Daniel Stenberg
2015-12-26 | test 1515: add data check | Marc Hoersken
2015-12-26 | test 1515: add MSYS support by passing a relative path | Marc Hoersken
MSYS would otherwise turn a /-style path into a C:\-style path.
2015-12-26 | test 539: use datacheck mode text for ASCII-mode LISTings | Marc Hoersken
While still using datacheck mode binary for the inline reply data.
2015-12-26 | runtests.pl: check up to 5 data parts with different text modes | Marc Hoersken
Move the text-mode conversion for reply/replycheck from the verify section into the load section and add support for 4 more check parts.
2015-12-24 | CURLOPT_RANGE: for HTTP servers, range support is optional | Daniel Stenberg
2015-12-24 | tests 1048 and 1050: use datacheck mode text for ASCII-mode LISTings | Marc Hoersken
2015-12-24 | tests 706 and 707: use datacheck mode text for ASCII-mode LISTings | Marc Hoersken
2015-12-24 | tests 400,403,406: use datacheck mode text for ASCII-mode LISTings | Marc Hoersken
2015-12-23 | sockfilt.c: fix calculation of sleep timeout on Windows | Marc Hoersken
Not converting to double caused small timeouts to be skipped.
2015-12-23 | tests first.c: fix calculation of sleep timeout on Windows | Marc Hoersken
Not converting to double caused small timeouts to be skipped.
2015-12-23 | test 573: add more debug output | Marc Hoersken