Age | Commit message | Author
2012-02-09 | nss: add support for the CURLSSLOPT_ALLOW_BEAST option | Kamil Dudka
... and fix some typos from the 62d15f1 commit.
2012-02-09 | configure: don't modify LD_LIBRARY_PATH for cross compiles | Rob Ward
2012-02-09 | --ssl-allow-beast added | Daniel Stenberg
This new option tells curl to not work around a security flaw in the SSL3 and TLS1.0 protocols. It uses the new libcurl option CURLOPT_SSL_OPTIONS with the CURLSSLOPT_ALLOW_BEAST bit set.
2012-02-09 | CURLOPT_SSL_OPTIONS: added | Daniel Stenberg
Allow an application to set libcurl specific SSL options. The first and only option supported right now is CURLSSLOPT_ALLOW_BEAST. It will make libcurl disable any work-arounds the underlying SSL library may have to address a known security flaw in the SSL3 and TLS1.0 protocol versions. This is a reaction to us unconditionally removing that behavior after this security advisory:
http://curl.haxx.se/docs/adv_20120124B.html
... it did however cause a lot of programs to fail because of old servers not liking this work-around. Now programs can opt to decrease the security in order to interoperate with old servers better.
2012-02-09 | curl: use new library-side TCP_KEEPALIVE options | Dave Reisner
Use the new library CURLOPT_TCP_KEEPALIVE rather than disabling this via the sockopt callback. If --keepalive-time is used, apply the value to CURLOPT_TCP_KEEPIDLE and CURLOPT_TCP_KEEPINTVL.
2012-02-09 | add library support for tuning TCP_KEEPALIVE | Dave Reisner
This adds three new options to control the behavior of TCP keepalives:
- CURLOPT_TCP_KEEPALIVE: enable/disable probes
- CURLOPT_TCP_KEEPIDLE: idle time before sending first probe
- CURLOPT_TCP_KEEPINTVL: delay between successive probes
While not all operating systems support the TCP_KEEPIDLE and TCP_KEEPINTVL knobs, the library will still allow these options to be set by clients, silently ignoring the values.
2012-02-07 | curl_easy_reset: reset the referer string | Daniel Stenberg
When CURLOPT_REFERER has been used, curl_easy_reset() did not properly clear it. Verified with the new test 598
Bug: http://curl.haxx.se/bug/view.cgi?id=3481551
Reported by: Michael Day
2012-02-07 | curl tool: allow glob-loops to abort again upon critical errors | Yang Tse
This prevents clobbering of non recoverable error return codes while retaining intended functionality of commit 65103efe
2012-02-06 | curl tool: don't abort glob-loop due to failures | Daniel Stenberg
We want to continue to the next URL to try even on failures returned from libcurl. This makes -f with ranges still get subsequent URLs even if occasional ones return error. This was a regression as it used to work and broke in the 7.23.0 release. Added test case 1328 to verify the fix.
Bug: http://curl.haxx.se/bug/view.cgi?id=3481223
Reported by: Juan Barreto
2012-01-31 | CONNECT: send correct Host: with IPv6 numerical address | Daniel Stenberg
When the target host was given as an IPv6 numerical address, it was not properly put within square brackets for the Host: header in the CONNECT request. The "normal" request did fine.
Reported by: "zooloo"
Bug: http://curl.haxx.se/bug/view.cgi?id=3482093
2012-01-28 | Explicitly link to the nettle/gcrypt libraries | Martin Storsjo
When support for nettle was added in 64f328c787ab, I overlooked the fact that AC_CHECK_LIB doesn't add the tested lib to LIBS if the check succeeded, if a custom success code block was present. (The previous version of the check had an empty block for successful checks, adding the lib to LIBS implicitly.) Therefore, explicitly add either nettle or gcrypt to LIBS, after deciding which one to use. Even if they can be linked in transitively, it is safer to actually link explicitly to them. This fixes building with gnutls with linkers that don't allow linking transitively, such as for windows.
2012-01-28 | more resilient connection times among IP addresses | Pierre Ynard
When connecting to a domain with multiple IP addresses, allow different, decreasing connection timeout values. This should guarantee some connection attempts with sufficiently long timeouts, while still providing fallback.
2012-01-28 | remove write-only variable | Pierre Ynard
2012-01-26 | Merge branch 'master' of github.com:bagder/curl | Pierre Joye
2012-01-26 | - fix IPV6 and IDN options | Pierre Joye
2012-01-25 | TODO-RELEASE: added item #308 | Yang Tse
2012-01-25 | THANKS: imported contributors from 7.24.0 RELEASE-NOTES | Daniel Stenberg
2012-01-25 | test harness: update stunnel.pem Diffie-Hellman parameters from 512 to 1024 bit | Yang Tse
2012-01-25 | version: start working on 7.24.1-DEV | Yang Tse
2012-01-24 | curl_easy_setopt.3: Fixed SEEKDATA & CLOSESOCKETDATA descriptions | Dan Fandrich
2012-01-24 | RELEASE-NOTES: synced with 70f71bb99f7ed9 | Daniel Stenberg
Synced and prepared for 7.24.0 release. Two security problems, one bug fix, two more contributors.
2012-01-24 | gnutls: enforced use of SSLv3 | Daniel Stenberg
With advice from Nikos Mavrogiannopoulos, changed the priority string to add "actual priorities" and favour ARCFOUR. This makes libcurl work better when enforcing SSLv3 with GnuTLS. Both in the sense that the libmicrohttpd test is now working again but also that it mitigates a weakness in the older SSL/TLS protocols.
Bug: http://curl.haxx.se/mail/lib-2012-01/0225.html
Reported by: Christian Grothoff
2012-01-24 | tests: test CRLF in URLs | Daniel Stenberg
Related to the security vulnerability: CVE-2012-0036
Bug: http://curl.haxx.se/docs/adv_20120124.html
2012-01-24 | URL sanitize: reject URLs containing bad data | Daniel Stenberg
Protocols (IMAP, POP3 and SMTP) that use the path part of a URL in a decoded manner now use the new Curl_urldecode() function to reject URLs with embedded control codes (anything that is or decodes to a byte value less than 32). URLs containing such codes could easily otherwise be used to do harm and allow users to do unintended actions with otherwise innocent tools and applications. Like for example using a URL like pop3://pop3.example.com/1%0d%0aDELE%201 when the app wants a URL to get a mail and instead this would delete one.
This flaw is considered a security vulnerability: CVE-2012-0036
Security advisory at: http://curl.haxx.se/docs/adv_20120124.html
Reported by: Dan Fandrich
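The rule stated in the "URL sanitize" entry above (reject anything that is, or decodes to, a byte value below 32), as an added C example that is not curl's own code. `decode_reject_ctrl` and `path_is_safe` are hypothetical names, not the project's Curl_urldecode(), and the only input taken from the page is the path of the URL quoted in the commit message.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: percent-decode `in` into a malloc'ed string.
   Returns NULL on allocation failure or when any byte, literal or
   decoded, is below 32 (the rule stated in the commit message). */
char *decode_reject_ctrl(const char *in)
{
  size_t o = 0;
  char *out = malloc(strlen(in) + 1);
  if(!out)
    return NULL;
  for(; *in; in++) {
    unsigned char c = (unsigned char)*in;
    /* isxdigit() is false for the terminating NUL, so a truncated
       escape such as "%4" is never read past the end of the string
       and is kept as literal text */
    if(c == '%' && isxdigit((unsigned char)in[1]) &&
       isxdigit((unsigned char)in[2])) {
      char hex[3] = { in[1], in[2], '\0' };
      c = (unsigned char)strtoul(hex, NULL, 16);
      in += 2;
    }
    if(c < 32) {          /* CR, LF, TAB, decoded NUL: refuse the URL */
      free(out);
      return NULL;
    }
    out[o++] = (char)c;
  }
  out[o] = '\0';
  return out;
}

/* 1 if the path decodes cleanly, 0 if it must be rejected. */
int path_is_safe(const char *path)
{
  char *d = decode_reject_ctrl(path);
  int ok = (d != NULL);
  free(d);
  return ok;
}

int main(void)
{
  /* The second path is the one quoted in the commit message. */
  printf("%d %d\n", path_is_safe("1"), path_is_safe("1%0d%0aDELE%201"));
  return 0;
}
```

The check runs on the decoded bytes, so the encoded and literal forms of CR and LF are rejected alike, before the path is ever placed on a POP3, IMAP or SMTP command line.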
2012-01-24 | OpenSSL: don't disable security work-around | Daniel Stenberg
OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to SSL_OP_ALL that _disables_ that work-around despite the fact that SSL_OP_ALL is documented to do "rather harmless" workarounds. The libcurl code uses the SSL_OP_ALL define and thus logically always disables the OpenSSL fix. In order to keep the secure work-around working, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit must not be set and this change makes sure of this.
Reported by: product-security at Apple
2012-01-22 | RELEASE-NOTES: synced with 6e2fd2c9ea | Daniel Stenberg
3 more bugfixes, 3 more contributors
2012-01-22 | CURLOPT_ACCEPTTIMEOUT_MS: spellfix | Daniel Stenberg
2012-01-20 | examples: updated README with two new example programs | Dan Fandrich
2012-01-20 | URL parse: user name with ipv6 numerical address | Daniel Stenberg
Using a URL with embedded user name and password didn't work if the host was given as a numerical IPv6 string, like ftp://user:password@[::1]/
Reported by: Brandon Wang
Bug: http://curl.haxx.se/mail/archive-2012-01/0047.html
2012-01-20 | telnet.c: fix OOM triggered segfault | Yang Tse
2012-01-19 | testtrace.c: fix compiler warning | Yang Tse
2012-01-19 | OpenSSL: follow-up for commit a20daf90e3 | Yang Tse
avoid checking preprocessor definition official value
2012-01-19 | - s, use, enable, for options name, avoiding conflicts with the names used in the makefile | Pierre Joye
2012-01-19 | curl.1: improve --stderr wording | Daniel Stenberg
As is pointed out in this bug report, there can indeed be situations where --stderr has a point even when the "real" stderr can be redirected. Remove the superfluous and wrong comment.
bug: http://curl.haxx.se/bug/view.cgi?id=3476020
2012-01-18 | KNOWN_BUGS: can't receive zero bytes file properly | Daniel Stenberg
http://curl.haxx.se/bug/view.cgi?id=3438362
2012-01-18 | ssl session caching: fix compiler warnings | Yang Tse
2012-01-18 | polarssl: show cipher suite name correctly with 1.1.0 | Daniel Stenberg
Apparently ssl_get_ciphersuite() is needed to get the name of the used cipher suite.
2012-01-18 | polarssl: show error code correctly | Daniel Stenberg
The value was turned negative when it shouldn't have been
2012-01-18 | polarssl: havege_rand is not present in version 1.1.0 | Daniel Stenberg
... it is now named havege_random!
Reported by: Robert Schumann
Bug: http://curl.haxx.se/mail/lib-2012-01/0178.html
2012-01-18 | RELEASE-NOTES: synced with 5d70a61b94604 | Daniel Stenberg
5 more bug fixes, 1 more contributor
2012-01-18 | Add two tests for telnet: URLs | Colin Hogben
Add simple telnet tests which (ab)use the http server. The second test checks for an input file handling bug.
2012-01-18 | Remove bogus optimisation of telnet upload. | Colin Hogben
Remove wrongly implemented optimisation of telnet upload, apparently intended to allow the library to avoid manually polling for input.
2012-01-18 | Use correct file descriptor for telnet upload. | Colin Hogben
Fix a bug where input was read from stdin even when a different FILE * had been configured via CURLOPT_READDATA
2012-01-18 | OpenLDAP: fix LDAP connection phase memory leak | Yang Tse
bug: http://curl.haxx.se/bug/view.cgi?id=3474308
2012-01-18 | OpenSSL: fix PKCS#12 certificate parsing related memory leak | Johannes Bauer
Leak triggered when CURLOPT_SSLCERTTYPE and CURLOPT_SSLKEYTYPE set to P12 and both CURLOPT_SSLCERT and CURLOPT_SSLKEY point to the same PKCS#12 file.
2012-01-18 | OpenSSL: SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option is no longer enabled | Yang Tse
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option enabling allowed successful interoperability with web server Netscape Enterprise Server 2.0.1 released back in 1996 more than 15 years ago. Due to CVE-2010-4180, option SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG has become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate CVE-2010-4180 when using previous OpenSSL versions we no longer enable this option regardless of OpenSSL version and SSL_OP_ALL definition.
2012-01-17 | tests: enable time tracing on tests 500, 573 and 585 | Yang Tse
2012-01-17 | tests: testtrace.[ch] provides debug callback for libtest usage | Yang Tse
Allows tests from the libtest subdir to generate log traces similar to those of curl with --tracetime and --trace-ascii options but with output going to stderr.
2012-01-17 | sws.c: fix proxy mode secondary connection monitoring condition | Yang Tse
2012-01-16 | add LF termination to infof() trace string | Yang Tse