Age | Commit message | Author |
|
Users using the Secure Transport (darwinssl) back-end can now use a
certificate and private key to authenticate with a site using TLS. Because
Apple's security system is based around the keychain and does not have any
non-public function to create a SecIdentityRef data structure from data
loaded outside of the Keychain, the certificate and private key have to be
loaded into the Keychain first (using the certtool command line tool or
the Security framework's C API) before we can find it and use it.
|
Since we're adding new stuff, the next release will bump the minor
version and we're looking forward to 7.31.0
|
... in order to prevent an artificial timeout event based on stale
speed-check data from a previous network transfer. This commit fixes
a regression caused by 9dd85bced56f6951107f69e581c872c1e7e3e58e.
Bug: https://bugzilla.redhat.com/906031
|
Most notably the security advisory:
http://curl.haxx.se/docs/adv_20130412.html
|
added "tcpkeepalive on Mac OS X"
|
I noticed that aria2's SecureTransport code disables insecure ciphers such
as NULL, anonymous, IDEA, and weak-key ciphers used by SSLv3 and later.
That's a good idea, and now we do the same thing in order to prevent curl
from accessing a "secure" site that only negotiates insecure ciphersuites.
|
3 more bug fixes, 6 more contributors
|
More changes, bugfixes and contributors!
|
I found out that ECC doesn't work as of OS X 10.8.3, so those ciphers are
turned off until the next point release of OS X.
|
The flag can be used in pycurl-based applications where using the multi
interface would not be acceptable because of the performance loss caused
by implementing the select() loop in Python.
Bug: http://curl.haxx.se/bug/view.cgi?id=1168
Downstream Bug: https://bugzilla.redhat.com/919127
|
8 more bugfixes, one change and a bunch of contributors
|
With all the recent imap changes it wasn't clear what new features and
fixes should be included in the release notes.
|
The option needs to be set on the SSL socket. Setting it on the model
has no effect. Note that the non-blocking mode is still not enabled
for the handshake because the code is not yet ready for that.
|
8 more bug fixes mentioned
|
Added recent additions and fixes following the changes to imap, pop3
and smtp. Additionally added another contributor that helped to test
the imap sasl changes.
|
Even though he's a fine dude, once is enough for this time!
|
Added missing imap fix as per commit 709b3506cd9b.
|
Do not use the error messages from NSS for errors not occurring in NSS.
|
This commit fixes a regression introduced in 052a08ff.
NSS caches certs/keys returned by the SSL_GetClientAuthDataHook callback
and if we connect a second time to the same server, the cached cert/key
pair is used. If we use multiple client certificates for different
paths on the same server, we need to clear the session cache to force
NSS to call the hook again. The commit 052a08ff prevented the session
cache from being cleared if a client certificate from file was used.
The condition is now fixed to cover both cases: connssl->client_nickname
is not NULL if a client certificate from the NSS database is used and
connssl->obj_clicert is not NULL if a client certificate from file is
used.
Review by: Kai Engert
|
Although it is not explicitly stated in the documentation, NSS uses
*pRetCert and *pRetKey even if the client authentication hook returns
a failure. Namely, if we destroy *pRetCert without clearing *pRetCert
afterwards, NSS destroys the certificate once again, which causes a
double free.
Reported by: Bob Relyea
|
Bug: http://curl.haxx.se/mail/lib-2012-11/0095.html
|
4 more bug fixes and 4 more contributors
|