- Implement new option CURLSSLOPT_REVOKE_BEST_EFFORT and
--ssl-revoke-best-effort to allow a "best effort" revocation check.
A best effort revocation check ignores errors that the revocation check
was unable to take place. The reasoning is described in detail below and
discussed further in the PR.
---
When running e.g. with Fiddler, the schannel backend fails with an
unhelpful error message:
Unknown error (0x80092012) - The revocation function was unable
to check revocation for the certificate.
Sadly, many enterprise users who are stuck behind MITM proxies suffer
the very same problem.
This has been discussed in plenty of issues:
https://github.com/curl/curl/issues/3727,
https://github.com/curl/curl/issues/264, for example.
In the latter, a Microsoft Edge developer even made the case that the
common behavior is to ignore issues when a certificate has no recorded
distribution point for revocation lists, or when the server is offline.
This is also known as "best effort" strategy and addresses the Fiddler
issue.
Unfortunately, this strategy was not chosen as the default for schannel
(and is therefore a backend-specific behavior: OpenSSL seems to happily
ignore the offline servers and missing distribution points).
To maintain backward-compatibility, we therefore add a new flag
(`CURLSSLOPT_REVOKE_BEST_EFFORT`) and a new option
(`--ssl-revoke-best-effort`) to select the new behavior.
Due to the many related issues in Git for Windows and GitHub Desktop, the
plan is to make this behavior the default in these software packages.
The test 2070 was added to verify this behavior, adapted from 310.
Based-on-work-by: georgeok <giorgos.n.oikonomou@gmail.com>
Co-authored-by: Markus Olsson <j.markus.olsson@gmail.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Closes https://github.com/curl/curl/pull/4981
|
|
This commit adds support to generate JSON via the writeout feature:
-w "%{json}"
It leverages the existing infrastructure as much as possible. Thus,
generating the JSON on STDERR is possible by:
-w "%{stderr}%{json}"
This implements a variant of
https://github.com/curl/curl/wiki/JSON#--write-out-json.
Closes #4870
|
|
- --url man page section
- libcurl-security.3 gets the full text
- CURLOPT_URL.3
Reported-by: Tim Sedlmeyer
|
|
Reported-by: Dan Jacobson
Fixes #4766
Closes #4916
|
|
Closes #4869
Reviewed-by: Emil Engler and Daniel Gustafsson
|
|
Reported-by: Mischa Salle
Bug: https://curl.haxx.se/mail/lib-2020-01/0070.html
Closes #4862
|
|
Not from generic non-GET to GET.
Reported-by: Andrius Merkys
Ref: #4859
Closes #4861
|
|
Closes #4843
|
|
Introduces CURLOPT_MAIL_RCPT_ALLLOWFAILS.
Verified with the new tests 3002-3007
Closes #4816
|
|
It is superfluous and could even be misleading.
Bug: https://curl.haxx.se/mail/archive-2020-01/0016.html
Reported-by: Mike Norton
Closes #4832
|
|
Reported-by: sayrer on github
Closes #4262
[skip ci]
|
|
|
|
--etag-compare and --etag-save
Suggested-by: Paul Hoffman
Fixes #4277
Closes #4543
|
|
Starting with this change when doing parallel transfers, without this
option set, curl will prefer to create new transfers multiplexed on an
existing connection rather than creating a brand new one.
--parallel-immediate can be set to tell curl to prefer to use new
connections rather than to wait and try to multiplex.
libcurl-wise, this means that curl will set CURLOPT_PIPEWAIT by default
on parallel transfers.
Suggested-by: Tom van der Woerdt
Closes #4500
|
|
Change 'experiemental' to 'experimental'.
Closes #4618
Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
|
|
|
|
Follow-up to 93373a960c3bb4
Reported-by: infinnovation-dev on github
Fixes #4474
Closes #4475
|
|
New option that allows a user to ONLY switch off curl's progress meter
and leave everything else in "talkative" mode.
Reported-by: Piotr Komborski
Fixes #4422
Closes #4470
|
|
Fall-back to _curlrc if the dot-version is missing.
Co-Authored-By: Steve Holme
Closes #4230
|
|
Even though it cannot fall-back to a lower HTTP version automatically. The
safer way to upgrade remains via CURLOPT_ALTSVC.
CURLOPT_H3 no longer has any bits that do anything and might be removed
before we remove the experimental label.
Updated the curl tool accordingly to use "--http3".
Closes #4197
|
|
If a Retry-After: header was used in the response, that value overrides
other retry timing options.
Fixes #3794
Closes #4195
|
|
Ref: https://github.com/curl/curl/issues/3653
Ref: https://github.com/curl/curl/pull/3790
NOTE: This commit was cherry-picked and is part of a series of commits
that added the authzid feature for upcoming 7.66.0. The series was
temporarily reverted in db8ec1f so that it would not ship in a 7.65.x
patch release.
Closes https://github.com/curl/curl/pull/4186
|
|
As the plan has been laid out in DEPRECATED. Update docs accordingly and
verify in test 1174. Now requires the option to be set to allow HTTP/0.9
responses.
Closes #4191
|
|
Use configure --with-ngtcp2 or --with-quiche
Using either option will enable a HTTP3 build.
Co-authored-by: Alessandro Ghedini <alessandro@ghedini.me>
Closes #3500
|
|
This is done by making sure each individual transfer is first added to a
linked list as then they can be performed serially, or at will, in
parallel.
Closes #3804
|
|
Since 7.54 --tlsv1. options use the specified version or later, however
older versions of curl documented it as using just the specified version
which may or may not have happened depending on the TLS library.
Document this discrepancy to allay confusion for users familiar with the
old documentation that expect just the specified version.
Fixes https://github.com/curl/curl/issues/4097
Closes https://github.com/curl/curl/pull/4119
|
|
- Allow FTPS on redirect.
- Update default allowed redirect protocols in documentation.
Follow-up to 6080ea0.
Ref: https://github.com/curl/curl/pull/4094
Closes https://github.com/curl/curl/pull/4115
|
|
- Escape apostrophes at line start.
Some lines begin with a "'" (apostrophe, single quote), which is then
interpreted as a control character in *roff.
Such lines are interpreted as being a call to a macro, and if
undefined, the lines are removed from the output.
Bug: https://bugs.debian.org/926352
Signed-off-by: Bjarni Ingi Gislason <bjarniig@rhi.hi.is>
Submitted-by: Alessandro Ghedini
Closes https://github.com/curl/curl/pull/4111
|
|
|
|
Reported-by: Ben Voris
Fixes #4017
Closes #4019
|
|
Remove support for, references to and use of "cyaSSL" from the source
and docs. wolfSSL is the current name and there's no point in keeping
references to ancient history.
Assisted-by: Daniel Gustafsson
Closes #3903
|
|
Reported-by: Jay Satiro
Co-authored-by: Jay Satiro
Fixes #3938
Closes #3946
|
|
Reported-by: wesinator at github
Fixes #3964
Closes #3974
|
|
- Revert all commits related to the SASL authzid feature since the next
release will be a patch release, 7.65.1.
Prior to this change CURLOPT_SASL_AUTHZID / --sasl-authzid was destined
for the next release, assuming it would be a feature release 7.66.0.
However instead the next release will be a patch release, 7.65.1 and
will not contain any new features.
After the patch release, the reverted commits can be restored by
using cherry-pick:
git cherry-pick a14d72c a9499ff 8c1cc36 c2a8d52 0edf690
Details for all reverted commits:
Revert "os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid()."
This reverts commit 0edf6907ae37e2020722e6f61229d8ec64095b0a.
Revert "tests: Fix the line endings for the SASL alt-auth tests"
This reverts commit c2a8d52a1356a722ff9f4aeb983cd4eaf80ef221.
Revert "examples: Added SASL PLAIN authorisation identity (authzid) examples"
This reverts commit 8c1cc369d0c7163c6dcc91fd38edfea1f509ae75.
Revert "curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool"
This reverts commit a9499ff136d89987af885e2d7dff0a066a3e5817.
Revert "sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID"
This reverts commit a14d72ca2fec5d4eb5a043936e4f7ce08015c177.
|
|
|
|
Also removed mentions from most docs.
Discussed: https://curl.haxx.se/mail/lib-2019-05/0045.html
Closes #3888
|
|
Fixes #3738
Closes #3749
|
|
Closes #3724
Reviewed-by: Jakub Zakrzewski
Reviewed-by: Daniel Gustafsson
|
|
Suggested-by: Eric Curtin
Improved-by: Dan Fandrich
Ref: #3680
Closes #3683
|
|
From a discussion in #3676
Suggested-by: Tim Rühsen
Closes #3682
|
|
Clarify the language and simplify.
Reported-by: Daniel Lublin
Closes #3658
|
|
|
|
clarify redir - "in absurdum" doesn't seem to make sense in this context
Closes #3631
|
|
Stick to "Schannel" everywhere. The configure option --with-winssl is
kept to allow existing builds to work but --with-schannel is added as an
alias.
Closes #3504
|
|
Reviewed-by: Daniel Gustafsson
Closes #3432
|
|
This adds support for wildcard hosts in CURLOPT_RESOLVE. These are
try-last so any non-wildcard entry is resolved first. If specified,
any host not matched by another CURLOPT_RESOLVE config will use this
as fallback.
Example: send a.com to 10.0.0.1 and everything else to 10.0.0.2:
curl --resolve *:443:10.0.0.2 --resolve a.com:443:10.0.0.1 \
https://a.com https://b.com
This is probably quite similar to using:
--connect-to a.com:443:10.0.0.1:443 --connect-to :443:10.0.0.2:443
Closes #3406
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
|
|
Added CURLOPT_HTTP09_ALLOWED and --http0.9 for this purpose.
For now, both the tool and library allow HTTP/0.9 by default.
docs/DEPRECATE.md lays out the plan for when to reverse that default: 6
months after the 7.64.0 release. The options are added already now so
that applications/scripts can start using them already now.
Fixes #2873
Closes #3383
|
|
Reported-by: Tobias Lindgren
Pointed out in #3367
Closes #3368
|
|
The variable definition had a small typo making it declare another
variable than the intended.
Closes #3304
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
|
|
Closes #3115
|