| Age | Commit message (Collapse) | Author |
|---|
|
Inclusion of top two most included header files now done in setup_once.h
|
|
Although it is not explicitly stated in the documentation, NSS uses
*pRetCert and *pRetKey even if the client authentication hook returns
a failure. Namely, if we destroy *pRetCert without clearing *pRetCert
afterwards, NSS destroys the certificate once again, which causes a
double free.
Reported by: Bob Relyea
|
|
After a research team wrote a document[1] that found several live source
codes out there in the wild that misused the CURLOPT_SSL_VERIFYHOST
option thinking it was a boolean, this change now bans 1 as a value and
will make libcurl return error for it.
1 was never a sensible value to use in production but was introduced
back in the days to help debugging. It was always documented clearly
this way.
1 was never supported by all SSL backends in libcurl, so this cleanup
makes the treatment of it unified.
The report's list of mistakes for this option were all PHP code and
while there's a binding layer between libcurl and PHP, the PHP team has
decided that they have an as thin layer as possible on top of libcurl so
they will not alter or specifically filter a 'TRUE' value for this
particular option. I sympathize with that position.
[1] = http://daniel.haxx.se/blog/2012/10/25/libcurl-claimed-to-be-dangerous/
|
|
|
|
... to please checksrc.pl
|
|
... and make the list of cipher-suites in nss.c readable by humans.
Bug: http://curl.haxx.se/mail/archive-2012-08/0016.html
|
|
|
|
|
|
|
|
curl_ntlm_msgs.c would previously use an #ifdef maze and direct
SSL-library calls instead of using the SSL layer we have for this
purpose.
|
|
Bug: http://lists.baseurl.org/pipermail/yum-devel/2012-January/009002.html
|
|
|
|
|
|
|
|
|
|
NSS_InitContext() was introduced in NSS 3.12.5 and helps to prevent
collisions on NSS initialization/shutdown with other libraries.
Bug: https://bugzilla.redhat.com/738456
|
|
This bumps the minimal supported version of NSS to 3.12.x.
|
|
... and fix some typos from the 62d15f1 commit.
|
|
Bug: https://bugzilla.redhat.com/733685
|
|
|
|
Do not use artificial nicknames for certificates from files.
|
|
... instead of nicknames, which are not unique.
|
|
|
|
Bug: https://bugzilla.redhat.com/728562
|
|
|
|
By the use of a the new lib/checksrc.pl script that checks that our
basic source style rules are followed.
|
|
Massively reduce #ifdefs all over (23 #ifdef lines less so far)
Moved conversion-specific code to non-ascii.c
|
|
In case a client certificate is used, invalidate SSL session cache
at the end of a session. This forces NSS to ask for a new client
certificate when connecting second time to the same host.
Bug: https://bugzilla.redhat.com/689031
|
|
The bug was introduced in 806dbb0 (a wrong value was passed in as the
first argument to the default callback in our wrapper).
|
|
When NSS-powered libcurl connected to a SSL server with
CURLOPT_SSL_VERIFYPEER equal to zero, NSS remembered that the peer
certificate was accepted by libcurl and did not ask the second time when
connecting to the same server with CURLOPT_SSL_VERIFYPEER equal to one.
This patch turns off the SSL session cache for the particular SSL socket
if peer verification is disabled. In order to avoid any performance
impact, the peer verification is completely skipped in that case, which
makes it even faster than before.
Bug: https://bugzilla.redhat.com/678580
|
|
Flaw introduced in fc77790 and present in curl-7.21.4.
Bug: https://bugzilla.redhat.com/669702#c16
|
|
|
|
|
|
... in case more than one CA is loaded.
Bug: https://bugzilla.redhat.com/670802
|
|
... and update the curl.1 and curl_easy_setopt.3 man pages such that
they do not suggest to use an OpenSSL utility if curl is not built
against OpenSSL.
Bug: https://bugzilla.redhat.com/669702
|
|
As the function doesn't really use the connectdata struct but only the
SessionHanadle struct I modified what argument it wants.
|
|
Bug: https://bugzilla.redhat.com/623663
|
|
Since some systems don't have PATH_MAX and it isn't that clever to
assume a fixed maximum path length, the code now allocates buffer space
instead of using stack.
Reported by: Samuel Thibault
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608521
|
|
When configured with '--without-ssl --with-nss', NTLM authentication
now uses NSS crypto library for MD5 and DES. For MD4 we have a local
implementation in that case. More details are available at
https://bugzilla.redhat.com/603783
In order to get it working, curl_global_init() must be called with
CURL_GLOBAL_SSL or CURL_GLOBAL_ALL. That's necessary because NSS needs
to be initialized globally and we do so only when the NSS library is
actually required by protocol. The mentioned call of curl_global_init()
is responsible for creating of the initialization mutex.
There was also slightly changed the NSS initialization scenario, in
particular, loading of the NSS PEM module. It used to be loaded always
right after the NSS library was initialized. Now the library is
initialized as soon as any SSL or NTLM is required, while the PEM module
is prevented from being loaded until the SSL is actually required.
|
|
FTP(S) use two connections that can be set to different recv and
send functions independently, so by introducing recv+send pairs
in the same manner we already have sockets/connections we can
work with FTPS fine.
This commit fixes the FTPS regression introduced in change d64bd82.
|
|
|
|
|
|
Howard Chu brought the bulk work of this patch that properly
moves out the sending and recving of data to the parts of the
code that are properly responsible for the various ways of doing
so.
Daniel Stenberg assisted with polishing a few bits and fixed some
minor flaws in the original patch.
Another upside of this patch is that we now abuse CURLcodes less
with the "magic" -1 return codes and instead use CURLE_AGAIN more
consistently.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
