aboutsummaryrefslogtreecommitdiff
path: root/lib/polarssl.c
AgeCommit message (Collapse)Author
2012-11-08SSL: Several SSL-backend related fixesOscar Koeroo
axTLS: This will make the axTLS backend perform the RFC2818 checks, honoring the VERIFYHOST setting similar to the OpenSSL backend. Generic for OpenSSL and axTLS: Move the hostcheck and cert_hostcheck functions from the lib/ssluse.c files to make them genericly available for both the OpenSSL, axTLS and other SSL backends. They are now in the new lib/hostcheck.c file. CyaSSL: CyaSSL now also has the RFC2818 checks enabled by default. There is a limitation that the verifyhost can not be enabled exclusively on the Subject CN field comparison. This SSL backend will thus behave like the NSS and the GnuTLS (meaning: RFC2818 ok, or bust). In other words: setting verifyhost to 0 or 1 will disable the Subject Alt Names checks too. Schannel: Updated the schannel information messages: Split the IP address usage message from the verifyhost setting and changed the message about disabling SNI (Server Name Indication, used in HTTP virtual hosting) into a message stating that the Subject Alternative Names checks are being disabled when verifyhost is set to 0 or 1. As a side effect of switching off the RFC2818 related servername checks with SCH_CRED_NO_SERVERNAME_CHECK (http://msdn.microsoft.com/en-us/library/aa923430.aspx) the SNI feature is being disabled. This effect is not documented in MSDN, but Wireshark output clearly shows the effect (details on the libcurl maillist). PolarSSL: Fix the prototype change in PolarSSL of ssl_set_session() and the move of the peer_cert from the ssl_context to the ssl_session. Found this change in the PolarSSL SVN between r1316 and r1317 where the POLARSSL_VERSION_NUMBER was at 0x01010100. But to accommodate the Ubuntu PolarSSL version 1.1.4 the check is to discriminate between lower then PolarSSL version 1.2.0 and 1.2.0 and higher. Note: The PolarSSL SVN trunk jumped from version 1.1.1 to 1.2.0. Generic: All the SSL backends are fixed and checked to work with the ssl.verifyhost as a boolean, which is an internal API change.
2012-06-14Fix bad failf() and info() usageYang Tse
Calls to failf() are not supposed to provide trailing newline. Calls to infof() must provide trailing newline. Fixed 30 or so strings.
2012-04-06PolarSSL: correct return code for CRL matchesDaniel Stenberg
When a server certificate matches one in the given CRL file, the code now returns CURLE_SSL_CACERT as test case 313 expects and verifies.
2012-04-06PolarSSL: include version number in version stringDaniel Stenberg
Previously it would say PolarSSL only, now it says PolarSSL/1.1.0 in the same style other libs and components do.
2012-04-05PolarSSL: add support for asynchronous connectDag Ekengren
2012-01-18polarssl: show cipher suite name correctly with 1.1.0Daniel Stenberg
Apparently ssl_get_ciphersuite() is needed to get the name of the used cipher suite.
2012-01-18polarssl: show error code correctlyDaniel Stenberg
The value was turned negative when it shouldn't have been
2012-01-18polarssl: havege_rand is not present in version 1.1.0Daniel Stenberg
... it is now named havege_random! Reported by: Robert Schumann Bug: http://curl.haxx.se/mail/lib-2012-01/0178.html
2011-09-13codestyle: minor whitespace fixDaniel Stenberg
2011-09-13polarssl: build with PolarSSL-1.0.0Jeff Pohlmeyer
With this fix, it should work for PolarSSL-1.0.0 (and SVN-1091 trunk) and retain compatibility with earlier versions. (Tested with 0.14.1) PolarSSL still doesn't play nicely with curl's CA bundle (we discussed this before) but I was at least able to retrieve the https://www.gmail.com/ login page using a modified ca-certificates.crt file with all 3 versions of PolarSSL.
2011-07-26stdio.h, stdlib.h, string.h, stdarg.h and ctype.h inclusion done in setup_once.hYang Tse
2011-06-04Curl_socket_ready: make timeout a 'long'Daniel Stenberg
It was mostly typecasted to int all over the code so switching to long instead all over should be a net gain.
2011-04-27source cleanup: unify look, style and indent levelsDaniel Stenberg
By the use of a the new lib/checksrc.pl script that checks that our basic source style rules are followed.
2011-02-18PolarSSL: Return 0 on receiving TLS CLOSE_NOTIFY alertHoi-Ho Chan
Signed-off-by: Hoi-Ho Chan <hoiho.chan@gmail.com>
2011-01-04Curl_timeleft: s/conn/data in first argumentDaniel Stenberg
As the function doesn't really use the connectdata struct but only the SessionHanadle struct I modified what argument it wants.
2010-11-08fix compiler warningYang Tse
2010-05-13Remove support for BSD version of PolarSSLHoi-Ho Chan
"The BSD version of PolarSSL was made for migratory purposes only and is not maintained. The GPL version of PolarSSL is actually the only actively developed version, so I would be very reluctant to use the BSD version." / Paul Bakker, PolarSSL hacker. Signed-off-by: Hoi-Ho Chan <hoiho.chan@gmail.com>
2010-05-11sendrecv: make them two pairs of send/recv to properly deal with FTPSHoward Chu
FTP(S) use two connections that can be set to different recv and send functions independently, so by introducing recv+send pairs in the same manner we already have sockets/connections we can work with FTPS fine. This commit fixes the FTPS regression introduced in change d64bd82.
2010-05-07sendrecv: split the I/O handling into private handlerHoward Chu
Howard Chu brought the bulk work of this patch that properly moves out the sending and recving of data to the parts of the code that are properly responsible for the various ways of doing so. Daniel Stenberg assisted with polishing a few bits and fixed some minor flaws in the original patch. Another upside of this patch is that we now abuse CURLcodes less with the "magic" -1 return codes and instead use CURLE_AGAIN more consistently.
2010-05-05PolarSSL: initial support addedHoi-Ho Chan
This is Hoi-Ho Chan's patch with some minor fixes by me. There are some potential issues in this, but none worse than we can sort out on the list and over time.