aboutsummaryrefslogtreecommitdiff
path: root/lib/ssluse.c
AgeCommit message (Collapse)Author
2009-09-16- Sven Anders reported that we introduced a cert verfication flaw for OpenSSL-Daniel Stenberg
powered libcurl in 7.19.6. If there was a X509v3 Subject Alternative Name field in the certficate it had to match and so even if non-DNS and non-IP entry was present it caused the verification to fail.
2009-08-29add cast to silent compiler warning with 64bit systems.Gunter Knauf
2009-08-29fix shadow definition of outp.Gunter Knauf
2009-08-11- Peter Sylvester made the HTTPS test server use specific certificates forDaniel Stenberg
each test, so that the test suite can now be used to actually test the verification of cert names etc. This made an error show up in the OpenSSL- specific code where it would attempt to match the CN field even if a subjectAltName exists that doesn't match. This is now fixed and verified in test 311.
2009-08-03avoid possible NULL dereference caused by my previous fixDaniel Stenberg
2009-08-03Reverted the zero-byte-in-name check to instead rely on the fact that strlenDaniel Stenberg
and the name length differ in those cases and thus leave the matching function unmodified from before, as the matching functions never have to bother with the zero bytes in legitimate cases. Peter Sylvester helped me realize that this fix is slightly better as it leaves more code unmodified and makes the detection a bit more obvious in the code.
2009-08-02Extended my embedded-zero-in-cert-name fix based on a comment from ScottDaniel Stenberg
Cantor. My previous attempt was half-baked and didn't cover the normal CN case.
2009-08-01- Curt Bogmine reported a problem with SNI enabled on a particular server. WeDaniel Stenberg
should introduce an option to disable SNI, but as we're in feature freeze now I've addressed the obvious bug here (pointed out by Peter Sylvester): we shouldn't try to enable SNI when SSLv2 or SSLv3 is explicitly selected. Code for OpenSSL and GnuTLS was fixed. NSS doesn't seem to have a particular option for SNI, or are we simply not using it?
2009-08-01- Scott Cantor posted the bug report #2829955Daniel Stenberg
(http://curl.haxx.se/bug/view.cgi?id=2829955) mentioning the recent SSL cert verification flaw found and exploited by Moxie Marlinspike. The presentation he did at Black Hat is available here: https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike Apparently at least one CA allowed a subjectAltName or CN that contain a zero byte, and thus clients that assumed they would never have zero bytes were exploited to OK a certificate that didn't actually match the site. Like if the name in the cert was "example.com\0theatualsite.com", libcurl would happily verify that cert for example.com. libcurl now better use the length of the extracted name, not assuming it is zero terminated.
2009-08-01- Tanguy Fautre pointed out that OpenSSL's function RAND_screen() (presentDaniel Stenberg
only in some OpenSSL installs - like on Windows) isn't thread-safe and we agreed that moving it to the global_init() function is a decent way to deal with this situation.
2009-07-27From: Johan van SelstDaniel Stenberg
"you replaced the old SSLeay_add_ssl_algorithms() call with OpenSSL_add_all_algorithms(), however unlike the name suggests, the second function is not a superset of the first. When using SSL both these functions will need to be called in order to offer complete functionality"
2009-07-26- Bug report #2825989 (http://curl.haxx.se/bug/view.cgi?id=2825989) pointedDaniel Stenberg
out that OpenSSL-powered libcurl didn't support the SHA-2 digest algorithm, and provided the solution too: to use OpenSSL_add_all_algorithms() instead of the older SSLeay_* alternative. OpenSSL_add_all_algorithms was added in OpenSSL 0.9.5
2009-06-29- Modified the separators used for CURLOPT_CERTINFO in multi-part outputs. IDaniel Stenberg
don't know how they got wrong in the first place, but using this output format makes it possible to quite easily separate the string into an array of multiple items.
2009-06-10- Fabian Keil ran clang on the (lib)curl code, found a bunch of warnings andDaniel Stenberg
contributed a range of patches to fix them.
2009-05-27- Andre Guibert de Bruet found a call to a OpenSSL function that didn't checkDaniel Stenberg
for a failure properly.
2009-05-27- Frank McGeough provided a small OpenSSL #include fix to make libcurl compileDaniel Stenberg
fine with Nokia 5th edition 1.0 SDK for Symbian.
2009-05-04- Michael Smith posted bug report #2786255Daniel Stenberg
(http://curl.haxx.se/bug/view.cgi?id=2786255) with a patch, identifying how libcurl did not deal with SSL session ids properly if the server rejected a re-use of one. Starting now, it will forget the rejected one and remember the new. This change was for OpenSSL only, it is likely that other SSL lib code needs similar fixes.
2009-04-21libcurl's memory.h renamed to curl_memory.hYang Tse
2009-04-14use HAVE_LIMITS_H symbol to protect limits.h inclusionYang Tse
2009-04-14include <limits.h> for INT_MAX definitionYang Tse
2009-04-14fix compiler warning: implicit conversion shortens 64-bit value into a ↵Yang Tse
32-bit value
2009-04-13fix compiler warning: implicit conversion shortens 64-bit value into a ↵Yang Tse
32-bit value
2009-04-03fix compiler warning: passing arg 1 of `sk_num' from incompatible pointer typeYang Tse
2009-03-08- Andre Guibert de Bruet found and fixed a code segment in ssluse.c where theDaniel Stenberg
allocation of the memory BIO was not being properly checked.
2009-01-26- The "-no_ticket" option was introduced in Openssl0.9.8j. It's a flag toDaniel Stenberg
disable "rfc4507bis session ticket support". rfc4507bis was later turned into the proper RFC5077 it seems: http://tools.ietf.org/html/rfc5077 The enabled extension concerns the session management. I wonder how often libcurl stops a connection and then resumes a TLS session. also, sending the session data is some overhead. .I suggest that you just use your proposed patch (which explicitly disables TICKET). If someone writes an application with libcurl and openssl who wants to enable the feature, one can do this in the SSL callback. Sharad Gupta brought this to my attention. Peter Sylvester helped me decide on the proper action.
2009-01-21Fixed a couple more locale-dependent toupper conversions, mainly forDan Fandrich
clarity. This does fix one problem that causes ;type=i FTP URLs to fail in the Turkish locale when CURLOPT_PROXY_TRANSFER_MODE is used (test case 561) Added tests 561 and 1092 through 1094 to test various combinations of ;type= and ;mode= URLs that could potentially fail in the Turkish locale.
2008-12-28- Peter Korsgaard fixed building libcurl with "configure --with-sslDaniel Stenberg
--disable-verbose".
2008-10-23moved the Curl_raw_ functions into the new lib/rawstr.c file for easier curlx_Daniel Stenberg
inclusion by the curl tool without colliding with the curl_strequal functions.
2008-10-16Renamed Curl_ascii_equal to Curl_raw_equal and bugfixed the my_toupper functionDaniel Stenberg
used in strequal.c so now all test cases run fine for me again.
2008-10-15- Pascal Terjan filed bug #2154627Daniel Stenberg
(http://curl.haxx.se/bug/view.cgi?id=2154627) which pointed out that libcurl uses strcasecmp() in multiple places where it causes failures when the Turkish locale is used. This is because 'i' and 'I' isn't the same letter so strcasecmp() on those letters are different in Turkish than in English (or just about all other languages). I thus introduced a totally new internal function in libcurl (called Curl_ascii_equal) for doing case insentive comparisons for english-(ascii?) style strings that thus will make "file" and "FILE" match even if the Turkish locale is selected.
2008-10-14fix compiler warningYang Tse
2008-09-24Official OpenSSL released versions up to and including 0.9.8i as well asYang Tse
2008-09-24 stable snapshot have a buf_mem_st.length structure member with 'int' data type. OpenSSL un-released 0.9.9 CVS version has a buf_mem_st.length structure member with 'size_t' data type since 2007-Oct-09. These 4 typecasts should silence compiler warnings in all cases.
2008-09-23Avoid 'warning: comparison between signed and unsigned'.Gisle Vanem
2008-09-05- Introducing CURLOPT_CERTINFO and the corresponding CURLINFO_CERTINFO. ByDaniel Stenberg
enabling this feature with CURLOPT_CERTINFO for a request using SSL (HTTPS or FTPS), libcurl will gather lots of server certificate info and that info can then get extracted by a client after the request has completed with curl_easy_getinfo()'s CURLINFO_CERTINFO option. Linus Nielsen Feltzing helped me test and smoothen out this feature. Unfortunately, this feature currently only works with libcurl built to use OpenSSL. This feature was sponsored by networking4all.com - thanks!
2008-07-30- PHP's bug report #43158 (http://bugs.php.net/bug.php?id=43158) identifies aDaniel Stenberg
true bug in libcurl built with OpenSSL. It made curl_easy_getinfo() more or less always return 0 for CURLINFO_SSL_VERIFYRESULT because the function that would set it to something non-zero would return before the assign in almost all error cases. The internal variable is now set to non-zero from the start of the function only to get cleared later on if things work out fine.
2008-06-11- I did a cleanup of the internal generic SSL layer and how the various SSLDaniel Stenberg
libraries are supported. Starting now, each underlying SSL library support code does a set of defines for the 16 functions the generic layer (sslgen.c) uses (all these new function defines use the prefix "curlssl_"). This greatly simplified the generic layer in readability by involving much less #ifdefs and other preprocessor stuff and should make it easier for people to make libcurl work with new SSL libraries. Hopefully I can later on document these 16 functions somewhat as well. I also made most of the internal SSL-dependent functions (using Curl_ssl_ prefix) #defined to nothing when no SSL support is requested - previously they would unnecessarily call mostly empty functions.
2008-06-11fix compiler warning: conversion from `pointer to void' to `pointer to intYang Tse
function(pointer to char,int,int,pointer to void)' is compiler dependent
2008-06-10- I made the OpenSSL code build again with OpenSSL 0.9.6. The CRLFILEDaniel Stenberg
functionality killed it due to its unconditional use of X509_STORE_set_flags...
2008-06-06- Axel Tillequin and Arnaud Ebalard added support for CURLOPT_ISSUERCERT, forDaniel Stenberg
OpenSSL, NSS and GnuTLS-built libcurls.
2008-06-06- Axel Tillequin and Arnaud Ebalard added support for CURLOPT_CRLFILE, forDaniel Stenberg
OpenSSL, NSS and GnuTLS-built libcurls.
2008-05-26fix: preprocessor complaining about macro redefinitionYang Tse
2008-05-09- Make Curl_write and it's callees accept a const pointer, in preparationMichal Marek
of tetetest's patch for curl_easy_send()
2008-04-14- Stefan Krause reported a case where the OpenSSL handshake phase wasn'tDaniel Stenberg
properly acknowledging the timeout values, like if you pulled the network plug in the midst of it.
2008-02-26Added support for server name indication (RFC 4366).Gunter Knauf
Patch submitted by Kaspar Brand.
2008-02-23- Sam Listopad provided a patch in feature-request #1900014Daniel Stenberg
http://curl.haxx.se/bug/feature.cgi?id=1900014 that makes libcurl (built to use OpenSSL) support a full chain of certificates in a given PKCS12 certificate.
2008-02-20- Based on initial work done by Gautam Kachroo to address a bug, we now keepDaniel Stenberg
better control at the exact state of the connection's SSL status so that we know exactly when it has completed the SSL negotiation or not so that there won't be accidental re-uses of connections that are wrongly believed to be in SSL-completed-negotiate state.
2008-02-19applied patch to disable SSLv2 by default; discussion:Gunter Knauf
http://sourceforge.net/tracker/index.php?func=detail&aid=1767276&group_id=976&atid=350976 Submitted by Kaspar Brand.
2008-02-07- Refactored a lot of timeout code into a few functions in an attempt to makeDaniel Stenberg
them all use the same (hopefully correct) logic to make it less error-prone and easier to introduce library-wide where it should be used.
2008-01-15Calls to Curl_failf() are not supposed to provide a trailing newline as theDaniel Stenberg
function itself adds that. Fixed on 50 or something strings!
2007-12-08All static functions that were previously name Curl_* something no longerDaniel Stenberg
use that prefix as we use that prefix only for library-wide internal global symbols.