path: root/lib/ssluse.c
Age | Commit message | Author
2012-06-09 | OpenSSL: support longer certificate subject names | Daniel Stenberg
Previously it would use a 256 byte buffer and thus cut off very long subject names. The limit is now upped to the receive buffer size, 16K. Bug: http://curl.haxx.se/bug/view.cgi?id=3533045 Reported by: Anthony G. Basile
2012-04-23 | OpenSSL cert: provide more details when cert check fails | Gokhan Sengun
curl needs to be more chatty regarding certificate verification failure during SSL handshake
2012-04-01 | OpenSSL: Made cert hostname check conform to RFC 6125 | Tatsuhiro Tsujikawa
This change replaces RFC 2818 based hostname check in OpenSSL build with RFC 6125 [1] based one. The hostname check in RFC 2818 is ambiguous and each project implements it in their own way and they are slightly different. I check curl, gnutls, Firefox and Chrome and they are all different. I don't think there is a bug in current implementation of hostname check. But it is not as strict as the modern browsers do. Currently, curl allows multiple wildcard character '*' and it matches '.'. (as described in the comment in ssluse.c). Firefox implementation is also based on RFC 2818 but it only allows at most one wildcard character and it must be in the left-most label in the pattern and the wildcard must not be followed by any character in the label.[2] Chromium implementation is based on RFC 6125 as my patch does. Firefox and Chromium both require wildcard in the left-most label in the presented identifier. This patch is more strict than the current implementation, so there may be some cases where old curl works but new one does not. But at the same time I think it is good practice to follow the modern browsers do and follow the newer RFC. [1] http://tools.ietf.org/html/rfc6125#section-6.4.3 [2] https://bugzilla.mozilla.org/show_bug.cgi?id=159483
2012-03-22 | fix several compiler warnings | Yang Tse
2012-03-16 | fix some compiler warnings | Yang Tse
2012-02-09 | CURLOPT_SSL_OPTIONS: added | Daniel Stenberg
Allow an application to set libcurl specific SSL options. The first and only option supported right now is CURLSSLOPT_ALLOW_BEAST. It will make libcurl disable any work-arounds the underlying SSL library may have to address a known security flaw in the SSL3 and TLS1.0 protocol versions. This is a reaction to us unconditionally removing that behavior after this security advisory: http://curl.haxx.se/docs/adv_20120124B.html ... it did however cause a lot of programs to fail because of old servers not liking this work-around. Now programs can opt to decrease the security in order to interoperate with old servers better.
2012-01-24 | OpenSSL: don't disable security work-around | Daniel Stenberg
OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to SSL_OP_ALL that _disables_ that work-around despite the fact that SSL_OP_ALL is documented to do "rather harmless" workarounds. The libcurl code uses the SSL_OP_ALL define and thus logically always disables the OpenSSL fix. In order to keep the secure work-around working, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit must not be set and this change makes sure of this. Reported by: product-security at Apple
2012-01-19 | OpenSSL: follow-up for commit a20daf90e3 | Yang Tse
avoid checking preprocessor definition official value
2012-01-18 | OpenSSL: fix PKCS#12 certificate parsing related memory leak | Johannes Bauer
Leak triggered when CURLOPT_SSLCERTTYPE and CURLOPT_SSLKEYTYPE set to P12 and both CURLOPT_SSLCERT and CURLOPT_SSLKEY point to the same PKCS#12 file.
2012-01-18 | OpenSSL: SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option is no longer enabled | Yang Tse
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option enabling allowed successful interoperability with web server Netscape Enterprise Server 2.0.1 released back in 1996 more than 15 years ago. Due to CVE-2010-4180, option SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG has become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate CVE-2010-4180 when using previous OpenSSL versions we no longer enable this option regardless of OpenSSL version and SSL_OP_ALL definition.
2012-01-04 | OpenSSL: remove reference to openssl internal struct | Peter Sylvester
With this change, curl compiles with the new OPENSSL_NO_SSL_INTERN cflag. This flag might become the default in some distant future.
2011-12-06 | OpenSSL: check for the SSLv2 function in configure | Daniel Stenberg
If no SSLv2 was detected in OpenSSL by configure, then we enforce the OPENSSL_NO_SSL2 define as it seems some people report it not being defined properly in the OpenSSL headers.
2011-11-04 | ssluse.c: fix calling of OpenSSL's ERR_remove_state(0) | Yang Tse
Move calling of ERR_remove_state(0) a.k.a ERR_remove_thread_state(NULL) from Curl_ossl_close_all() to Curl_ossl_cleanup(). In this way ERR_remove_state(0) is now only called in libcurl by curl_global_cleanup(). Previously it would get called by functions curl_easy_cleanup(), curl_multi_cleanup and potentially each time a connection was removed from a connection cache leading to premature destruction of OpenSSL's thread local state hash. Multi-threaded apps using OpenSSL enabled libcurl should still call function ERR_remove_state(0) or ERR_remove_thread_state(NULL) at the very end of threads that do not call curl_global_cleanup().
2011-10-11 | OOM handling/cleanup slight adjustments | Yang Tse
2011-10-07 | libcurl: some OOM handling fixes | Yang Tse
2011-09-05 | fix bool variables checking and assignment | Yang Tse
2011-09-03 | fix a bunch of MSVC compiler warnings | Yang Tse
2011-08-07 | OpenSSL: Use SSL_MODE_RELEASE_BUFFERS if available, reduces memory use | Cristian Rodríguez
See also : http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html Signed-off-by: Cristian Rodríguez <crrodriguez@opensuse.org>
2011-07-26 | stdio.h, stdlib.h, string.h, stdarg.h and ctype.h inclusion done in setup_once.h | Yang Tse
2011-06-04 | Curl_socket_ready: make timeout a 'long' | Daniel Stenberg
It was mostly typecasted to int all over the code so switching to long instead all over should be a net gain.
2011-06-02 | OpenSSL enabled: require OPENSSL_VERSION_NUMBER definition before usage. | Yang Tse
2011-05-21 | compiler warning: fix | Yang Tse
Fix compiler warning: enumerated type mixed with another type
2011-04-27 | source cleanup: unify look, style and indent levels | Daniel Stenberg
By the use of the new lib/checksrc.pl script that checks that our basic source style rules are followed.
2011-04-21 | Fix a couple of spelling errors in lib/ | Fabian Keil
Found with codespell.
2011-04-20 | CURL_DOES_CONVERSIONS: cleanup | Daniel Stenberg
Massively reduce #ifdefs all over (23 #ifdef lines less so far)
Moved conversion-specific code to non-ascii.c
2011-04-14 | Fix a buffer overflow in pubkey_show(). | Andrei Benea
2011-04-10 | OpenSSL: no-sslv2 aware | Daniel Stenberg
Allow openSSL without SSL2 to be used. This fix is inspired by the fix provided by Cristian Rodríguez. Reported by: Cristian Rodríguez
2011-03-25 | TSL-SRP: enabled with OpenSSL | Peter Sylvester
If a new enough OpenSSL version is used, configure detects the TLS-SRP support and enables it.
2011-02-10 | Call ERR_peek_error instead of ERR_peek_last_error | Dan Fandrich
The latter isn't available in older OpenSSL versions, and is less useful since it returns the most recent error instead of the first one encountered.
2011-02-02 | ssluse: improved error message on SSL_CTX_new failures | Bjoern Sikora
"SSL: couldn't create a context" really isn't that helpful, now it'll also extract an explanation from OpenSSL and append to the right.
2011-01-20 | Fixed compile using OpenSSL versions < 0.9.4a | Darshan Mody
2011-01-04 | Curl_timeleft: s/conn/data in first argument | Daniel Stenberg
As the function doesn't really use the connectdata struct but only the SessionHandle struct I modified what argument it wants.
2011-01-04 | get_cert_chain: support larger data sets | Daniel Stenberg
512 bytes turned out too short for some data, so now we allocate a larger buffer instead Bug: http://curl.haxx.se/mail/archive-2011-01/0002.html
2011-01-01 | pubkey_show: allocate buffer to fit any-size result | Daniel Stenberg
The loop condition was wrong so keys larger than 340 bits would overflow the local stack-based buffer.
2010-12-23 | ossl_seed: no more RAND_screen | Daniel Stenberg
RAND_screen() is slow, not thread-safe and not needed anymore since OpenSSL uses the thread-safe win32 CryptoAPI nowadays.
2010-12-06 | ossl_connect_common: detect connection re-use | Heinrich Ko
ossl_connect_common() now checks whether or not 'struct connectdata->state' is equal to 'ssl_connection_complete' and if so, will return CURLE_OK with 'done' set to 'TRUE'. This check prevents ossl_connect_common() from creating a new ssl connection on an existing ssl session which causes openssl to fail when it tries to parse an encrypted TLS packet since the cipher data was effectively thrown away when the new ssl connection was created. Bug: http://curl.haxx.se/mail/lib-2010-11/0169.html
2010-11-08 | fix compiler warning | Yang Tse
2010-11-05 | Revert: use Host: name for SNI and cert name checks | Daniel Stenberg
This reverts commit b0fd03f5b8d4520dd232a9d13567d16bd0ad8951, 4b2fbe1e97891f, afecd1aa13b4f, 68cde058f66b3
2010-11-04 | certcheck: use the custom Host: name for checks | Daniel Stenberg
If you use a custom Host: name in a request to a SSL server, libcurl will now use that given name when it verifies the server certificate to be correct rather than using the host name used in the actual URL.
2010-11-04 | SNI: simplify the custom host name use | Daniel Stenberg
The redirect check is already done at the position where the customhost field is assigned so there's no point in doing that a second time.
2010-11-04 | host: get the custom Host: name more genericly | Daniel Stenberg
When given a custom host name in a Host: header, we can use it for several different purposes other than just cookies, so we rename it and use it for SSL SNI etc.
2010-11-04 | SNI: set name to custom Host header | Hongli Lai (Phusion)
OpenSSL SNI host name should be set to the custom Host header, if the user provided one.
2010-09-12 | ssluse: removed redundant check that is always true | Daniel Stenberg
2010-08-01 | multi: fix FTPS connecting the data connection with OpenSSL | Daniel Stenberg
Commit 496002ea1cd76af7f (released in 7.20.1) broke FTPS when using the multi interface and OpenSSL was used. The condition for the non-blocking connect was incorrect. Reported by: Georg Lippitsch Bug: http://curl.haxx.se/mail/lib-2010-07/0270.html
2010-06-05 | OpenSSL: fix spurious SSL connection aborts | Constantine Sapuntzakis
Was seeing spurious SSL connection aborts using libcurl and OpenSSL. I tracked it down to uncleared error state on the OpenSSL error stack - patch attached deals with that.
Rough idea of problem:
Code that uses libcurl calls some library that uses OpenSSL but doesn't clear the OpenSSL error stack after an error.
ssluse.c calls SSL_read which eventually gets an EWOULDBLOCK from the OS. Returns -1 to indicate an error.
ssluse.c calls SSL_get_error. First thing, SSL_get_error calls ERR_get_error to check the OpenSSL error stack, finds an old error and returns SSL_ERROR_SSL instead of SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE.
ssluse.c returns an error and aborts the connection.
Solution: Clear the openssl error stack before calling SSL_* operation if we're going to call SSL_get_error afterwards.
Notes: This is much more likely to happen with multi because it's easier to intersperse other calls to the OpenSSL library in the same thread.
2010-05-14 | OpenSSL: multi interface handshake could hang | Daniel Stenberg
John-Mark Bell filed bug #3000052 that identified a problem (with an associated patch) with the OpenSSL handshake state machine when the multi interface is used: Performing an https request using a curl multi handle and using select or epoll to wait for events results in a hang. It appears that the cause is the fix for bug #2958179, which makes ossl_connect_common unconditionally return from the step 2 loop when fetching from a multi handle. When ossl_connect_step2 has completed, it updates connssl->connecting_state to ssl_connect_3. ossl_connect_common will then return to the caller, as a multi handle is in use. Eventually, the client code will call curl_multi_fdset to obtain an updated fdset to select or epoll on. For https requests, curl_multi_fdset will cause https_getsock to be called. https_getsock will only return a socket handle if the connecting_state is ssl_connect_2_reading or ssl_connect_2_writing. Therefore, the client will never obtain a valid fdset, and thus not drive the multi handle, resulting in a hang. (http://curl.haxx.se/bug/view.cgi?id=3000052)
2010-05-11 | sendrecv: make them two pairs of send/recv to properly deal with FTPS | Howard Chu
FTP(S) use two connections that can be set to different recv and send functions independently, so by introducing recv+send pairs in the same manner we already have sockets/connections we can work with FTPS fine. This commit fixes the FTPS regression introduced in change d64bd82.
2010-05-07 | sendrecv: split the I/O handling into private handler | Howard Chu
Howard Chu brought the bulk work of this patch that properly moves out the sending and recving of data to the parts of the code that are properly responsible for the various ways of doing so. Daniel Stenberg assisted with polishing a few bits and fixed some minor flaws in the original patch. Another upside of this patch is that we now abuse CURLcodes less with the "magic" -1 return codes and instead use CURLE_AGAIN more consistently.
2010-04-04 | refactorize interface of Curl_ssl_recv/Curl_ssl_send | Kamil Dudka
2010-03-24 | remove the CVSish $Id$ lines | Daniel Stenberg