aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls/darwinssl.c
AgeCommit message (Collapse)Author
2017-04-18TLS: Fix switching off SSL session id when client cert is usedJay Satiro
Move the sessionid flag to ssl_primary_config so that ssl and proxy_ssl will each have their own sessionid flag. Regression since HTTPS-Proxy support was added in cb4e2be. Prior to that this issue had been fixed in 247d890, CVE-2016-5419. Bug: https://github.com/curl/curl/issues/1341 Reported-by: lijian996@users.noreply.github.com The new incarnation of this bug is called CVE-2017-7468 and is documented here: https://curl.haxx.se/docs/adv_20170419.html
2017-03-18darwinssl: fix typo in variable namePalo Markovic
Broken a week ago in 6448f98. Closes https://github.com/curl/curl/pull/1337
2017-03-08vtls: add options to specify range of enabled TLS versionsJozef Kralik
This commit introduces the CURL_SSLVERSION_MAX_* constants as well as the --tls-max option of the curl tool. Closes https://github.com/curl/curl/pull/1166
2017-03-02darwinssl: Warn that disabling host verify also disables SNIJDepooter
In DarwinSSL the SSLSetPeerDomainName function is used to enable both sending SNI and verifying the host. When host verification is disabled the function cannot be called, therefore SNI is disabled as well. Closes https://github.com/curl/curl/pull/1240
2017-02-07darwinssl: Avoid parsing certificates when not in verbose modeDaniel Gustafsson
The information extracted from the server certificates in step 3 is only used when in verbose mode, and there is no error handling or validation performed as that has already been done. Only run the certificate information extraction when in verbose mode and libcurl was built with verbose strings. Closes https://github.com/curl/curl/pull/1246
2017-01-12rand: make it work without TLS backingDaniel Stenberg
Regression introduced in commit f682156a4fc6c4 Reported-by: John Kohl Bug: https://curl.haxx.se/mail/lib-2017-01/0055.html
2017-01-03darwinssl: --insecure overrides --cacert if both settings are in useNick Zitzmann
Fixes #1184
2016-12-27darwinssl: fix CFArrayRef leakChris Araman
Reviewed-by: Nick Zitzmann Closes #1173
2016-12-27darwinssl: fix iOS buildChris Araman
Reviewed-by: Nick Zitzmann Fixes #1172
2016-12-13checksrc: stricter no-space-before-paren enforcementDaniel Stenberg
In order to make the code style more uniform everywhere
2016-11-24checksrc: move open braces to comply with function declaration styleDaniel Stenberg
2016-11-24checksrc: white space edits to comply to stricter checksrcDaniel Stenberg
2016-11-24HTTPS-proxy: fixed mbedtls and polishingOkhin Vasilij
2016-11-24darwinssl: adopted to the HTTPS proxy changesDaniel Stenberg
It builds and runs all test cases. No adaptations for actual HTTPS proxy support has been made.
2016-11-24proxy: Support HTTPS proxy and SOCKS+HTTP(s)Alex Rousskov
* HTTPS proxies: An HTTPS proxy receives all transactions over an SSL/TLS connection. Once a secure connection with the proxy is established, the user agent uses the proxy as usual, including sending CONNECT requests to instruct the proxy to establish a [usually secure] TCP tunnel with an origin server. HTTPS proxies protect nearly all aspects of user-proxy communications as opposed to HTTP proxies that receive all requests (including CONNECT requests) in vulnerable clear text. With HTTPS proxies, it is possible to have two concurrent _nested_ SSL/TLS sessions: the "outer" one between the user agent and the proxy and the "inner" one between the user agent and the origin server (through the proxy). This change adds supports for such nested sessions as well. A secure connection with a proxy requires its own set of the usual SSL options (their actual descriptions differ and need polishing, see TODO): --proxy-cacert FILE CA certificate to verify peer against --proxy-capath DIR CA directory to verify peer against --proxy-cert CERT[:PASSWD] Client certificate file and password --proxy-cert-type TYPE Certificate file type (DER/PEM/ENG) --proxy-ciphers LIST SSL ciphers to use --proxy-crlfile FILE Get a CRL list in PEM format from the file --proxy-insecure Allow connections to proxies with bad certs --proxy-key KEY Private key file name --proxy-key-type TYPE Private key file type (DER/PEM/ENG) --proxy-pass PASS Pass phrase for the private key --proxy-ssl-allow-beast Allow security flaw to improve interop --proxy-sslv2 Use SSLv2 --proxy-sslv3 Use SSLv3 --proxy-tlsv1 Use TLSv1 --proxy-tlsuser USER TLS username --proxy-tlspassword STRING TLS password --proxy-tlsauthtype STRING TLS authentication type (default SRP) All --proxy-foo options are independent from their --foo counterparts, except --proxy-crlfile which defaults to --crlfile and --proxy-capath which defaults to --capath. Curl now also supports %{proxy_ssl_verify_result} --write-out variable, similar to the existing %{ssl_verify_result} variable. Supported backends: OpenSSL, GnuTLS, and NSS. * A SOCKS proxy + HTTP/HTTPS proxy combination: If both --socks* and --proxy options are given, Curl first connects to the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS proxy. TODO: Update documentation for the new APIs and --proxy-* options. Look for "Added in 7.XXX" marks.
2016-11-15darwinssl: fix SSL client certificate not found on MacOS SierraDavid Schweikert
Reviewed-by: Nick Zitzmann Closes #1105
2016-11-09vtls: Fail on unrecognized param for CURLOPT_SSLVERSIONJay Satiro
- Fix GnuTLS code for CURL_SSLVERSION_TLSv1_2 that broke when the TLS 1.3 support was added in 6ad3add. - Homogenize across code for all backends the error message when TLS 1.3 is not available to "<backend>: TLS 1.3 is not yet supported". - Return an error when a user-specified ssl version is unrecognized. --- Prior to this change our code for some of the backends used the 'default' label in the switch statement (ie ver unrecognized) for ssl.version and treated it the same as CURL_SSLVERSION_DEFAULT. Bug: https://curl.haxx.se/mail/lib-2016-11/0048.html Reported-by: Kamil Dudka
2016-11-07vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3Kamil Dudka
Fully implemented with the NSS backend only for now. Reviewed-by: Ray Satiro
2016-10-18select: switch to macros in uppercaseDaniel Stenberg
Curl_select_ready() was the former API that was replaced with Curl_select_check() a while back and the former arg setup was provided with a define (in order to leave existing code unmodified). Now we instead offer SOCKET_READABLE and SOCKET_WRITABLE for the most common shortcuts where only one socket is checked. They're also more visibly macros.
2016-09-19darwinssl: Fix typo in commentDaniel Gustafsson
Closes https://github.com/curl/curl/pull/1028
2016-09-18darwinssl: disable RC4 cipher-suite supportNick Zitzmann
RC4 was a nice alternative to CBC back in the days of BEAST, but it's insecure and obsolete now.
2016-09-06darwinssl: test for errSecSuccess in PKCS12 import rather than noErr (#993)Daniel Gustafsson
While noErr and errSecSuccess are defined as the same value, the API documentation states that SecPKCS12Import() returns errSecSuccess if there were no errors in importing. Ensure that a future change of the defined value doesn't break (however unlikely) and be consistent with the API docs.
2016-06-22internals: rename the SessionHandle struct to Curl_easyDaniel Stenberg
2016-06-22vtls: Only call add/getsession if session id is enabledJay Satiro
Prior to this change we called Curl_ssl_getsessionid and Curl_ssl_addsessionid regardless of whether session ID reusing was enabled. According to comments that is in case session ID reuse was disabled but then later enabled. The old way was not intuitive and probably not something users expected. When a user disables session ID caching I'd guess they don't expect the session ID to be cached anyway in case the caching is later enabled.
2016-06-01vtls: fix ssl session cache race conditionIvan Avdeev
Sessionid cache management is inseparable from managing individual session lifetimes. E.g. for reference-counted sessions (like those in SChannel and OpenSSL engines) every session addition and removal should be accompanied with refcount increment and decrement respectively. Failing to do so synchronously leads to a race condition that causes symptoms like use-after-free and memory corruption. This commit: - makes existing session cache locking explicit, thus allowing individual engines to manage lock's scope. - fixes OpenSSL and SChannel engines by putting refcount management inside this lock's scope in relevant places. - adds these explicit locking calls to other engines that use sessionid cache to accommodate for this change. Note, however, that it is unknown whether any of these engines could also have this race. Bug: https://github.com/curl/curl/issues/815 Fixes #815 Closes #847
2016-05-13darwinssl.c: fix OS X codename typo in commentViktor Szakats
2016-05-12darwinssl: fix certificate verification disable on OS X 10.8Per Malmberg
The new way of disabling certificate verification doesn't work on Mountain Lion (OS X 10.8) so we need to use the old way in that version too. I've tested this solution on versions 10.7.5, 10.8, 10.9, 10.10.2 and 10.11. Closes #802
2016-04-19darwinssl: removed commented out codeDaniel Stenberg
2016-02-03URLs: change all http:// URLs to https://Daniel Stenberg
2015-03-21darwinsssl: add support for TLS False StartNick Zitzmann
TLS False Start support requires iOS 7.0 or later, or OS X 10.9 or later.
2015-03-03vtls: use curl_printf.h all overDaniel Stenberg
No need to use _MPRINTF_REPLACE internally.
2015-02-15By request, change the name of "curl_darwinssl.[ch]" to "darwinssl.[ch]"Nick Zitzmann