Age | Commit message (Collapse) | Author |
|
...as otherwise the TLS libs will skip the CN/SAN check and just allow
connection to any server. curl previously skipped this function when SNI
wasn't used or when connecting to an IP address specified host.
CVE-2016-3739
Bug: https://curl.haxx.se/docs/adv_20160518A.html
Reported-by: Moti Avrahami
|
|
Only protocols that actually have a protocol registered for ALPN and NPN
should try to get that negotiated in the TLS handshake. That is only
HTTPS (well, http/1.1 and http/2) right now. Previously ALPN and NPN
would wrongly be used in all handshakes if libcurl was built with it
enabled.
Reported-by: Jay Satiro
Fixes #789
|
|
This also fixes PolarSSL session resume.
Prior to this change the TLS session information wasn't properly
saved and restored for PolarSSL and mbedTLS.
Bug: https://curl.haxx.se/mail/lib-2016-01/0070.html
Reported-by: Thomas Glanzmann
Bug: https://curl.haxx.se/mail/lib-2016-04/0095.html
Reported-by: Moti Avrahami
|
|
|
|
|
|
... as otherwise we might get stuck thinking there's no more data to
handle.
Reported-by: Damien Vielpeau
Fixes #737
|
|
|
|
mbedtls_ is the prefix used by the mbedTLS library itself so we should
avoid using that for our private functions.
|
|
|
|
vtls/mbedtls.h:67:36: warning: implicit declaration of function
‘mbedtls_sha256’ [-Wimplicit-function-declaration]
|
|
Prior to this change when a single protocol CURL_SSLVERSION_ was
specified by the user that version was set only as the minimum version
but not as the maximum version as well.
|
|
|
|
Closes #626
|
|
Since we didn't keep the input argument around after having called
mbedtls, it could end up accessing the wrong memory when figuring out
the ALPN protocols.
Closes #642
|
|
|
|
- Switch from verifying a pinned public key in a callback during the
certificate verification to inline after the certificate verification.
The callback method had three problems:
1. If a pinned public key didn't match, CURLE_SSL_PINNEDPUBKEYNOTMATCH
was not returned.
2. If peer certificate verification was disabled the pinned key
verification did not take place as it should.
3. (related to #2) If there was no certificate of depth 0 the callback
would not have checked the pinned public key.
Though all those problems could have been fixed it would have made the
code more complex. Instead we now verify inline after the certificate
verification in mbedtls_connect_step2.
Ref: http://curl.haxx.se/mail/lib-2016-01/0047.html
Ref: https://github.com/bagder/curl/pull/601
|
|
|
|
- Fix ALPN reply detection.
- Wrap nghttp2 code in ifdef USE_NGHTTP2.
Prior to this change ALPN and HTTP/2 did not work properly in mbedTLS.
|
|
... and stick to 1.1 for HTTP. This is in line with what browsers do and
should have very little risk.
|
|
CID 1332129
|
|
CID 1332128
|
|
Global private symbols MUST start with Curl_!
|
|
Closes #505
|
|
Closes #502
|
|
closes #496
|