aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls/openssl.c
AgeCommit message (Collapse)Author
2015-07-14openssl: VMS support for SHA256John Malmberg
setup-vms.h: More symbols for SHA256, hacks for older VAX openssl.h: Use OpenSSL OPENSSL_NO_SHA256 macro to allow building on VAX. openssl.c: Use OpenSSL version checks and OPENSSL_NO_SHA256 macro to allow building on VAX and 64 bit VMS.
2015-07-01SSL: Pinned public key hash supportmoparisthebest
2015-06-18openssl: fix use of uninitialized bufferDaniel Stenberg
Make sure that the error buffer is always initialized and simplify the use of it to make the logic easier. Bug: https://github.com/bagder/curl/issues/318 Reported-by: sneis
2015-06-18openssl: fix build with BoringSSLDaniel Stenberg
OPENSSL_load_builtin_modules does not exist in BoringSSL. Regression from cae43a1
2015-06-17openssl: Fix build with openssl < ~ 0.9.8fPaul Howarth
The symbol SSL3_MT_NEWSESSION_TICKET appears to have been introduced at around openssl 0.9.8f, and the use of it in lib/vtls/openssl.c breaks builds with older openssls (certainly with 0.9.8b, which is the latest older version I have to try with).
2015-06-08openssl: LibreSSL and BoringSSL do not use TLS_client_methodJay Satiro
Although OpenSSL 1.1.0+ deprecated SSLv23_client_method in favor of TLS_client_method LibreSSL and BoringSSL didn't and still use SSLv23_client_method. Bug: https://github.com/bagder/curl/commit/49a6642#commitcomment-11578009 Reported-by: asavah@users.noreply.github.com
2015-06-07openssl: Fix verification of server-sent legacy intermediatesJay Satiro
- Try building a chain using issuers in the trusted store first to avoid problems with server-sent legacy intermediates. Prior to this change server-sent legacy intermediates with missing legacy issuers would cause verification to fail even if the client's CA bundle contained a valid replacement for the intermediate and an alternate chain could be constructed that would verify successfully. https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
2015-06-05openssl: removed error string #ifdefDaniel Stenberg
ERR_error_string_n() was introduced in 0.9.6, no need to #ifdef anymore
2015-06-05openssl: removed USERDATA_IN_PWD_CALLBACK kludgeDaniel Stenberg
Code for OpenSSL 0.9.4 serves no purpose anymore!
2015-06-05openssl: remove SSL_get_session()-using codeDaniel Stenberg
It was present for OpenSSL 0.9.5 code but we only support 0.9.7 or later.
2015-06-05openssl: remove dummy callback use from SSL_CTX_set_verify()Daniel Stenberg
The existing callback served no purpose.
2015-06-01curl_setup: Add macros for FOPEN_READTEXT, FOPEN_WRITETEXTJay Satiro
- Change fopen calls to use FOPEN_READTEXT instead of "r" or "rt" - Change fopen calls to use FOPEN_WRITETEXT instead of "w" or "wt" This change is to explicitly specify when we need to read/write text. Unfortunately 't' is not part of POSIX fopen so we can't specify it directly. Instead we now have FOPEN_READTEXT, FOPEN_WRITETEXT. Prior to this change we had an issue on Windows if an application that uses libcurl overrides the default file mode to binary. The default file mode in Windows is normally text mode (translation mode) and that's what libcurl expects. Bug: https://github.com/bagder/curl/pull/258#issuecomment-107093055 Reported-by: Orgad Shaneh
2015-05-27openssl: typo in commentDaniel Melani
2015-05-27openssl: Use TLS_client_method for OpenSSL 1.1.0+Jay Satiro
SSLv23_client_method is deprecated starting in OpenSSL 1.1.0. The equivalent is TLS_client_method. https://github.com/openssl/openssl/commit/13c9bb3#diff-708d3ae0f2c2973b272b811315381557
2015-05-19openssl: Use SSL_CTX_set_msg_callback and SSL_CTX_set_msg_callback_argBrian Prodoehl
BoringSSL removed support for direct callers of SSL_CTX_callback_ctrl and SSL_CTX_ctrl, so move to a way that should work on BoringSSL and OpenSSL. re #275
2015-05-04OpenSSL: conditional check for SSL3_RT_HEADERDaniel Stenberg
The symbol is fairly new. Reported-by: Kamil Dudka
2015-05-04openssl: skip trace outputs for ssl_ver == 0Daniel Stenberg
The OpenSSL trace callback is wonderfully undocumented but given a journey in the source code, it seems the cases were ssl_ver is zero doesn't follow the same pattern and thus turned out confusing and misleading. For now, we skip doing any CURLINFO_TEXT logging on those but keep sending them as CURLINFO_SSL_DATA_OUT/IN. Also, I added direction to the text info and I edited some functions slightly. Bug: https://github.com/bagder/curl/issues/219 Reported-by: Jay Satiro, Ashish Shukla
2015-04-26Curl_ossl_init: load builtin modulesDaniel Stenberg
To have engine modules work, we must tell openssl to load builtin modules first. Bug: https://github.com/bagder/curl/pull/206
2015-04-26openssl: fix serial number outputDaniel Stenberg
The code extracting the cert serial number was broken and didn't display it properly. Bug: https://github.com/bagder/curl/issues/235 Reported-by: dkjjr89
2015-04-21openssl: add OPENSSL_NO_SSL3_METHOD checkbyronhe
2015-04-19vtls/openssl: use https in URLs and a comment typo fixedViktor Szakáts
2015-04-13vtls_openssl: improve PKCS#12 load failure error messageMatthew Hall
2015-04-13vtls_openssl: fix minor typo in PKCS#12 load routineMatthew Hall
2015-04-13vtls_openssl: improve client certificate load failure error messagesMatthew Hall
2015-04-13vtls_openssl: remove ambiguous SSL_CLIENT_CERT_ERR constantMatthew Hall
2015-03-24curl_memory: make curl_memory.h the second-last header file loadedDan Fandrich
This header file must be included after all header files except memdebug.h, as it does similar memory function redefinitions and can be similarly affected by conflicting definitions in system or dependent library headers.
2015-03-24openssl: do the OCSP work-around for libressl tooDaniel Stenberg
I tested with libressl git master now (v2.1.4-27-g34bf96c) and it seems to still require the work-around for stapling to work.
2015-03-24openssl: verifystatus: only use the OCSP work-around <= 1.0.2aDaniel Stenberg
URL: http://curl.haxx.se/mail/lib-2015-03/0205.html Reported-by: Alessandro Ghedini
2015-03-24openssl: adapt to ASN1/X509 things gone opaque in 1.1Daniel Stenberg
2015-03-20openssl: try to avoid accessing OCSP structs when possibleAlessandro Ghedini
2015-03-17checksrc: detect and remove space before trailing semicolonsDaniel Stenberg
2015-03-17checksrc: use space after commaDaniel Stenberg
2015-03-12openssl: show the cipher selection to useDaniel Stenberg
2015-03-07http2: use CURL_HTTP_VERSION_* symbols instead of NPN_*Daniel Stenberg
Since they already exist and will make comparing easier
2015-03-07openssl: make it possible to enable ALPN/NPN without HTTP2Alessandro Ghedini
2015-03-05openssl: remove all uses of USE_SSLEAYDaniel Stenberg
SSLeay was the name of the library that was subsequently turned into OpenSSL many moons ago (1999). curl does not work with the old SSLeay library since years. This is now reflected by only using USE_OPENSSL in code that depends on OpenSSL.
2015-03-03vtls: use curl_printf.h all overDaniel Stenberg
No need to use _MPRINTF_REPLACE internally.
2015-02-12openssl: fix a compile-time warningKamil Dudka
lib/vtls/openssl.c:1450:7: warning: extra tokens at end of #endif directive
2015-02-11openssl: Use OPENSSL_IS_BORINGSSL for BoringSSL detectionSteve Holme
For consistency with other conditionally compiled code in openssl.c, use OPENSSL_IS_BORINGSSL rather than HAVE_BORINGSSL and try to use HAVE_BORINGSSL outside of openssl.c when the OpenSSL header files are not included.
2015-02-09openssl: Disable OCSP in old versions of OpenSSLSteve Holme
Versions of OpenSSL prior to v0.9.8h do not support the necessary functions for OCSP stapling.
2015-02-05openssl: SSL_SESSION->ssl_version no longer existDaniel Stenberg
The struct went private in 1.0.2 so we cannot read the version number from there anymore. Use SSL_version() instead! Reported-by: Gisle Vanem Bug: http://curl.haxx.se/mail/lib-2015-02/0034.html
2015-01-27openssl: Fixed Curl_ossl_cert_status_request() not returning FALSESteve Holme
Modified the Curl_ossl_cert_status_request() function to return FALSE when built with BoringSSL or when OpenSSL is missing the necessary TLS extensions.
2015-01-27openssl: Fixed compilation errors when OpenSSL built with 'no-tlsext'Steve Holme
Fixed the build of openssl.c when OpenSSL is built without the necessary TLS extensions for OCSP stapling. Reported-by: John E. Malmberg
2015-01-22OCSP stapling: disabled when build with BoringSSLDaniel Stenberg
2015-01-22openssl: add support for the Certificate Status Request TLS extensionAlessandro Ghedini
Also known as "status_request" or OCSP stapling, defined in RFC6066 section 8. Thanks-to: Joe Mason - for the work-around for the OpenSSL bug.
2015-01-22BoringSSL: no PKCS12 support nor ERR_remove_stateDaniel Stenberg
2015-01-22BoringSSL: fix buildLeith Bade
2015-01-19openssl: do public key pinning check independentlyDaniel Stenberg
... of the other cert verification checks so that you can set verifyhost and verifypeer to FALSE and still check the public key. Bug: http://curl.haxx.se/bug/view.cgi?id=1471 Reported-by: Kyle J. McKay
2014-12-28vtls: Fixed compilation warning and an ignored return codeSteve Holme
curl_schannel.h:123: warning: right-hand operand of comma expression has no effect Some instances of the curlssl_close_all() function were declared with a void return type whilst others as int. The schannel version returned CURLE_NOT_BUILT_IN and others simply returned zero, but in all cases the return code was ignored by the calling function Curl_ssl_close_all(). For the time being and to keep the internal API consistent, changed all declarations to use a void return type. To reduce code we might want to consider removing the unimplemented versions and use a void #define like schannel does.
2014-12-26vtls: Use CURLcode for Curl_ssl_init_certinfo() return typeSteve Holme
The return type for this function was 0 on success and 1 on error. This was then examined by the calling functions and, in most cases, used to return CURLE_OUT_OF_MEMORY. Instead use CURLcode for the return type and return the out of memory error directly, propagating it up the call stack.