aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls/openssl.c
AgeCommit message (Collapse)Author
2015-01-22OCSP stapling: disabled when build with BoringSSLDaniel Stenberg
2015-01-22openssl: add support for the Certificate Status Request TLS extensionAlessandro Ghedini
Also known as "status_request" or OCSP stapling, defined in RFC6066 section 8. Thanks-to: Joe Mason - for the work-around for the OpenSSL bug.
2015-01-22BoringSSL: no PKCS12 support nor ERR_remove_stateDaniel Stenberg
2015-01-22BoringSSL: fix buildLeith Bade
2015-01-19openssl: do public key pinning check independentlyDaniel Stenberg
... of the other cert verification checks so that you can set verifyhost and verifypeer to FALSE and still check the public key. Bug: http://curl.haxx.se/bug/view.cgi?id=1471 Reported-by: Kyle J. McKay
2014-12-28vtls: Fixed compilation warning and an ignored return codeSteve Holme
curl_schannel.h:123: warning: right-hand operand of comma expression has no effect Some instances of the curlssl_close_all() function were declared with a void return type whilst others as int. The schannel version returned CURLE_NOT_BUILT_IN and others simply returned zero, but in all cases the return code was ignored by the calling function Curl_ssl_close_all(). For the time being and to keep the internal API consistent, changed all declarations to use a void return type. To reduce code we might want to consider removing the unimplemented versions and use a void #define like schannel does.
2014-12-26vtls: Use CURLcode for Curl_ssl_init_certinfo() return typeSteve Holme
The return type for this function was 0 on success and 1 on error. This was then examined by the calling functions and, in most cases, used to return CURLE_OUT_OF_MEMORY. Instead use CURLcode for the return type and return the out of memory error directly, propagating it up the call stack.
2014-12-25vtls: Use bool for Curl_ssl_getsessionid() return typeSteve Holme
The return type of this function is a boolean value, and even uses a bool internally, so use bool in the function declaration as well as the variables that store the return value, to avoid any confusion.
2014-12-24openssl: Prefer we don't use NULL in comparisonsSteve Holme
2014-12-23openssl.c Fix for compilation errors with older versions of OpenSSLSteve Holme
openssl.c:1408: error: 'TLS1_1_VERSION' undeclared openssl.c:1411: error: 'TLS1_2_VERSION' undeclared
2014-12-22openssl: fix SSL/TLS versions in verbose outputDaniel Stenberg
2014-12-22openssl: make it compile against openssl 1.1.0-DEV master branchDaniel Stenberg
2014-12-21openssl: warn for SRP set if SSLv3 is used, not for TLS versionDaniel Stenberg
... as it requires TLS and it was was left to warn on the default from when default was SSL...
2014-12-09http2: avoid logging neg "failure" if h2 was not requestedDaniel Stenberg
2014-11-02openssl: Use 'CURLcode result'Steve Holme
More CURLcode fixes.
2014-11-01openssl: Use 'CURLcode result'Steve Holme
More standardisation of CURLcode usage and coding style.
2014-11-01openssl: Use 'CURLcode result'Steve Holme
...and some minor code style changes.
2014-10-30code cleanup: Use 'CURLcode result'Steve Holme
2014-10-29openssl: enable NPN separately from ALPNDaniel Stenberg
... and allow building with nghttp2 but completely without NPN and ALPN, as nghttp2 can still be used for plain-text HTTP. Reported-by: Lucas Pardue
2014-10-29openssl: fix a line length warningKamil Dudka
2014-10-29Fixed error message since we require ALPN support.Guenter Knauf
2014-10-29Check for ALPN via OpenSSL version number.Guenter Knauf
This check works also with to non-configure platforms.
2014-10-24SSL: Remove SSLv3 from SSL default due to POODLE attackJay Satiro
- Remove SSLv3 from SSL default in darwinssl, schannel, cyassl, nss, openssl effectively making the default TLS 1.x. axTLS is not affected since it supports only TLS, and gnutls is not affected since it already defaults to TLS 1.x. - Update CURLOPT_SSLVERSION doc
2014-10-13pinning: minor code style policingDaniel Stenberg
2014-10-13Factorize pinned public key code into generic file handling and backend specificPatrick Monnerat
2014-10-07SSL: implement public key pinningmoparisthebest
Option --pinnedpubkey takes a path to a public key in DER format and only connect if it matches (currently only implemented with OpenSSL). Provides CURLOPT_PINNEDPUBLICKEY for curl_easy_setopt(). Extract a public RSA key from a website like so: openssl s_client -connect google.com:443 2>&1 < /dev/null | \ sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -pubkey \ | openssl rsa -pubin -outform DER > google.com.der
2014-09-10openssl: build fix for versions < 0.9.8ePaul Howarth
Bug: http://curl.haxx.se/mail/lib-2014-09/0064.html
2014-08-22openssl.c: Fixed longer than 79 columnsSteve Holme
2014-08-21openssl.c: Fixed compilation warningSteve Holme
warning: declaration of 'minor' shadows a global declaration
2014-08-13openssl: fix version report for the 0.9.8 branchJose Alf
Fixed libcurl to correctly output the newer versions of OpenSSL 0.9.8, starting from openssl-0.9.8za.
2014-08-07openssl: replace call to OPENSSL_configDaniel Stenberg
OPENSSL_config() is "strongly recommended" to use but unfortunately that function makes an exit() call on wrongly formatted config files which makes it hard to use in some situations. OPENSSL_config() itself calls CONF_modules_load_file() and we use that instead and we ignore its return code! Reported-by: Jan Ehrhardt Bug: http://curl.haxx.se/bug/view.cgi?id=1401
2014-08-05Curl_ossl_version: adapted to detect BoringSSLDaniel Stenberg
This seems to be the way it should work. Right now we can't build with BoringSSL and try this out properly due to a minor API breakage.
2014-08-04Curl_ossl_version: detect and show libresslDaniel Stenberg
LibreSSL is otherwise OpenSSL API compliant (so far)
2014-08-01openssl: make ossl_send return CURLE_OK betterDaniel Stenberg
Previously it only returned a CURLcode for errors, which is when it returns a different size than what was passed in to it. The http2 code only checked the curlcode and thus failed.
2014-07-30vtls: make the random function mandatory in the TLS backendDaniel Stenberg
To force each backend implementation to really attempt to provide proper random. If a proper random function is missing, then we can explicitly make use of the default one we use when TLS support is missing. This commit makes sure it works for darwinssl, gnutls, nss and openssl.
2014-06-03Curl_ossl_init: call OPENSSL_config for initing enginesDaniel Stenberg
Bug: http://curl.haxx.se/mail/lib-2014-06/0003.html Reported-by: Дмитрий Фалько
2014-05-23openssl: Fix uninitialized variable use in NPN callbackTatsuhiro Tsujikawa
OpenSSL passes out and outlen variable uninitialized to select_next_proto_cb callback function. If the callback function returns SSL_TLSEXT_ERR_OK, the caller assumes the callback filled values in out and outlen and processes as such. Previously, if there is no overlap in protocol lists, curl code does not fill any values in these variables and returns SSL_TLSEXT_ERR_OK, which means we are triggering undefined behavior. valgrind warns this. This patch fixes this issue by fallback to HTTP/1.1 if there is no overlap.
2014-05-15CURLINFO_SSL_VERIFYRESULT: assign at first connect callDaniel Stenberg
The variable wasn't assigned at all until step3 which would lead to a failed connect never assigning the variable and thus returning a bad value. Reported-by: Larry Lin Bug: http://curl.haxx.se/mail/lib-2014-04/0203.html
2014-05-12openssl: unbreak PKCS12 supportDaniel Stenberg
Regression introduced in ce362e8eb9c (7.31.0) Bug: http://curl.haxx.se/bug/view.cgi?id=1371 Reported-by: Dmitry
2014-05-04openssl: biomem->data is not zero terminatedDaniel Stenberg
So printf(%s) on it or reading before bounds checking is wrong, fixing it. Could previously lead to reading out of boundary. Reported-by: Török Edwin
2014-04-03http2+openssl: fix compiler warnings in ALPN using codeDaniel Stenberg
2014-03-31http2: let openssl mention the exact protocol negotiatedDaniel Stenberg
Remove a superfluous "negotiated http2" info line
2014-03-31http2: remove _DRAFT09 from the NPN_HTTP2 enumDaniel Stenberg
We're progressing throught drafts so there's no point in having a fixed one in a symbol that'll survive.
2014-03-10openssl: info massage with SSL version usedDaniel Stenberg
Patch-by: byte_bucket
2014-02-11openssl: honor --[no-]alpn|npn command line switchFabian Frank
Disable ALPN or NPN if requested by the user.
2014-02-04gtls: add ALPN supportFabian Frank
Add ALPN support when using GnuTLS >= 3.2.0. This allows libcurl to negotiate HTTP/2.0 for https connections when built with GnuTLS. See: http://www.gnutls.org/manual/gnutls.html#Application-Layer-Protocol-Negotiation-_0028ALPN_0029 http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04
2014-02-03openssl: add ALPN supportFabian Frank
Add ALPN support when using OpenSSL. This will offer ALPN and NPN to the server, who can respond with either one or none of the two. OpenSSL >= 1.0.2 is required, which means as of today obtaining a snapshot from ftp://ftp.openssl.org/snapshot/. See: http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04 https://github.com/openssl/openssl/blob/ba168244a14bbd056e502d7daa04cae4aabe9d0d/ssl/ssl_lib.c#L1787
2014-01-30http2-openssl: verify that NPN functionality is presentDaniel Stenberg
2014-01-30openssl: set up hooks with to perform NPNFabian Frank
NPN is what is available in the wild today to negotiate SPDY or HTTP/2.0 connections. It is expected to be replaced by ALPN in the future. If HTTP/2.0 is negotiated, this is indicated for the entire connection and http.c is expected to initialize itself for HTTP/2.0 instead of HTTP/1.1. see: http://technotes.googlecode.com/git/nextprotoneg.html http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04
2014-01-12OpenSSL: deselect weak ciphers by defaultDaniel Stenberg
By default even recent versions of OpenSSL support and accept both "export strength" ciphers, small-bitsize ciphers as well as downright deprecated ones. This change sets a default cipher set that avoids the worst ciphers, and subsequently makes https://www.howsmyssl.com/a/check no longer grade curl/OpenSSL connects as 'Bad'. Bug: http://curl.haxx.se/bug/view.cgi?id=1323 Reported-by: Jeff Hodges