Age | Commit message (Collapse) | Author |
|
sk_X509_pop will decrease the size of the stack which means that the loop would
end after having added only half of the certificates.
Also make sure that the X509 certificate is freed in case
SSL_CTX_add_extra_chain_cert fails.
|
|
- Change algorithm init to happen after OpenSSL config load.
Additional algorithms may be available due to the user's config so we
initialize the algorithms after the user's config is loaded.
Bug: https://github.com/bagder/curl/issues/447
Reported-by: Denis Feklushkin
|
|
Add a "pinnedpubkey" section to the "Server Certificate" verbose
Bug: https://github.com/bagder/curl/issues/410
Reported-by: W. Mark Kubacki
Closes #430
Closes #410
|
|
|
|
Fixes #427
|
|
... without sha256 support and no define saying so.
Reported-by: Rajkumar Mandal
|
|
If strict certificate checking is disabled (CURLOPT_SSL_VERIFYPEER
and CURLOPT_SSL_VERIFYHOST are disabled) do not fail if the server
doesn't present a certificate at all.
Closes #392
|
|
MSVC 12 complains:
lib\vtls\openssl.c(1554): warning C4701: potentially uninitialized local
variable 'verstr' used It's a false positive, but as it's normally not,
I have enabled warning-as-error for that warning.
|
|
setup-vms.h: More symbols for SHA256, hacks for older VAX
openssl.h: Use OpenSSL OPENSSL_NO_SHA256 macro to allow building on VAX.
openssl.c: Use OpenSSL version checks and OPENSSL_NO_SHA256 macro to
allow building on VAX and 64 bit VMS.
|
|
|
|
Make sure that the error buffer is always initialized and simplify the
use of it to make the logic easier.
Bug: https://github.com/bagder/curl/issues/318
Reported-by: sneis
|
|
OPENSSL_load_builtin_modules does not exist in BoringSSL. Regression
from cae43a1
|
|
The symbol SSL3_MT_NEWSESSION_TICKET appears to have been introduced at
around openssl 0.9.8f, and the use of it in lib/vtls/openssl.c breaks
builds with older openssls (certainly with 0.9.8b, which is the latest
older version I have to try with).
|
|
Although OpenSSL 1.1.0+ deprecated SSLv23_client_method in favor of
TLS_client_method LibreSSL and BoringSSL didn't and still use
SSLv23_client_method.
Bug: https://github.com/bagder/curl/commit/49a6642#commitcomment-11578009
Reported-by: asavah@users.noreply.github.com
|
|
- Try building a chain using issuers in the trusted store first to avoid
problems with server-sent legacy intermediates.
Prior to this change server-sent legacy intermediates with missing
legacy issuers would cause verification to fail even if the client's CA
bundle contained a valid replacement for the intermediate and an
alternate chain could be constructed that would verify successfully.
https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
|
|
ERR_error_string_n() was introduced in 0.9.6, no need to #ifdef anymore
|
|
Code for OpenSSL 0.9.4 serves no purpose anymore!
|
|
It was present for OpenSSL 0.9.5 code but we only support 0.9.7 or
later.
|
|
The existing callback served no purpose.
|
|
- Change fopen calls to use FOPEN_READTEXT instead of "r" or "rt"
- Change fopen calls to use FOPEN_WRITETEXT instead of "w" or "wt"
This change is to explicitly specify when we need to read/write text.
Unfortunately 't' is not part of POSIX fopen so we can't specify it
directly. Instead we now have FOPEN_READTEXT, FOPEN_WRITETEXT.
Prior to this change we had an issue on Windows if an application that
uses libcurl overrides the default file mode to binary. The default file
mode in Windows is normally text mode (translation mode) and that's what
libcurl expects.
Bug: https://github.com/bagder/curl/pull/258#issuecomment-107093055
Reported-by: Orgad Shaneh
|
|
|
|
SSLv23_client_method is deprecated starting in OpenSSL 1.1.0. The
equivalent is TLS_client_method.
https://github.com/openssl/openssl/commit/13c9bb3#diff-708d3ae0f2c2973b272b811315381557
|
|
BoringSSL removed support for direct callers of SSL_CTX_callback_ctrl
and SSL_CTX_ctrl, so move to a way that should work on BoringSSL and
OpenSSL.
re #275
|
|
The symbol is fairly new.
Reported-by: Kamil Dudka
|
|
The OpenSSL trace callback is wonderfully undocumented but given a
journey in the source code, it seems the cases were ssl_ver is zero
doesn't follow the same pattern and thus turned out confusing and
misleading. For now, we skip doing any CURLINFO_TEXT logging on those
but keep sending them as CURLINFO_SSL_DATA_OUT/IN.
Also, I added direction to the text info and I edited some functions
slightly.
Bug: https://github.com/bagder/curl/issues/219
Reported-by: Jay Satiro, Ashish Shukla
|
|
To have engine modules work, we must tell openssl to load builtin
modules first.
Bug: https://github.com/bagder/curl/pull/206
|
|
The code extracting the cert serial number was broken and didn't display
it properly.
Bug: https://github.com/bagder/curl/issues/235
Reported-by: dkjjr89
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This header file must be included after all header files except
memdebug.h, as it does similar memory function redefinitions and can be
similarly affected by conflicting definitions in system or dependent
library headers.
|
|
I tested with libressl git master now (v2.1.4-27-g34bf96c) and it seems to
still require the work-around for stapling to work.
|
|
URL: http://curl.haxx.se/mail/lib-2015-03/0205.html
Reported-by: Alessandro Ghedini
|
|
|
|
|
|
|
|
|
|
|
|
Since they already exist and will make comparing easier
|
|
|
|
SSLeay was the name of the library that was subsequently turned into
OpenSSL many moons ago (1999). curl does not work with the old SSLeay
library since years. This is now reflected by only using USE_OPENSSL in
code that depends on OpenSSL.
|
|
No need to use _MPRINTF_REPLACE internally.
|
|
lib/vtls/openssl.c:1450:7: warning: extra tokens at end of #endif directive
|
|
For consistency with other conditionally compiled code in openssl.c,
use OPENSSL_IS_BORINGSSL rather than HAVE_BORINGSSL and try to use
HAVE_BORINGSSL outside of openssl.c when the OpenSSL header files are
not included.
|
|
Versions of OpenSSL prior to v0.9.8h do not support the necessary
functions for OCSP stapling.
|
|
The struct went private in 1.0.2 so we cannot read the version number
from there anymore. Use SSL_version() instead!
Reported-by: Gisle Vanem
Bug: http://curl.haxx.se/mail/lib-2015-02/0034.html
|
|
Modified the Curl_ossl_cert_status_request() function to return FALSE
when built with BoringSSL or when OpenSSL is missing the necessary TLS
extensions.
|