aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls
AgeCommit message (Collapse)Author
2014-12-21openssl: warn for SRP set if SSLv3 is used, not for TLS versionDaniel Stenberg
... as it requires TLS and it was was left to warn on the default from when default was SSL...
2014-12-15darwinssl: fix incorrect usage of aprintf()Nick Zitzmann
Commit b13923f changed an snprintf() to use aprintf(), but the API usage wasn't correct, and was causing a crash to occur. This fixes it.
2014-12-14darwinssl: aprintf() to allocate the session keyDaniel Stenberg
... to avoid using a fixed memory size that risks being too large or too small.
2014-12-14curl_schannel: Improvements to memory re-allocation strategyMarc Hoersken
- do not grow memory by doubling its size - do not leak previously allocated memory if reallocation fails - replace while-loop with a single check to make sure that the requested amount of data fits into the buffer Bug: http://curl.haxx.se/bug/view.cgi?id=1450 Reported-by: Warren Menzer
2014-12-14curl_schannel.c: Data may be available before connection shutdownMarc Hoersken
2014-12-09schannel_recv: return the correct codeDaniel Stenberg
Bug: http://curl.haxx.se/bug/view.cgi?id=1462 Reported-by: Tae Hyoung Ahn
2014-12-09http2: avoid logging neg "failure" if h2 was not requestedDaniel Stenberg
2014-12-03NSS: enable the CAPATH optionDaniel Stenberg
Bug: http://curl.haxx.se/bug/view.cgi?id=1457 Patch-by: Tomasz Kojm
2014-11-24SSL: Add PEM format support for public key pinningmoparisthebest
2014-11-09vtls.h: Fixed compiler warning when compiled without SSLSteve Holme
vtls.c:185:46: warning: unused parameter 'data'
2014-11-04SSL: PolarSSL default min SSL version TLS 1.0Jay Satiro
- Prior to this change no SSL minimum version was set by default at runtime for PolarSSL. Therefore in most cases PolarSSL would probably have defaulted to a minimum version of SSLv3 which is no longer secure.
2014-11-02openssl: Use 'CURLcode result'Steve Holme
More CURLcode fixes.
2014-11-01openssl: Use 'CURLcode result'Steve Holme
More standardisation of CURLcode usage and coding style.
2014-11-01openssl: Use 'CURLcode result'Steve Holme
...and some minor code style changes.
2014-10-30code cleanup: Use 'CURLcode result'Steve Holme
2014-10-29openssl: enable NPN separately from ALPNDaniel Stenberg
... and allow building with nghttp2 but completely without NPN and ALPN, as nghttp2 can still be used for plain-text HTTP. Reported-by: Lucas Pardue
2014-10-29vtls.c: Fixed compilation warningSteve Holme
conversion from 'size_t' to 'unsigned int', possible loss of data
2014-10-29nss: drop the code for libcurl-level downgrade to SSLv3Kamil Dudka
This code was already deactivated by commit ec783dc142129d3860e542b443caaa78a6172d56.
2014-10-29openssl: fix a line length warningKamil Dudka
2014-10-29Fixed error message since we require ALPN support.Guenter Knauf
2014-10-29Check for ALPN via OpenSSL version number.Guenter Knauf
This check works also with to non-configure platforms.
2014-10-24darwinssl: detect possible future removal of SSLv3 from the frameworkNick Zitzmann
If Apple ever drops SSLv3 support from the Security framework, we'll fail with an error if the user insists on using SSLv3.
2014-10-24gskit.c: remove SSLv3 from SSL default.Patrick Monnerat
2014-10-24gskit.c: use 'CURLcode result'Patrick Monnerat
2014-10-24SSL: Remove SSLv3 from SSL default due to POODLE attackJay Satiro
- Remove SSLv3 from SSL default in darwinssl, schannel, cyassl, nss, openssl effectively making the default TLS 1.x. axTLS is not affected since it supports only TLS, and gnutls is not affected since it already defaults to TLS 1.x. - Update CURLOPT_SSLVERSION doc
2014-10-24code cleanup: we prefer 'CURLcode result'Daniel Stenberg
... for the local variable name in functions holding the return code. Using the same name universally makes code easier to read and follow. Also, unify code for checking for CURLcode errors with: if(result) or if(!result) instead of if(result == CURLE_OK), if(CURLE_OK == result) or if(result != CURLE_OK)
2014-10-23gnutls: removed dead codeDaniel Stenberg
Bug: http://curl.haxx.se/bug/view.cgi?id=1437 Reported-by: Julien
2014-10-23Curl_rand: Uninitialized variable: rDaniel Stenberg
This is not actually used uninitialized but we silence warnings. Bug: http://curl.haxx.se/bug/view.cgi?id=1437 Reported-by: Julien
2014-10-20nss: reset SSL handshake state machineKamil Dudka
... when the handshake succeeds This fixes a connection failure when FTPS handle is reused.
2014-10-14Implement pinned public key in GSKit backendPatrick Monnerat
2014-10-13pinning: minor code style policingDaniel Stenberg
2014-10-13Factorize pinned public key code into generic file handling and backend specificPatrick Monnerat
2014-10-13vtls: remove QsoSSLPatrick Monnerat
2014-10-13gskit: supply dummy randomization functionPatrick Monnerat
2014-10-13vtls/*: deprecate have_curlssl_md5sum and set-up default md5sum implementationPatrick Monnerat
2014-10-09vtls: have vtls.h include the backend header filesDaniel Stenberg
It turned out some features were not enabled in the build since for example url.c #ifdefs on features that are defined on a per-backend basis but vtls.h didn't include the backend headers. CURLOPT_CERTINFO was one such feature that was accidentally disabled.
2014-10-08nss: do not fail if a CRL is already cachedKamil Dudka
This fixes a copy-paste mistake from commit 2968f957.
2014-10-07GnuTLS: Implement public key pinningmoparisthebest
2014-10-07SSL: implement public key pinningmoparisthebest
Option --pinnedpubkey takes a path to a public key in DER format and only connect if it matches (currently only implemented with OpenSSL). Provides CURLOPT_PINNEDPUBLICKEY for curl_easy_setopt(). Extract a public RSA key from a website like so: openssl s_client -connect google.com:443 2>&1 < /dev/null | \ sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -pubkey \ | openssl rsa -pubin -outform DER > google.com.der
2014-10-04curl_schannel.c: Fixed possible memory or handle leakMarc Hoersken
First try to fix possible memory leaks, in this case: Only connssl->ctxt xor onnssl->cred being initialized.
2014-09-13curlssl: make tls backend symbols use curlssl in the nameDaniel Stenberg
2014-09-13url: let the backend decide CURLOPT_SSL_CTX_ supportDaniel Stenberg
... to further remove specific TLS backend knowledge from url.c
2014-09-13vtls: have the backend tell if it supports CERTINFODaniel Stenberg
2014-09-13CURLOPT_CAPATH: return failure if set without backend supportDaniel Stenberg
2014-09-10openssl: build fix for versions < 0.9.8ePaul Howarth
Bug: http://curl.haxx.se/mail/lib-2014-09/0064.html
2014-09-08polarassl: avoid memset() when clearing the first byte is enoughDaniel Stenberg
2014-09-08polarssl: support CURLOPT_CAPATH / --capathCatalin Patulea
Signed-off-by: Catalin Patulea <cat@vv.carleton.ca>
2014-09-04darwinssl: Use CopyCertSubject() to check CA cert.Vilmos Nebehaj
SecCertificateCopyPublicKey() is not available on iPhone. Use CopyCertSubject() instead to see if the certificate returned by SecCertificateCreateWithData() is valid. Reported-by: Toby Peterson
2014-09-01polarssl: implement CURLOPT_SSLVERSIONAndre Heinecke
Forwards the setting as minimum ssl version (if set) to polarssl. If the server does not support the requested version the SSL Handshake will fail. Bug: http://curl.haxx.se/bug/view.cgi?id=1419
2014-09-01Check CA certificate in curl_darwinssl.c.Vilmos Nebehaj
SecCertificateCreateWithData() returns a non-NULL SecCertificateRef even if the buffer holds an invalid or corrupt certificate. Call SecCertificateCopyPublicKey() to make sure cacert is a valid certificate.