aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls
AgeCommit message (Collapse)Author
2015-03-12openssl: sort the ciphers on strengthDaniel Stenberg
This makes curl pick better (stronger) ciphers by default. The strongest available ciphers are fine according to the HTTP/2 spec so an OpenSSL built curl is no longer rejected by string HTTP/2 servers. Bug: http://curl.haxx.se/bug/view.cgi?id=1487
2015-03-12openssl: show the cipher selection to useDaniel Stenberg
2015-03-10gtls: correctly align certificate status verification messagesAlessandro Ghedini
2015-03-10gtls: don't print double newline after certificate datesAlessandro Ghedini
2015-03-10gtls: print negotiated TLS version and full cipher suite nameAlessandro Ghedini
Instead of priting cipher and MAC algorithms names separately, print the whole cipher suite string which also includes the key exchange algorithm, along with the negotiated TLS version.
2015-03-10gtls: fix compiler warningsDaniel Stenberg
2015-03-10gtls: add support for CURLOPT_CAPATHAlessandro Ghedini
2015-03-07http2: use CURL_HTTP_VERSION_* symbols instead of NPN_*Daniel Stenberg
Since they already exist and will make comparing easier
2015-03-07polarssl: make it possible to enable ALPN/NPN without HTTP2Alessandro Ghedini
2015-03-07nss: make it possible to enable ALPN/NPN without HTTP2Alessandro Ghedini
2015-03-07gtls: make it possible to enable ALPN/NPN without HTTP2Alessandro Ghedini
2015-03-07openssl: make it possible to enable ALPN/NPN without HTTP2Alessandro Ghedini
2015-03-05openssl: remove all uses of USE_SSLEAYDaniel Stenberg
SSLeay was the name of the library that was subsequently turned into OpenSSL many moons ago (1999). curl does not work with the old SSLeay library since years. This is now reflected by only using USE_OPENSSL in code that depends on OpenSSL.
2015-03-03vtls: use curl_printf.h all overDaniel Stenberg
No need to use _MPRINTF_REPLACE internally.
2015-02-25nss: do not skip Curl_nss_seed() if data is NULLKamil Dudka
In that case, we only skip writing the error message for failed NSS initialization (while still returning the correct error code).
2015-02-25nss: improve error handling in Curl_nss_random()Kamil Dudka
The vtls layer now checks the return value, so it is no longer necessary to abort if a random number cannot be provided by NSS. This also fixes the following Coverity report: Error: FORWARD_NULL (CWE-476): lib/vtls/nss.c:1918: var_compare_op: Comparing "data" to null implies that "data" might be null. lib/vtls/nss.c:1923: var_deref_model: Passing null pointer "data" to "Curl_failf", which dereferences it. lib/sendf.c:154:3: deref_parm: Directly dereferencing parameter "data".
2015-02-19nss: fix NPN/ALPN protocol negotiationAlessandro Ghedini
Correctly check for memcmp() return value (it returns 0 if the strings match). This is not really important, since curl is going to use http/1.1 anyway, but it's still a bug I guess.
2015-02-19polarssl: fix ALPN protocol negotiationAlessandro Ghedini
Correctly check for strncmp() return value (it returns 0 if the strings match).
2015-02-19gtls: fix build with HTTP2Alessandro Ghedini
2015-02-15By request, change the name of "curl_darwinssl.[ch]" to "darwinssl.[ch]"Nick Zitzmann
2015-02-12openssl: fix a compile-time warningKamil Dudka
lib/vtls/openssl.c:1450:7: warning: extra tokens at end of #endif directive
2015-02-11openssl: Use OPENSSL_IS_BORINGSSL for BoringSSL detectionSteve Holme
For consistency with other conditionally compiled code in openssl.c, use OPENSSL_IS_BORINGSSL rather than HAVE_BORINGSSL and try to use HAVE_BORINGSSL outside of openssl.c when the OpenSSL header files are not included.
2015-02-09openssl: Disable OCSP in old versions of OpenSSLSteve Holme
Versions of OpenSSL prior to v0.9.8h do not support the necessary functions for OCSP stapling.
2015-02-09polarssl: Fix exclusive SSL protocol version optionsJay Satiro
Prior to this change the options for exclusive SSL protocol versions did not actually set the protocol exclusive. http://curl.haxx.se/mail/lib-2015-01/0002.html Reported-by: Dan Fandrich
2015-02-09gskit: Fix exclusive SSLv3 optionJay Satiro
2015-02-07schannel: Removed curl_ prefix from source filesSteve Holme
Removed the curl_ prefix from the schannel source files as discussed with Marc and Daniel at FOSDEM.
2015-02-06axtls: fix conversion from size_t to int warningDaniel Stenberg
2015-02-05openssl: SSL_SESSION->ssl_version no longer existDaniel Stenberg
The struct went private in 1.0.2 so we cannot read the version number from there anymore. Use SSL_version() instead! Reported-by: Gisle Vanem Bug: http://curl.haxx.se/mail/lib-2015-02/0034.html
2015-02-04schannel: Prefer 'CURLcode result' for curl result codesSteve Holme
2015-01-31TODO: moved WinSSL/SChannel todo items into docsMarc Hoersken
2015-01-27openssl: Fixed Curl_ossl_cert_status_request() not returning FALSESteve Holme
Modified the Curl_ossl_cert_status_request() function to return FALSE when built with BoringSSL or when OpenSSL is missing the necessary TLS extensions.
2015-01-27openssl: Fixed compilation errors when OpenSSL built with 'no-tlsext'Steve Holme
Fixed the build of openssl.c when OpenSSL is built without the necessary TLS extensions for OCSP stapling. Reported-by: John E. Malmberg
2015-01-22OCSP stapling: disabled when build with BoringSSLDaniel Stenberg
2015-01-22openssl: add support for the Certificate Status Request TLS extensionAlessandro Ghedini
Also known as "status_request" or OCSP stapling, defined in RFC6066 section 8. Thanks-to: Joe Mason - for the work-around for the OpenSSL bug.
2015-01-22BoringSSL: no PKCS12 support nor ERR_remove_stateDaniel Stenberg
2015-01-22BoringSSL: fix buildLeith Bade
2015-01-19openssl: do public key pinning check independentlyDaniel Stenberg
... of the other cert verification checks so that you can set verifyhost and verifypeer to FALSE and still check the public key. Bug: http://curl.haxx.se/bug/view.cgi?id=1471 Reported-by: Kyle J. McKay
2015-01-17gskit.h: Code policing of function pointer argumentsSteve Holme
2015-01-17vtls: Removed unimplemented overrides of curlssl_close_all()Steve Holme
Carrying on from commit 037cd0d991, removed the following unimplemented instances of curlssl_close_all(): Curl_axtls_close_all() Curl_darwinssl_close_all() Curl_cyassl_close_all() Curl_gskit_close_all() Curl_gtls_close_all() Curl_nss_close_all() Curl_polarssl_close_all()
2015-01-17vtls: Separate the SSL backend definition from the API setupSteve Holme
Slight code cleanup as the SSL backend #define is mixed up with the API function setup.
2015-01-17vtls: Fixed compilation errors when SSL not usedSteve Holme
Fixed the following warning and error from commit 3af90a6e19 when SSL is not being used: url.c:2004: warning C4013: 'Curl_ssl_cert_status_request' undefined; assuming extern returning int error LNK2019: unresolved external symbol Curl_ssl_cert_status_request referenced in function Curl_setopt
2015-01-16copyright years: after OCSP stapling changesDaniel Stenberg
2015-01-16nss: add support for the Certificate Status Request TLS extensionAlessandro Ghedini
Also known as "status_request" or OCSP stapling, defined in RFC6066 section 8. This requires NSS 3.15 or higher.
2015-01-16gtls: add support for the Certificate Status Request TLS extensionAlessandro Ghedini
Also known as "status_request" or OCSP stapling, defined in RFC6066 section 8. This requires GnuTLS 3.1.3 or higher to build, however it's recommended to use at least GnuTLS 3.3.11 since previous versions had a bug that caused the OCSP response verfication to fail even on valid responses.
2015-01-16url: add CURLOPT_SSL_VERIFYSTATUS optionAlessandro Ghedini
This option can be used to enable/disable certificate status verification using the "Certificate Status Request" TLS extension defined in RFC6066 section 8. This also adds the CURLE_SSL_INVALIDCERTSTATUS error, to be used when the certificate status verification fails, and the Curl_ssl_cert_status_request() function, used to check whether the SSL backend supports the status_request extension.
2015-01-12curl_schannel.c: mark session as removed from cache if not freedMarc Hoersken
If the session is still used by active SSL/TLS connections, it cannot be closed yet. Thus we mark the session as not being cached any longer so that the reference counting mechanism in Curl_schannel_shutdown is used to close and free the session. Reported-by: Jean-Francois Durand
2015-01-09NSS: fix compiler error when built http2-enabledDaniel Stenberg
2015-01-07darwinssl: fix session ID keys to only reuse identical sessionsDaniel Stenberg
...to avoid a session ID getting cached without certificate checking and then after a subsequent _enabling_ of the check libcurl could still re-use the session done without cert checks. Bug: http://curl.haxx.se/docs/adv_20150108A.html Reported-by: Marc Hesse
2014-12-30vtls: Use '(void) arg' for unused parametersSteve Holme
Prefer void for unused parameters, rather than assigning an argument to itself as a) unintelligent compilers won't optimize it out, b) it can't be used for const parameters, c) it will cause compilation warnings for clang with -Wself-assign and d) is inconsistent with other areas of the curl source code.
2014-12-30schannel: Moved the ISC return flag definitions to the SSPI moduleSteve Holme
Moved our Initialize Security Context return attribute definitions to the SSPI module, as a) these can be used by other SSPI based providers and b) the ISC required attributes are defined there.