Age | Commit message (Collapse) | Author |
|
Closes #3823
Closes #3776
|
|
As soon as a TLS backend gets ALPN conformation about the specific HTTP
version it can now set the multiplex situation for the "bundle" and
trigger moving potentially queued up transfers to the CONNECT state.
|
|
Closes #3808
|
|
Without this, detecting and avoid reusing a closed TLS connection
(without a previous GOAWAY) when doing HTTP/2 is tricky.
Reported-by: Tom van der Woerdt
Fixes #3750
Closes #3763
|
|
- remove unused variables
- declare conditionally used variables conditionally
- suppress unused variable warnings in the CMake tests
- remove dead variable stores
- consistently use WIN32 macro to detect Windows
Closes https://github.com/curl/curl/pull/3739
|
|
Make functions no-ops if neither both USE_THREADS_POSIX and
HAVE_PTHREAD_H nor both USE_THREADS_WIN32 and HAVE_PROCESS_H are
defined. Previously, if only one of them was defined, there was either
code compiled that did nothing useful or the wrong header included for
the functions used.
Also, move POLARSSL_MUTEX_T define to implementation file as it's not
used externally.
Closes https://github.com/curl/curl/pull/3739
|
|
Fixes #3692
Closes #3692
|
|
Reported-by: nianxuejie on github
Assisted-by: Nick Zitzmann
Assisted-by: Jay Satiro
Fixes #3689
Closes #3690
|
|
AmiSSL is an Amiga native library which provides a wrapper over OpenSSL.
It also requires all programs using it to use bsdsocket.library
directly, rather than accessing socket functions through clib, which
libcurl was not necessarily doing previously. Configure will now check
for the headers and ensure they are included if found.
Closes #3677
|
|
... in the SSL structure as AmiSSL is using macros for the socket API
functions.
|
|
It has been deprecated by GnuTLS since a year ago and now causes build
warnings.
Ref: https://gitlab.com/gnutls/gnutls/commit/b0041897d2846737f5fb0f
Docs: https://www.gnutls.org/manual/html_node/Compatibility-API.html
Closes #3636
|
|
Everyone calls it Secure Transport, now we do too.
Reviewed-by: Nick Zitzmann
Closes #3619
|
|
Instead of using a fixed 256 byte buffer in the connectdata struct.
In my build, this reduces the size of the connectdata struct by 11.8%,
from 2160 to 1904 bytes with no functionality or performance loss.
This also fixes a bug in schannel's Curl_verify_certificate where it
called Curl_sspi_strerror when it should have called Curl_strerror for
string from GetLastError. the only effect would have been no text or the
wrong text being shown for the error.
Co-authored-by: Jay Satiro
Closes #3612
|
|
Closes #3591
|
|
Add support for Ephemeral elliptic curve Diffie-Hellman key exchange
algorithm option when selecting ciphers. This became available on the
Win10 SDK.
Closes https://github.com/curl/curl/pull/3608
|
|
since wolfSSL PR https://github.com/wolfSSL/wolfssl/pull/717 (shipped in
wolfSSL 3.10.2 and later) it sends these curves by default already.
Pointed-out-by: David Garske
Closes #3599
|
|
If mbedtls_ssl_get_session() fails, it may still have allocated
memory that needs to be freed to avoid leaking. Call the library
API function to release session resources on this errorpath as
well as on Curl_ssl_addsessionid() errors.
Closes: #3574
Reported-by: Michał Antoniak <M.Antoniak@posnet.com>
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
|
|
Follow-up to 84c10dc from earlier today which wrapped a lot of the noisy
debug output in DEBUGF but omitted a few lines.
Ref: https://github.com/curl/curl/commit/84c10dc#r32292900
|
|
Convert numerous infof() calls into debug-build only messages since they
are annoyingly verbose for regular applications. Removed a few.
Bug: https://curl.haxx.se/mail/lib-2019-02/0027.html
Reported-by: Volker Schmid
Closes #3552
|
|
Reported-by: MAntoniak on github
Fixes #3553
Closes #3556
|
|
- Fix potential crashes in schannel shutdown.
Ensure any TLS shutdown messages are sent before removing the
association between the connection and the easy handle. Reverts
@bagder's previous partial fix for #3412.
Fixes https://github.com/curl/curl/issues/3412
Fixes https://github.com/curl/curl/issues/3505
Closes https://github.com/curl/curl/pull/3531
|
|
Attempt to add support for Secure Channel binding when negotiate
authentication is used. The problem to solve is that by default IIS
accepts channel binding and curl doesn't utilise them. The result was a
401 response. Scope affects only the Schannel(winssl)-SSPI combination.
Fixes https://github.com/curl/curl/issues/3503
Closes https://github.com/curl/curl/pull/3509
|
|
Stick to "Schannel" everywhere. The configure option --with-winssl is
kept to allow existing builds to work but --with-schannel is added as an
alias.
Closes #3504
|
|
Fixes #3480
Closes #3487
|
|
Windows extended potection (aka ssl channel binding) is required
to login to ntlm IIS endpoint, otherwise the server returns 401
responses.
Fixes #3280
Closes #3321
|
|
Reported-by: Marcel Raad
Fixes #3412
Closes #3483
|
|
.... to not pass in a const in the second argument as that's not how it
is supposed to be used and might cause compiler warnings.
Reported-by: Pavel Pavlov
Fixes #3477
Closes #3478
|
|
OpenSSL_version() replaces OpenSSL_version_num()
Closes #3462
|
|
When building with Unicode on MSVC, the compiler warns about freeing a
pointer to const in Curl_unicodefree. Fix this by declaring it as
non-const and casting the argument to Curl_convert_UTF8_to_tchar to
non-const too, like we do in all other places.
Closes https://github.com/curl/curl/pull/3435
|
|
Closes #3426
|
|
This adds a cleanup callback for cyassl. Resolves possible memory leak
when using ECC fixed point cache.
Closes #3395
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
|
|
Fix-by: Eric Rosenquist
Fixes #3376
Closes #3390
|
|
Previously, VERIFYPEER would enable/disable all checks.
Reported-by: Eric Rosenquist
Fixes #3376
Closes #3380
|
|
Reported-by: Andrei Neculau
Fixes #3367
Closes #3373
|
|
URL: https://curl.haxx.se/mail/lib-2018-11/0055.html
Closes #3347
|
|
It is allowed to call that function with id set to -1, specifying the
backend by the name instead. We should imitate what is done further down
in that function to allow for that.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Closes #3346
|
|
Moves the file handling BIO calls to the branch of the code where they
are actually used.
Closes #3339
|
|
|
|
Use descriptive text strings rather than decimal numbers.
|
|
NSS may be built without support for the latest SSL/TLS versions,
leading to "SSL version range is not valid" errors when the library
code supports a recent version (e.g. TLS v1.3) but it has explicitly
been disabled.
This change adjusts the maximum SSL version requested by libcurl to
be the maximum supported version at runtime, as long as that version
is at least as high as the minimum version required by libcurl.
Fixes #3261
|
|
The function does not return the same value as snprintf() normally does,
so readers may be mislead into thinking the code works differently than
it actually does. A different function name makes this easier to detect.
Reported-by: Tomas Hoger
Assisted-by: Daniel Gustafsson
Fixes #3296
Closes #3297
|
|
Session resumption information is not available immediately after a TLS 1.3
handshake. The client must wait until the server has sent a session ticket.
Use OpenSSL's "new session" callback to get the session information and put it
into curl's session cache. For TLS 1.3 sessions, this callback will be invoked
after the server has sent a session ticket.
The "new session" callback is invoked only if OpenSSL's session cache is
enabled, so enable it and use the "external storage" mode which lets curl manage
the contents of the session cache.
A pointer to the connection data and the sockindex are now saved as "SSL extra
data" to make them available to the callback.
This approach also works for old SSL/TLS versions and old OpenSSL versions.
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Fixes #3202
Closes #3271
|
|
- ENGINE_cleanup() was used without including "openssl/engine.h"
- enable engine support for OpenSSL 0.9.7
Closes #3266
|
|
Since we're close to feature freeze, this change disables this feature
with an #ifdef. Define ALLOW_RENEG at build-time to enable.
This could be converted to a bit for CURLOPT_SSL_OPTIONS to let
applications opt-in this.
Concern-raised-by: David Benjamin
Fixes #3283
Closes #3293
|
|
Closes #3291
|
|
The SSL_CTX_set_msg_callback callback is not just called for the
Handshake or Alert protocols, but also for the raw record header
(SSL3_RT_HEADER) and the decrypted inner record type
(SSL3_RT_INNER_CONTENT_TYPE). Be sure to ignore the latter to avoid
excess debug spam when using `curl -v` against a TLSv1.3-enabled server:
* TLSv1.3 (IN), TLS app data, [no content] (0):
(Following this message, another callback for the decrypted
handshake/alert messages will be be present anyway.)
Closes https://github.com/curl/curl/pull/3281
|
|
Closes #3262
|
|
Fixes #3261
|
|
|
|
As per BoringSSL porting documentation [1], BoringSSL rejects peer
renegotiations by default.
curl fails when trying to authenticate to server through client
certificate if it is requested by server after the initial TLS
handshake.
Enable renegotiation by default with BoringSSL to get same behavior as
with OpenSSL. This is done by calling SSL_set_renegotiate_mode [2]
which was introduced in commit 1d5ef3bb1eb9 [3].
1 - https://boringssl.googlesource.com/boringssl/+/HEAD/PORTING.md#tls-renegotiation
2 - https://boringssl.googlesource.com/boringssl/+/master/include/openssl/ssl.h#3482
3 - https://boringssl.googlesource.com/boringssl/+/1d5ef3bb1eb97848617db5e7d633d735a401df86
Signed-off-by: Jérémy Rocher <rocher.jeremy@gmail.com>
Fixes #3258
Closes #3259
|