aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls
AgeCommit message (Collapse)Author
2016-03-26schannel: Fixed compilation warning from commit f8d88a4913Steve Holme
warning C4244: '=': conversion from 'int' to 'unsigned short', possible loss of data
2016-03-24schannel: Add ALPN supportJDepooter
Add ALPN support for schannel. This allows cURL to negotiate HTTP/2.0 connections when built with schannel. Closes #724
2016-03-23openssl: boringssl provides the same numbering as opensslDaniel Stenberg
... so we don't need extra boringssl precautions for for HAVE_ERR_REMOVE_THREAD_STATE_NOARG. Pointed-out-by: David Benjamin
2016-03-23openssl: fix ERR_remove_thread_state() for boringssl/libresslDaniel Stenberg
The removed arg is only done in OpenSSL Bug: https://twitter.com/xtraemeat/status/712564874098917376
2016-03-20openssl: Fixed compilation warning when /Wall enabledSteve Holme
warning C4706: assignment within conditional expression
2016-03-19mbedtls: fix compiler warningDaniel Stenberg
vtls/mbedtls.h:67:36: warning: implicit declaration of function ‘mbedtls_sha256’ [-Wimplicit-function-declaration]
2016-03-17openssl: adapt to API breakage in ERR_remove_thread_state()Gisle Vanem
The OpenSSL API change that broke this is "Convert ERR_STATE to new multi-threading API": openssl commit 8509dcc. Closes #713
2016-03-17openssl: verbose: show matching SAN patternDaniel Stenberg
... to allow users to see which specfic wildcard that matched when such is used. Also minor logic cleanup to simplify the code, and I removed all tabs from verbose strings.
2016-03-08openssl: use the correct OpenSSL/BoringSSL/LibreSSL in messagesGisle Vanem
2016-03-05mbedtls: fix user-specified SSL protocol versionJay Satiro
Prior to this change when a single protocol CURL_SSLVERSION_ was specified by the user that version was set only as the minimum version but not as the maximum version as well.
2016-02-16openssl: use macro to guard the opaque EVP_PKEY branchViktor Szakats
2016-02-16openssl: avoid direct PKEY access with OpenSSL 1.1.0Viktor Szakats
by using API instead of accessing an internal structure. This is required starting OpenSSL 1.1.0-pre3. Closes #650
2016-02-13gtls: fix for builds lacking encrypted key file supportShine Fan
Bug: https://github.com/curl/curl/pull/651
2016-02-10nss: search slash in forward direction in dup_nickname()Kamil Dudka
It is wasteful to search it backwards if we look for _any_ slash.
2016-02-10nss: do not count enabled cipher-suitesKamil Dudka
We only care if at least one cipher-suite is enabled, so it does not make any sense to iterate till the end and count all enabled cipher-suites.
2016-02-10mbedtls.c: re-indent to better match curl standardsDaniel Stenberg
2016-02-09mbedtls: fix memory leak when destroying SSL connection dataRafael Antonio
Closes #626
2016-02-09mbedtls: fix ALPN usage segfaultDaniel Stenberg
Since we didn't keep the input argument around after having called mbedtls, it could end up accessing the wrong memory when figuring out the ALPN protocols. Closes #642
2016-02-09openssl: remove most BoringSSL #ifdefs.David Benjamin
As of https://boringssl-review.googlesource.com/#/c/6980/, almost all of BoringSSL #ifdefs in cURL should be unnecessary: - BoringSSL provides no-op stubs for compatibility which replaces most #ifdefs. - DES_set_odd_parity has been in BoringSSL for nearly a year now. Remove the compatibility codepath. - With a small tweak to an extend_key_56_to_64 call, the NTLM code builds fine. - Switch OCSP-related #ifdefs to the more generally useful OPENSSL_NO_OCSP. The only #ifdefs which remain are Curl_ossl_version and the #undefs to work around OpenSSL and wincrypt.h name conflicts. (BoringSSL leaves that to the consumer. The in-header workaround makes things sensitive to include order.) This change errs on the side of removing conditionals despite many of the restored codepaths being no-ops. (BoringSSL generally adds no-op compatibility stubs when possible. OPENSSL_VERSION_NUMBER #ifdefs are bad enough!) Closes #640
2016-02-08configure: --with-ca-fallback: use built-in TLS CA fallbackLudwig Nussel
When trying to verify a peer without having any root CA certificates set, this makes libcurl use the TLS library's built in default as fallback. Closes #569
2016-02-06openssl: Fix signed/unsigned mismatch warning in X509V3_extJay Satiro
sk_X509_EXTENSION_num may return an unsigned integer, however the value will fit in an int. Bug: https://github.com/curl/curl/commit/dd1b44c#commitcomment-15913896 Reported-by: Gisle Vanem
2016-02-04URLs: change more http to httpsViktor Szakats
2016-02-03URLs: change all http:// URLs to https://Daniel Stenberg
2016-01-18mbedtls: Fix pinned key return value on failJay Satiro
- Switch from verifying a pinned public key in a callback during the certificate verification to inline after the certificate verification. The callback method had three problems: 1. If a pinned public key didn't match, CURLE_SSL_PINNEDPUBKEYNOTMATCH was not returned. 2. If peer certificate verification was disabled the pinned key verification did not take place as it should. 3. (related to #2) If there was no certificate of depth 0 the callback would not have checked the pinned public key. Though all those problems could have been fixed it would have made the code more complex. Instead we now verify inline after the certificate verification in mbedtls_connect_step2. Ref: http://curl.haxx.se/mail/lib-2016-01/0047.html Ref: https://github.com/bagder/curl/pull/601
2016-01-14openssl: improved error detection/reportingDaniel Stenberg
... by extracting the LIB + REASON from the OpenSSL error code. OpenSSL 1.1.0+ returned a new func number of another cerfificate fail so this required a fix and this is the better way to catch this error anyway.
2016-01-14openssl: for 1.1.0+ they now provide a SSLeay() macro of their ownDaniel Stenberg
2016-01-10mbedtls: implement CURLOPT_PINNEDPUBLICKEYThomas Glanzmann
2016-01-07mbedtls: Fix ALPN supportJay Satiro
- Fix ALPN reply detection. - Wrap nghttp2 code in ifdef USE_NGHTTP2. Prior to this change ALPN and HTTP/2 did not work properly in mbedTLS.
2015-12-16cyassl: deal with lack of *get_peer_certificateDaniel Stenberg
The function is only present in wolfssl/cyassl if it was built with --enable-opensslextra. With these checks added, pinning support is disabled unless the TLS lib has that function available. Also fix the mistake in configure that checks for the wrong lib name. Closes #566
2015-12-16wolfssl: handle builds without SSLv3 supportDaniel Stenberg
2015-12-15cyassl: fix compiler warning on type conversionDaniel Stenberg
2015-12-14libressl: the latest openssl x509 funcs are not in libresslDaniel Stenberg
2015-12-13http: add libcurl option to allow HTTP/2 for HTTPS onlyDaniel Stenberg
... and stick to 1.1 for HTTP. This is in line with what browsers do and should have very little risk.
2015-12-10openssl: adapt to openssl >= 1.1.0 X509 opaque structsDaniel Stenberg
Closes #491
2015-12-10openssl: avoid BIO_reset() warnings since it returns a valueDaniel Stenberg
2015-12-10openssl: adapt to 1.1.0+ name changesDaniel Stenberg
2015-12-07openssl: BoringSSL doesn't have CONF_modules_freeGisle Vanem
2015-11-24Revert "cleanup: general removal of TODO (and similar) comments"Daniel Stenberg
This reverts commit 64e959ffe37c436503f9fed1ce2d6ee6ae50bd9a. Feedback-by: Dan Fandrich URL: http://curl.haxx.se/mail/lib-2015-11/0062.html
2015-11-21schannel: Corrected copy/paste error in commit 8d17117683Steve Holme
2015-11-21schannel: Use GetVersionEx() when VerifyVersionInfo() isn't availableSteve Holme
Regression from commit 7a8e861a5 as highlighted in the msys autobuilds.
2015-11-13openssl: Free modules on cleanupSebastian Pohlschmidt
Curl_ossl_init calls OPENSSL_load_builtin_modules() but Curl_ossl_cleanup doesn't make a call to free these modules. Bug: https://github.com/bagder/curl/issues/526
2015-11-13cleanup: general removal of TODO (and similar) commentsDaniel Stenberg
They tend to never get updated anyway so they're frequently inaccurate and we never go back to revisit them anyway. We document issues to work on properly in KNOWN_BUGS and TODO instead.
2015-11-13openssl: remove #if check for 0.9.7 for ENGINE_load_private_keyDaniel Stenberg
2015-11-13openssl: all supported versions have X509_STORE_set_flagsDaniel Stenberg
Simplify by removing #ifdefs and macros
2015-11-13openssl: remove 0.9.3 checkDaniel Stenberg
2015-11-13openssl: remove #ifdefs for < 0.9.5 supportDaniel Stenberg
We only support >= 0.9.7
2015-11-13lib/vtls/openssl: remove unused traces of yassl ifdefsDaniel Stenberg
2015-11-10BoringSSL: Work with stricter BIO_get_mem_data()Douglas Creager
BoringSSL implements `BIO_get_mem_data` as a function, instead of a macro, and expects the output pointer to be a `char **`. We have to add an explicit cast to grab the pointer as a `const char **`. Closes #524
2015-10-29mbedtls: fix "Structurally dead code"Daniel Stenberg
CID 1332129
2015-10-29mbedtls: fix "Logically dead code"Daniel Stenberg
CID 1332128