aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls
AgeCommit message (Collapse)Author
2014-05-21Add support for --cacert in DarwinSSL.Vilmos Nebehaj
Security Framework on OS X makes it possible to supply extra anchor (CA) certificates via the Certificate, Key, and Trust Services API. This commit makes the '--cacert' option work using this API. More information: https://developer.apple.com/library/mac/documentation/security/Reference/certifkeytrustservices/Reference/reference.html The HTTPS tests now pass on OS X except 314, which requires the '--crl' option to work.
2014-05-20ALPN: fix typo in http/1.1 identifierFabian Frank
According to https://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-05 it is "http/1.1" and not "http/1.0".
2014-05-17axtls: Fixed too long source lineDan Fandrich
2014-05-16axtls: Add a TODO to a potential blocking call with no timeoutDan Fandrich
2014-05-15CURLINFO_SSL_VERIFYRESULT: assign at first connect callDaniel Stenberg
The variable wasn't assigned at all until step3 which would lead to a failed connect never assigning the variable and thus returning a bad value. Reported-by: Larry Lin Bug: http://curl.haxx.se/mail/lib-2014-04/0203.html
2014-05-15darwinssl: Updated copyright following recent changesSteve Holme
2014-05-14darwinssl: fix potential crash when attempting to copy an identityNick Zitzmann
from a P12 file This could've happened if SecPKCS12Import() returned noErr _and_ no identity.
2014-05-12openssl: unbreak PKCS12 supportDaniel Stenberg
Regression introduced in ce362e8eb9c (7.31.0) Bug: http://curl.haxx.se/bug/view.cgi?id=1371 Reported-by: Dmitry
2014-05-05schannel: don't use the connect-timeout during sendDaniel Stenberg
As there's a default connection timeout and this wrongly used the connection timeout during a transfer after the connection is completed, this function would trigger timeouts during transfers erroneously. Bug: http://curl.haxx.se/bug/view.cgi?id=1352 Figured-out-by: Radu Simionescu
2014-05-04openssl: biomem->data is not zero terminatedDaniel Stenberg
So printf(%s) on it or reading before bounds checking is wrong, fixing it. Could previously lead to reading out of boundary. Reported-by: Török Edwin
2014-04-25nss: propagate blocking direction from NSPR I/OKamil Dudka
... during the non-blocking SSL handshake
2014-04-23cyassl: Use error-ssl.h when availableDan Fandrich
Versions since at least 2.9.4 renamed error.h to error-ssl.h, so use whichever one is available.
2014-04-22gtls: fix NULL pointer dereferenceDaniel Stenberg
gnutls_x509_crt_import() must not be called with a NULL certificate Bug: http://curl.haxx.se/mail/lib-2014-04/0145.html Reported-by: Damian Dixon
2014-04-22nss: implement non-blocking SSL handshakeKamil Dudka
2014-04-22nss: split Curl_nss_connect() into 4 functionsKamil Dudka
2014-04-18curl_schannel.c: added explicit cast of structure pointersMarc Hoersken
2014-04-18curl_schannel.c: fix possible dereference of null pointerMarc Hoersken
2014-04-03http2+openssl: fix compiler warnings in ALPN using codeDaniel Stenberg
2014-03-31http2: let openssl mention the exact protocol negotiatedDaniel Stenberg
Remove a superfluous "negotiated http2" info line
2014-03-31http2: remove _DRAFT09 from the NPN_HTTP2 enumDaniel Stenberg
We're progressing throught drafts so there's no point in having a fixed one in a symbol that'll survive.
2014-03-22polarssl: avoid extra newlines in debug messagesGisle Vanem
The debug messages printed inside PolarSSL always seems to end with a newline. So 'infof()' should not add one. Besides the trace 'line' should be 'const'.
2014-03-18polarssl: break compatibility with version older than 1.3.Gaël PORTAY
Remove all #ifdef/else/endif macros that ensure compatibility with polarssl version previous than 1.3.
2014-03-18polarssl: drop use of 1.2 compatibility header.Gaël PORTAY
API has changed since version 1.3. A compatibility header has been created to ensure forward compatibility for code using old API: * x509 certificate structure has been renamed to from x509_cert to x509_crt * new dedicated setter for RSA certificates ssl_set_own_cert_rsa, ssl_set_own_cert is for generic keys * ssl_default_ciphersuites has been replaced by function ssl_list_ciphersuites() This patch drops the use of the compatibly header.
2014-03-18polarssl: added missing end-of-comment from previous commitDaniel Stenberg
2014-03-17polarssl: now require 1.3.0+Daniel Stenberg
Also fixed a function name change in the version requirement bump
2014-03-17polarssl: fix compilationhasufell
Rename x509_cert to x509_crt and add "compat-1.2.h" include. This would still need some more thorough conversion in order to drop "compat-1.2.h" include.
2014-03-15nss: allow to enable/disable new AES GCM cipher-suitesKamil Dudka
... if built against a new enough version of NSS
2014-03-15nss: allow to enable/disable new HMAC-SHA256 cipher-suitesKamil Dudka
... if built against a new enough version of NSS
2014-03-15nss: do not enable AES cipher-suites by defaultKamil Dudka
... but allow them to be enabled/disabled explicitly. The default policy should be maintained at the NSS level.
2014-03-10openssl: info massage with SSL version usedDaniel Stenberg
Patch-by: byte_bucket
2014-03-03NSS: avoid compiler warnings when built without http2 supportDaniel Stenberg
2014-02-25Merge pull request #93 from d235j/darwinssl_ip_address_fixnickzman
darwinssl: don't omit CN verification when an IP address is used
2014-02-24curl_schannel.c: Updated copyright yearsMarc Hoersken
2014-02-24winssl: Enable hostname verification of IP address using SAN or CNDavid Ryskalczyk
Original commit message was: Don't omit CN verification in SChannel when an IP address is used. Side-effect of this change: SChannel and CryptoAPI do not support the iPAddress subjectAltName according to RFC 2818. If present, SChannel will first compare the IP address to the dNSName subjectAltNames and then fallback to the most specific Common Name in the Subject field of the certificate. This means that after this change curl will not connect to SSL/TLS hosts as long as the IP address is not specified in the SAN or CN of the server certificate or the verifyhost option is disabled.
2014-02-23Don't omit CN verification in DarwinSSL when an IP address is used.David Ryskalczyk
2014-02-18axtls: comment the call ssl_read repeatedly loopDan Fandrich
2014-02-16axtls: bump copyright yearDaniel Stenberg
2014-02-16axtls: call ssl_read repeatedlyFabian Frank
Perform more work in between sleeps. This is work around the fact that axtls does not expose any knowledge about when work needs to be performed. Depending on connection and how often perform is being called this can save ~25% of time on SSL handshakes (measured on 20ms latency connection calling perform roughly every 10ms).
2014-02-11openssl: honor --[no-]alpn|npn command line switchFabian Frank
Disable ALPN or NPN if requested by the user.
2014-02-11gtls: honor --[no-]alpn command line switchFabian Frank
Disable ALPN if requested by the user.
2014-02-10NPN/ALPN: allow disabling via command lineFabian Frank
when using --http2 one can now selectively disable NPN or ALPN with --no-alpn and --no-npn. for now honored with NSS only. TODO: honor this option with GnuTLS and OpenSSL
2014-02-10nss: use correct preprocessor macroFabian Frank
SSL_ENABLE_ALPN can be used for preprocessor ALPN feature detection, but not SSL_NEXT_PROTO_SELECTED, since it is an enum value and not a preprocessor macro.
2014-02-07nss: support pre-ALPN versionsDaniel Stenberg
2014-02-07nss: ALPN and NPN supportFabian Frank
Add ALPN and NPN support for NSS. This allows cURL to negotiate HTTP/2.0 connections when built with NSS.
2014-02-06nss: Updated copyright year for recent editsSteve Holme
2014-02-06nss: prefer highest available TLS versionFabian Frank
Offer TLSv1.0 to 1.2 by default, still fall back to SSLv3 if --tlsv1[.N] was not specified on the command line.
2014-02-04gtls: add ALPN supportFabian Frank
Add ALPN support when using GnuTLS >= 3.2.0. This allows libcurl to negotiate HTTP/2.0 for https connections when built with GnuTLS. See: http://www.gnutls.org/manual/gnutls.html#Application-Layer-Protocol-Negotiation-_0028ALPN_0029 http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04
2014-02-03openssl: add ALPN supportFabian Frank
Add ALPN support when using OpenSSL. This will offer ALPN and NPN to the server, who can respond with either one or none of the two. OpenSSL >= 1.0.2 is required, which means as of today obtaining a snapshot from ftp://ftp.openssl.org/snapshot/. See: http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04 https://github.com/openssl/openssl/blob/ba168244a14bbd056e502d7daa04cae4aabe9d0d/ssl/ssl_lib.c#L1787
2014-01-31winssl: improved default SSL/TLS protocol selectionMarc Hoersken
For some reason Windows 7 SP1 chooses TLS 1.0 instead of TLS 1.2 if it is not explicitly enabled within grbitEnabledProtocols. More information can be found on MSDN: http://msdn.microsoft.com/library/windows/desktop/aa379810.aspx
2014-01-30http2-openssl: verify that NPN functionality is presentDaniel Stenberg