| Age | Commit message (Collapse) | Author |
|---|
|
Although OpenSSL 1.1.0+ deprecated SSLv23_client_method in favor of
TLS_client_method LibreSSL and BoringSSL didn't and still use
SSLv23_client_method.
Bug: https://github.com/bagder/curl/commit/49a6642#commitcomment-11578009
Reported-by: asavah@users.noreply.github.com
|
|
- Try building a chain using issuers in the trusted store first to avoid
problems with server-sent legacy intermediates.
Prior to this change server-sent legacy intermediates with missing
legacy issuers would cause verification to fail even if the client's CA
bundle contained a valid replacement for the intermediate and an
alternate chain could be constructed that would verify successfully.
https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
|
|
ERR_error_string_n() was introduced in 0.9.6, no need to #ifdef anymore
|
|
Code for OpenSSL 0.9.4 serves no purpose anymore!
|
|
It was present for OpenSSL 0.9.5 code but we only support 0.9.7 or
later.
|
|
The existing callback served no purpose.
|
|
- Change fopen calls to use FOPEN_READTEXT instead of "r" or "rt"
- Change fopen calls to use FOPEN_WRITETEXT instead of "w" or "wt"
This change is to explicitly specify when we need to read/write text.
Unfortunately 't' is not part of POSIX fopen so we can't specify it
directly. Instead we now have FOPEN_READTEXT, FOPEN_WRITETEXT.
Prior to this change we had an issue on Windows if an application that
uses libcurl overrides the default file mode to binary. The default file
mode in Windows is normally text mode (translation mode) and that's what
libcurl expects.
Bug: https://github.com/bagder/curl/pull/258#issuecomment-107093055
Reported-by: Orgad Shaneh
|
|
|
|
SSLv23_client_method is deprecated starting in OpenSSL 1.1.0. The
equivalent is TLS_client_method.
https://github.com/openssl/openssl/commit/13c9bb3#diff-708d3ae0f2c2973b272b811315381557
|
|
Stop curl from failing when non-fatal alert is received during
handshake. This e.g. fixes lots of problems when working with https
sites through proxies.
|
|
BoringSSL removed support for direct callers of SSL_CTX_callback_ctrl
and SSL_CTX_ctrl, so move to a way that should work on BoringSSL and
OpenSSL.
re #275
|
|
Also print the revocation reason if appropriate.
|
|
The symbol is fairly new.
Reported-by: Kamil Dudka
|
|
The OpenSSL trace callback is wonderfully undocumented but given a
journey in the source code, it seems the cases were ssl_ver is zero
doesn't follow the same pattern and thus turned out confusing and
misleading. For now, we skip doing any CURLINFO_TEXT logging on those
but keep sending them as CURLINFO_SSL_DATA_OUT/IN.
Also, I added direction to the text info and I edited some functions
slightly.
Bug: https://github.com/bagder/curl/issues/219
Reported-by: Jay Satiro, Ashish Shukla
|
|
|
|
|
|
|
|
https://github.com/bagder/curl/issues/244
Commit 145c263 changed the behavior when Curl_read_plain returns
CURLE_AGAIN. We now handle CURLE_AGAIN and SEC_I_CONTEXT_EXPIRED
correctly.
|
|
Commit: https://github.com/bagder/curl/commit/926cb9f
Reported-by: Ray Satiro
|
|
Bug born in changes made several days ago 9a91e80.
Bug: http://curl.haxx.se/mail/lib-2015-04/0199.html
Reported-by: Brian Chrisman
|
|
Bug: http://curl.haxx.se/mail/lib-2015-04/0095.html
|
|
|
|
Reported-by: Brian Chrisman
|
|
white space changes only
|
|
To have engine modules work, we must tell openssl to load builtin
modules first.
Bug: https://github.com/bagder/curl/pull/206
|
|
The code extracting the cert serial number was broken and didn't display
it properly.
Bug: https://github.com/bagder/curl/issues/235
Reported-by: dkjjr89
|
|
Also add public key extraction example to CURLOPT_PINNEDPUBLICKEY doc.
|
|
Bug: https://bugzilla.redhat.com/1195771
|
|
|
|
|
|
Prior to this change CyaSSL's build options could redefine some generic
build symbols.
http://curl.haxx.se/mail/lib-2015-04/0069.html
|
|
|
|
|
|
|
|
|
|
|
|
CyaSSL >= 2.6.0 may have an options.h that was generated during
its build by configure.
|
|
Also fix it so that all ERR_error_string calls use an error buffer.
CyaSSL's implementation of ERR_error_string only writes the error when
an error buffer is passed.
http://www.yassl.com/forums/topic599-openssl-compatibility-and-errerrorstring.html
|
|
Prior to this change libcurl could show multiple 'CyaSSL: Connecting to'
messages since cyassl_connect_step2 is called multiple times, typically.
The message is superfluous even once since libcurl already informs the
user elsewhere in code that it is connecting.
|
|
This change is to allow the user's CTX callback to change the minimum
protocol version in the CTX without us later overriding it, as we did
prior to this change.
|
|
SSL_CTX_load_verify_locations can return negative values on fail,
therefore to check for failure we check if load is != 1 (success)
instead of if load is == 0 (failure), the latter being incorrect given
that behavior.
|
|
(Curl_cyassl_init)
- Return 1 on success, 0 in failure.
Prior to this change the fail path returned an incorrect value and the
evaluation to determine whether CyaSSL_Init had succeeded was incorrect.
Ironically that combined with the way curl_global_init tests SSL library
initialization (!Curl_ssl_init()) meant that CyaSSL having been
successfully initialized would be seen as that even though the code path
and return value in Curl_cyassl_init were wrong.
|
|
This allows test 405 to pass on axTLS.
|
|
- More descriptive fail message for NO_FILESYSTEM builds.
- Cosmetic changes.
- Change more of CURLOPT_SSL_CTX_* doc to not be OpenSSL specific.
|
|
Adds support for CURLOPT_SSL_CTX_FUNCTION when using CyaSSL, and better
handles CyaSSL instances using NO_FILESYSTEM.
|
|
CyaSSL_no_filesystem_verify is not (or no longer) defined by cURL or
CyaSSL. This reference causes build errors when compiling with
NO_FILESYSTEM.
|
|
|
|
|
|
and simplify code by changing if-elses to a switch()
CID 1291706: Logically dead code. Execution cannot reach this statement
|
|
"unreachable: Since the loop increment is unreachable, the loop body
will never execute more than once."
Coverity CID 1291707
|
