path: root/lib/vtls
Age | Commit message | Author
2015-05-27 | openssl: Use TLS_client_method for OpenSSL 1.1.0+ | Jay Satiro
SSLv23_client_method is deprecated starting in OpenSSL 1.1.0. The equivalent is TLS_client_method. https://github.com/openssl/openssl/commit/13c9bb3#diff-708d3ae0f2c2973b272b811315381557
2015-05-20 | gtls: don't fail on non-fatal alerts during handshake | Dmitry Eremin-Solenikov
Stop curl from failing when a non-fatal alert is received during handshake. This e.g. fixes lots of problems when working with https sites through proxies.
2015-05-19 | openssl: Use SSL_CTX_set_msg_callback and SSL_CTX_set_msg_callback_arg | Brian Prodoehl
BoringSSL removed support for direct callers of SSL_CTX_callback_ctrl and SSL_CTX_ctrl, so move to a way that should work on BoringSSL and OpenSSL. re #275
2015-05-04 | gtls: properly retrieve certificate status | Alessandro Ghedini
Also print the revocation reason if appropriate.
2015-05-04 | OpenSSL: conditional check for SSL3_RT_HEADER | Daniel Stenberg
The symbol is fairly new. Reported-by: Kamil Dudka
2015-05-04 | openssl: skip trace outputs for ssl_ver == 0 | Daniel Stenberg
The OpenSSL trace callback is wonderfully undocumented but given a journey in the source code, it seems the cases where ssl_ver is zero don't follow the same pattern and thus turned out confusing and misleading. For now, we skip doing any CURLINFO_TEXT logging on those but keep sending them as CURLINFO_SSL_DATA_OUT/IN. Also, I added direction to the text info and I edited some functions slightly. Bug: https://github.com/bagder/curl/issues/219 Reported-by: Jay Satiro, Ashish Shukla
2015-05-02 | schannel.c: Small changes | Marc Hoersken
2015-05-02 | schannel.c: Improve code path and readability | Marc Hoersken
2015-05-02 | schannel.c: Improve error and return code handling upon aa99a63f03 | Marc Hoersken
2015-05-02 | schannel: fix regression in schannel_recv | Chris Araman
https://github.com/bagder/curl/issues/244 Commit 145c263 changed the behavior when Curl_read_plain returns CURLE_AGAIN. We now handle CURLE_AGAIN and SEC_I_CONTEXT_EXPIRED correctly.
2015-05-01 | Bug born in changes made several days ago 9a91e80. | Marc Hoersken
Commit: https://github.com/bagder/curl/commit/926cb9f Reported-by: Ray Satiro
2015-04-30 | schannel: Fix out of bounds array | Jay Satiro
Bug born in changes made several days ago 9a91e80. Bug: http://curl.haxx.se/mail/lib-2015-04/0199.html Reported-by: Brian Chrisman
2015-04-27 | nss: fix compilation failure with old versions of NSS | Paul Howarth
Bug: http://curl.haxx.se/mail/lib-2015-04/0095.html
2015-04-26 | schannel.c: Fix typo introduced with 3447c973d0 | Marc Hoersken
2015-04-26 | schannel.c: Fix possible SEC_E_BUFFER_TOO_SMALL error | Marc Hoersken
Reported-by: Brian Chrisman
2015-04-26 | schannel: re-indented file to follow curl style better | Daniel Stenberg
White space changes only.
2015-04-26 | Curl_ossl_init: load builtin modules | Daniel Stenberg
To have engine modules work, we must tell openssl to load builtin modules first. Bug: https://github.com/bagder/curl/pull/206
2015-04-26 | openssl: fix serial number output | Daniel Stenberg
The code extracting the cert serial number was broken and didn't display it properly. Bug: https://github.com/bagder/curl/issues/235 Reported-by: dkjjr89
2015-04-22 | cyassl: Implement public key pinning | Jay Satiro
Also add public key extraction example to CURLOPT_PINNEDPUBLICKEY doc.
2015-04-22 | nss: implement public key pinning for NSS backend | Kamil Dudka
Bug: https://bugzilla.redhat.com/1195771
2015-04-21 | openssl: add OPENSSL_NO_SSL3_METHOD check | byronhe
2015-04-19 | vtls/openssl: use https in URLs and a comment typo fixed | Viktor Szakáts
2015-04-17 | cyassl: Fix include order | Jay Satiro
Prior to this change CyaSSL's build options could redefine some generic build symbols. http://curl.haxx.se/mail/lib-2015-04/0069.html
2015-04-14 | cyassl: Add support for TLS extension SNI | Jay Satiro
2015-04-13 | vtls_openssl: improve PKCS#12 load failure error message | Matthew Hall
2015-04-13 | vtls_openssl: fix minor typo in PKCS#12 load routine | Matthew Hall
2015-04-13 | vtls_openssl: improve client certificate load failure error messages | Matthew Hall
2015-04-13 | vtls_openssl: remove ambiguous SSL_CLIENT_CERT_ERR constant | Matthew Hall
2015-04-11 | cyassl: Include the CyaSSL build config | Jay Satiro
CyaSSL >= 2.6.0 may have an options.h that was generated during its build by configure.
2015-04-06 | cyassl: Use CYASSL_MAX_ERROR_SZ for error buffer size | Jay Satiro
Also fix it so that all ERR_error_string calls use an error buffer. CyaSSL's implementation of ERR_error_string only writes the error when an error buffer is passed. http://www.yassl.com/forums/topic599-openssl-compatibility-and-errerrorstring.html
2015-04-05 | cyassl: Remove 'Connecting to' message from cyassl_connect_step2 | Jay Satiro
Prior to this change libcurl could show multiple 'CyaSSL: Connecting to' messages since cyassl_connect_step2 is called multiple times, typically. The message is superfluous even once since libcurl already informs the user elsewhere in code that it is connecting.
2015-04-03 | cyassl: Set minimum protocol version before CTX callback | Jay Satiro
This change is to allow the user's CTX callback to change the minimum protocol version in the CTX without us later overriding it, as we did prior to this change.
2015-04-02 | cyassl: Fix certificate load check | Jay Satiro
SSL_CTX_load_verify_locations can return negative values on fail, therefore to check for failure we check if load is != 1 (success) instead of if load is == 0 (failure), the latter being incorrect given that behavior.
2015-04-01 | cyassl: Fix library initialization return value | Jay Satiro
(Curl_cyassl_init) - Return 1 on success, 0 on failure. Prior to this change the fail path returned an incorrect value and the evaluation to determine whether CyaSSL_Init had succeeded was incorrect. Ironically that combined with the way curl_global_init tests SSL library initialization (!Curl_ssl_init()) meant that CyaSSL having been successfully initialized would be seen as that even though the code path and return value in Curl_cyassl_init were wrong.
2015-03-31 | axtls: add timeout within Curl_axtls_connect | Dan Fandrich
This allows test 405 to pass on axTLS.
2015-03-28 | cyassl: CTX callback cosmetic changes and doc fix | Jay Satiro
- More descriptive fail message for NO_FILESYSTEM builds.
- Cosmetic changes.
- Change more of CURLOPT_SSL_CTX_* doc to not be OpenSSL specific.
2015-03-27 | cyassl: add SSL context callback support for CyaSSL | Kyle L. Huff
Adds support for CURLOPT_SSL_CTX_FUNCTION when using CyaSSL, and better handles CyaSSL instances using NO_FILESYSTEM.
2015-03-27 | cyassl: remove undefined reference to CyaSSL_no_filesystem_verify | Kyle L. Huff
CyaSSL_no_filesystem_verify is not (or no longer) defined by cURL or CyaSSL. This reference causes build errors when compiling with NO_FILESYSTEM.
2015-03-27 | vtls: Don't accept unknown CURLOPT_SSLVERSION values | Jay Satiro
2015-03-25 | polarssl: called mbedTLS in 1.3.10 and later | Daniel Stenberg
2015-03-25 | polarssl: remove dead code | Daniel Stenberg
... and simplify code by changing if-elses to a switch(). CID 1291706: Logically dead code. Execution cannot reach this statement.
2015-03-25 | polarssl: remove superfluous for(;;) loop | Daniel Stenberg
"unreachable: Since the loop increment is unreachable, the loop body will never execute more than once." Coverity CID 1291707
2015-03-25 | Curl_ssl_md5sum: return CURLcode | Daniel Stenberg
... since the function can fail on OOM. Check this return code. Coverity CID 1291705.
2015-03-25 | cyassl: default to highest possible TLS version | Jay Satiro
(cyassl_connect_step1) - Use TLS 1.0-1.2 by default when available. CyaSSL/wolfSSL >= v3.3.0 supports setting a minimum protocol downgrade version. cyassl/cyassl@322f79f
2015-03-25 | cyassl: Check for invalid length parameter in Curl_cyassl_random | Jay Satiro
2015-03-25 | cyassl: If wolfSSL then identify as such in version string | Jay Satiro
2015-03-24 | curl_memory: make curl_memory.h the second-last header file loaded | Dan Fandrich
This header file must be included after all header files except memdebug.h, as it does similar memory function redefinitions and can be similarly affected by conflicting definitions in system or dependent library headers.
2015-03-24 | openssl: do the OCSP work-around for libressl too | Daniel Stenberg
I tested with libressl git master now (v2.1.4-27-g34bf96c) and it seems to still require the work-around for stapling to work.
2015-03-24 | openssl: verifystatus: only use the OCSP work-around <= 1.0.2a | Daniel Stenberg
URL: http://curl.haxx.se/mail/lib-2015-03/0205.html Reported-by: Alessandro Ghedini
2015-03-24 | openssl: adapt to ASN1/X509 things gone opaque in 1.1 | Daniel Stenberg