aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls
AgeCommit message (Collapse)Author
2014-02-25Merge pull request #93 from d235j/darwinssl_ip_address_fixnickzman
darwinssl: don't omit CN verification when an IP address is used
2014-02-24curl_schannel.c: Updated copyright yearsMarc Hoersken
2014-02-24winssl: Enable hostname verification of IP address using SAN or CNDavid Ryskalczyk
Original commit message was: Don't omit CN verification in SChannel when an IP address is used. Side-effect of this change: SChannel and CryptoAPI do not support the iPAddress subjectAltName according to RFC 2818. If present, SChannel will first compare the IP address to the dNSName subjectAltNames and then fallback to the most specific Common Name in the Subject field of the certificate. This means that after this change curl will not connect to SSL/TLS hosts as long as the IP address is not specified in the SAN or CN of the server certificate or the verifyhost option is disabled.
2014-02-23Don't omit CN verification in DarwinSSL when an IP address is used.David Ryskalczyk
2014-02-18axtls: comment the call ssl_read repeatedly loopDan Fandrich
2014-02-16axtls: bump copyright yearDaniel Stenberg
2014-02-16axtls: call ssl_read repeatedlyFabian Frank
Perform more work in between sleeps. This is work around the fact that axtls does not expose any knowledge about when work needs to be performed. Depending on connection and how often perform is being called this can save ~25% of time on SSL handshakes (measured on 20ms latency connection calling perform roughly every 10ms).
2014-02-11openssl: honor --[no-]alpn|npn command line switchFabian Frank
Disable ALPN or NPN if requested by the user.
2014-02-11gtls: honor --[no-]alpn command line switchFabian Frank
Disable ALPN if requested by the user.
2014-02-10NPN/ALPN: allow disabling via command lineFabian Frank
when using --http2 one can now selectively disable NPN or ALPN with --no-alpn and --no-npn. for now honored with NSS only. TODO: honor this option with GnuTLS and OpenSSL
2014-02-10nss: use correct preprocessor macroFabian Frank
SSL_ENABLE_ALPN can be used for preprocessor ALPN feature detection, but not SSL_NEXT_PROTO_SELECTED, since it is an enum value and not a preprocessor macro.
2014-02-07nss: support pre-ALPN versionsDaniel Stenberg
2014-02-07nss: ALPN and NPN supportFabian Frank
Add ALPN and NPN support for NSS. This allows cURL to negotiate HTTP/2.0 connections when built with NSS.
2014-02-06nss: Updated copyright year for recent editsSteve Holme
2014-02-06nss: prefer highest available TLS versionFabian Frank
Offer TLSv1.0 to 1.2 by default, still fall back to SSLv3 if --tlsv1[.N] was not specified on the command line.
2014-02-04gtls: add ALPN supportFabian Frank
Add ALPN support when using GnuTLS >= 3.2.0. This allows libcurl to negotiate HTTP/2.0 for https connections when built with GnuTLS. See: http://www.gnutls.org/manual/gnutls.html#Application-Layer-Protocol-Negotiation-_0028ALPN_0029 http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04
2014-02-03openssl: add ALPN supportFabian Frank
Add ALPN support when using OpenSSL. This will offer ALPN and NPN to the server, who can respond with either one or none of the two. OpenSSL >= 1.0.2 is required, which means as of today obtaining a snapshot from ftp://ftp.openssl.org/snapshot/. See: http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04 https://github.com/openssl/openssl/blob/ba168244a14bbd056e502d7daa04cae4aabe9d0d/ssl/ssl_lib.c#L1787
2014-01-31winssl: improved default SSL/TLS protocol selectionMarc Hoersken
For some reason Windows 7 SP1 chooses TLS 1.0 instead of TLS 1.2 if it is not explicitly enabled within grbitEnabledProtocols. More information can be found on MSDN: http://msdn.microsoft.com/library/windows/desktop/aa379810.aspx
2014-01-30http2-openssl: verify that NPN functionality is presentDaniel Stenberg
2014-01-30openssl: set up hooks with to perform NPNFabian Frank
NPN is what is available in the wild today to negotiate SPDY or HTTP/2.0 connections. It is expected to be replaced by ALPN in the future. If HTTP/2.0 is negotiated, this is indicated for the entire connection and http.c is expected to initialize itself for HTTP/2.0 instead of HTTP/1.1. see: http://technotes.googlecode.com/git/nextprotoneg.html http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04
2014-01-29nss: do not use the NSS_ENABLE_ECC defineKamil Dudka
It is not provided by NSS public headers. Bug: https://bugzilla.redhat.com/1058776
2014-01-29nss: do not fail if NSS does not implement a cipherKamil Dudka
... that the user does not ask for
2014-01-21axtls: fix compiler warning on conversion ssize_t => intFabian Frank
2014-01-20disable GnuTLS insecure ciphersFabian Frank
Make GnuTLS old and new consistent, specify the desired protocol, cipher and certificate type in always in both modes. Disable insecure ciphers as reported by howsmyssl.com. Honor not only --sslv3, but also the --tlsv1[.N] switches. Related Bug: http://curl.haxx.se/bug/view.cgi?id=1323
2014-01-19gtls: fix compiler warnings on conversions size_t => unsigned intDaniel Stenberg
2014-01-12OpenSSL: deselect weak ciphers by defaultDaniel Stenberg
By default even recent versions of OpenSSL support and accept both "export strength" ciphers, small-bitsize ciphers as well as downright deprecated ones. This change sets a default cipher set that avoids the worst ciphers, and subsequently makes https://www.howsmyssl.com/a/check no longer grade curl/OpenSSL connects as 'Bad'. Bug: http://curl.haxx.se/bug/view.cgi?id=1323 Reported-by: Jeff Hodges
2014-01-09darwinssl: un-break Leopard build after PKCS#12 changeNick Zitzmann
It turns out errSecDecode wasn't defined in Leopard's headers. So we use the enum's value instead. Bug: http://curl.haxx.se/mail/lib-2013-12/0150.html Reported by: Abram Pousada
2014-01-03openssl: allow explicit sslv2 selectionDaniel Stenberg
If OpenSSL is built to support SSLv2 this brings back the ability to explicitly select that as a protocol level. Reported-by: Steve Holme Bug: http://curl.haxx.se/mail/lib-2014-01/0013.html
2014-01-02Updated copyright year for recent changesSteve Holme
2014-01-02OpenSSL: Fix forcing SSLv3 connectionsBarry Abrahamson
Some feedback provided by byte_bucket on IRC pointed out that commit db11750cfa5b1 wasn’t really correct because it allows for “upgrading” to a newer protocol when it should be only allowing for SSLv3. This change fixes that. When SSLv3 connection is forced, don't allow SSL negotiations for newer versions. Feedback provided by byte_bucket in #curl. This behavior is also consistent with the other force flags like --tlsv1.1 which doesn't allow for TLSv1.2 negotiation, etc Feedback-by: byte_bucket Bug: http://curl.haxx.se/bug/view.cgi?id=1319
2014-01-01OpenSSL: Fix forcing SSLv3 connectionsBarry Abrahamson
Since ad34a2d5c87c7f4b14e8dded3 (present in 7.34.0 release) forcing SSLv3 will always return the error "curl: (35) Unsupported SSL protocol version" Can be replicated with `curl -I -3 https://www.google.com/`. This fix simply allows for v3 to be forced.
2013-12-26vtls: Updated comments referencing sslgen.c and ssluse.cSteve Holme
2013-12-26vtls: Fixed up include of vtls.hSteve Holme
2013-12-20vtls: renamed sslgen.[ch] to vtls.[ch]Daniel Stenberg
2013-12-20openssl: renamed backend files to openssl.[ch]Daniel Stenberg
2013-12-20vtls: moved all TLS/SSL source and header files into subdirDaniel Stenberg
2013-12-20vtls: created subdir, moved sslgen.[ch] there, updated all include linesDaniel Stenberg