Age | Commit message | Author

lib/vtls/openssl.c has a workaround for a bug with OCSP responses signed
by intermediate certs; this was fixed in LibreSSL in
https://github.com/libressl-portable/openbsd/commit/912c64f68f7ac4f225b7d1fdc8fbd43168912ba0
Bug: https://curl.haxx.se/mail/lib-2017-06/0038.html

cyassl/ssl.h needs the macros from cyassl/options.h, so define them
before including cyassl/ssl.h the first time, which happens in
urldata.h.
This broke the build on Ubuntu Xenial, which comes with WolfSSL 3.4.8
and therefore redefines the symbols from cyassl/options.h instead of
including the header.
Closes https://github.com/curl/curl/pull/1536

mbedtls_x509_crt_profile_fr is only used locally.
This fixes a missing-variable-declarations warning with clang.

vtls/mbedtls.c:804:69: warning: declaration of 'entropy' shadows a global declaration [-Wshadow]
CURLcode Curl_mbedtls_random(struct Curl_easy *data, unsigned char *entropy,
^~~~~~~

if no error was raised by the API but the SecIdentityRef was null
Fixes #1450

Closes #1400

Tested with servers: IIS 7.5; OpenSSL 1.0.2.
Closes https://github.com/curl/curl/pull/1475

The module contains a more comprehensive set of trust information than
supported by nss-pem, because libnssckbi.so also includes information
about distrusted certificates.
Reviewed-by: Kai Engert
Closes #1414

No change of behavior is intended by this commit.

It could prevent nss-pem from being unloaded later on.
Bug: https://bugzilla.redhat.com/1444860

This commit fixes compilation failure caused by
cbae73e1dd95946597ea74ccb580c30f78e3fa73.

- Track when the cached encrypted data contains only a partial record
that can't be decrypted without more data (SEC_E_INCOMPLETE_MESSAGE).
- Change Curl_schannel_data_pending to return false in such a case.
Other SSL libraries have pending data functions that behave similarly.
Ref: https://github.com/curl/curl/pull/1387
Closes https://github.com/curl/curl/pull/1392

This reduces the binary size and fixes a compile warning.

... when failing to get the server certificate.

This fixes 3 warnings issued by MinGW:
1. PR_ImportTCPSocket actually has a parameter of type PROsfd instead of
PRInt32, which is 64 bits on Windows. Fixed this by including the
corresponding header file instead of redeclaring the function, which is
supported even though it is in the private include folder. [1]
2. In 64-bit mode, size_t is 64 bits while CK_ULONG is 32 bits, so an explicit
narrowing cast is needed.
3. Curl_timeleft returns time_t instead of long since commit
21aa32d30dbf319f2d336e0cb68d3a3235869fbb.
[1] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSPR/Reference/PR_ImportTCPSocket
Closes https://github.com/curl/curl/pull/1393

Move the sessionid flag to ssl_primary_config so that ssl and proxy_ssl
will each have their own sessionid flag.
Regression since HTTPS-Proxy support was added in cb4e2be. Prior to that
this issue had been fixed in 247d890, CVE-2016-5419.
Bug: https://github.com/curl/curl/issues/1341
Reported-by: lijian996@users.noreply.github.com
The new incarnation of this bug is called CVE-2017-7468 and is documented
here: https://curl.haxx.se/docs/adv_20170419.html

X.509 certificates carry public keys, not private keys. Fields
corresponding to the private half of the key will always be NULL.
Closes #1425

ERR_error_string with NULL parameter is not thread-safe. The library
writes the string into some static buffer. Two threads doing this at
once may clobber each other and run into problems. Switch to
ERR_error_string_n which avoids this problem and is explicitly
bounds-checked.
Also clean up some remnants of OpenSSL 0.9.5 around here. A number of
comments (fixed buffer size, explaining that ERR_error_string_n was
added in a particular version) date to when ossl_strerror tried to
support pre-ERR_error_string_n OpenSSLs.
Closes #1424

Rather than making assumptions about the values, use a switch-case.
Closes #1424

Add missing our_ssl_sessionid free call in mbed_connect_step3().
Closes #1417

ssl_session_init was only introduced in version 1.3.8, the penultimate
version. The function only contains a memset, so replace it with that.
Suggested-by: Jay Satiro
Fixes https://github.com/curl/curl/issues/1401

Closes #1402

... because they may include an intermediate certificate for a client
certificate and the intermediate certificate needs to be presented to
the server, no matter if we verify the peer or not.
Reported-by: thraidh
Closes #851

... by moving the variables into the correct #ifdef block.

When UNICODE is not defined, the Curl_convert_UTF8_to_tchar macro maps
directly to its argument. As it is declared as a pointer to const and
InitializeSecurityContext expects a pointer to non-const, both MSVC and MinGW
issue a warning about implicitly casting away the const. Fix this by declaring
the variables as pointers to non-const.
Closes https://github.com/curl/curl/pull/1394

Curl_timeleft returns time_t instead of long since commit
21aa32d30dbf319f2d336e0cb68d3a3235869fbb.

Curl_llist_alloc is now Curl_llist_init.
Closes https://github.com/curl/curl/pull/1391

If CURL_DISABLE_VERBOSE_STRINGS is defined, hostname is not used in
schannel_connect_step3.

- Fix compile errors that occur in openssl.c when OpenSSL lib was
built without DSA support.
Bug: https://github.com/curl/curl/issues/1361
Reported-by: neheb@users.noreply.github.com

No need to redeclare the variable.

Closes #1356

- If SSL_get_error is called but no extended error detail is available
then show that SSL_ERROR_* as a string.
Prior to this change there was some inconsistency in that case: the
SSL_ERROR_* code may or may not have been shown, or may have been shown
as unknown even if it was known.
Ref: https://github.com/curl/curl/issues/1300
Closes https://github.com/curl/curl/pull/1348

Ref: https://curl.haxx.se/mail/lib-2017-02/0097.html
Closes https://github.com/curl/curl/pull/1272

Broken a week ago in 6448f98.
Closes https://github.com/curl/curl/pull/1337

... by removing the else branch after a return, break or continue.
Closes #1310

Broken a few days ago in 6448f98.
Bug: https://curl.haxx.se/mail/lib-2017-03/0015.html

CID 1402159 and 1402158

Verified with OpenSSL 1.1.0e and OpenSSL master (1.1.1)

This commit introduces the CURL_SSLVERSION_MAX_* constants as well as
the --tls-max option of the curl tool.
Closes https://github.com/curl/curl/pull/1166

Mark intended fallthroughs with /* FALLTHROUGH */ so that gcc will know
it's expected and won't warn on [-Wimplicit-fallthrough=].
Closes https://github.com/curl/curl/pull/1297

In DarwinSSL the SSLSetPeerDomainName function is used to enable both
sending SNI and verifying the host. When host verification is disabled
the function cannot be called, therefore SNI is disabled as well.
Closes https://github.com/curl/curl/pull/1240

wolfSSL >= 3.6.0 supports getting its library version string at runtime.

Builds with axTLS 2.1.2. This then also breaks compatibility with axTLS
< 2.1.0 (the older API).
... and fix the session_id mixup brought in 04b4ee549
Fixes #1220
