aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls
AgeCommit message (Collapse)Author
2016-02-03URLs: change all http:// URLs to https://Daniel Stenberg
2016-01-18mbedtls: Fix pinned key return value on failJay Satiro
- Switch from verifying a pinned public key in a callback during the certificate verification to inline after the certificate verification. The callback method had three problems: 1. If a pinned public key didn't match, CURLE_SSL_PINNEDPUBKEYNOTMATCH was not returned. 2. If peer certificate verification was disabled the pinned key verification did not take place as it should. 3. (related to #2) If there was no certificate of depth 0 the callback would not have checked the pinned public key. Though all those problems could have been fixed it would have made the code more complex. Instead we now verify inline after the certificate verification in mbedtls_connect_step2. Ref: http://curl.haxx.se/mail/lib-2016-01/0047.html Ref: https://github.com/bagder/curl/pull/601
2016-01-14openssl: improved error detection/reportingDaniel Stenberg
... by extracting the LIB + REASON from the OpenSSL error code. OpenSSL 1.1.0+ returned a new func number of another cerfificate fail so this required a fix and this is the better way to catch this error anyway.
2016-01-14openssl: for 1.1.0+ they now provide a SSLeay() macro of their ownDaniel Stenberg
2016-01-10mbedtls: implement CURLOPT_PINNEDPUBLICKEYThomas Glanzmann
2016-01-07mbedtls: Fix ALPN supportJay Satiro
- Fix ALPN reply detection. - Wrap nghttp2 code in ifdef USE_NGHTTP2. Prior to this change ALPN and HTTP/2 did not work properly in mbedTLS.
2015-12-16cyassl: deal with lack of *get_peer_certificateDaniel Stenberg
The function is only present in wolfssl/cyassl if it was built with --enable-opensslextra. With these checks added, pinning support is disabled unless the TLS lib has that function available. Also fix the mistake in configure that checks for the wrong lib name. Closes #566
2015-12-16wolfssl: handle builds without SSLv3 supportDaniel Stenberg
2015-12-15cyassl: fix compiler warning on type conversionDaniel Stenberg
2015-12-14libressl: the latest openssl x509 funcs are not in libresslDaniel Stenberg
2015-12-13http: add libcurl option to allow HTTP/2 for HTTPS onlyDaniel Stenberg
... and stick to 1.1 for HTTP. This is in line with what browsers do and should have very little risk.
2015-12-10openssl: adapt to openssl >= 1.1.0 X509 opaque structsDaniel Stenberg
Closes #491
2015-12-10openssl: avoid BIO_reset() warnings since it returns a valueDaniel Stenberg
2015-12-10openssl: adapt to 1.1.0+ name changesDaniel Stenberg
2015-12-07openssl: BoringSSL doesn't have CONF_modules_freeGisle Vanem
2015-11-24Revert "cleanup: general removal of TODO (and similar) comments"Daniel Stenberg
This reverts commit 64e959ffe37c436503f9fed1ce2d6ee6ae50bd9a. Feedback-by: Dan Fandrich URL: http://curl.haxx.se/mail/lib-2015-11/0062.html
2015-11-21schannel: Corrected copy/paste error in commit 8d17117683Steve Holme
2015-11-21schannel: Use GetVersionEx() when VerifyVersionInfo() isn't availableSteve Holme
Regression from commit 7a8e861a5 as highlighted in the msys autobuilds.
2015-11-13openssl: Free modules on cleanupSebastian Pohlschmidt
Curl_ossl_init calls OPENSSL_load_builtin_modules() but Curl_ossl_cleanup doesn't make a call to free these modules. Bug: https://github.com/bagder/curl/issues/526
2015-11-13cleanup: general removal of TODO (and similar) commentsDaniel Stenberg
They tend to never get updated anyway so they're frequently inaccurate and we never go back to revisit them anyway. We document issues to work on properly in KNOWN_BUGS and TODO instead.
2015-11-13openssl: remove #if check for 0.9.7 for ENGINE_load_private_keyDaniel Stenberg
2015-11-13openssl: all supported versions have X509_STORE_set_flagsDaniel Stenberg
Simplify by removing #ifdefs and macros
2015-11-13openssl: remove 0.9.3 checkDaniel Stenberg
2015-11-13openssl: remove #ifdefs for < 0.9.5 supportDaniel Stenberg
We only support >= 0.9.7
2015-11-13lib/vtls/openssl: remove unused traces of yassl ifdefsDaniel Stenberg
2015-11-10BoringSSL: Work with stricter BIO_get_mem_data()Douglas Creager
BoringSSL implements `BIO_get_mem_data` as a function, instead of a macro, and expects the output pointer to be a `char **`. We have to add an explicit cast to grab the pointer as a `const char **`. Closes #524
2015-10-29mbedtls: fix "Structurally dead code"Daniel Stenberg
CID 1332129
2015-10-29mbedtls: fix "Logically dead code"Daniel Stenberg
CID 1332128
2015-10-29Revert "openssl: engine: remove double-free"Daniel Stenberg
This reverts commit 370ee919b37cc9a46c36428b2bb1527eae5db2bd. Issue #509 has all the details but it was confirmed that the crash was not due to this, so the previous commit was wrong.
2015-10-27openssl: engine: remove double-freeDaniel Stenberg
After a successful call to SSL_CTX_use_PrivateKey(), we must not call EVP_PKEY_free() on the key. Reported-by: nased0 Closes #509
2015-10-23polarssl/mbedtls: fix name space pollutionDaniel Stenberg
Global private symbols MUST start with Curl_!
2015-10-23mbedTLS: THREADING_SUPPORT compilation fixDmitry S. Baikov
Closes #505
2015-10-22mbedtls:new profile with RSA min key len = 1024.m-gardet
Closes #502
2015-10-20vtls: fix compiler warning for TLS backends without sha256Daniel Stenberg
... noticed with mbedTLS.
2015-10-20vtls: added support for mbedTLSJonas Minnberg
closes #496
2015-10-11openssl: Fix set up of pkcs12 certificate verification chainErik Johansson
sk_X509_pop will decrease the size of the stack which means that the loop would end after having added only half of the certificates. Also make sure that the X509 certificate is freed in case SSL_CTX_add_extra_chain_cert fails.
2015-09-28openssl: Fix algorithm initMichael Kalinin
- Change algorithm init to happen after OpenSSL config load. Additional algorithms may be available due to the user's config so we initialize the algorithms after the user's config is loaded. Bug: https://github.com/bagder/curl/issues/447 Reported-by: Denis Feklushkin
2015-09-23gnutls: Report actual GnuTLS error message for certificate errorsMike Crowe
If GnuTLS fails to read the certificate then include whatever reason it provides in the failure message reported to the client. Signed-off-by: Mike Crowe <mac@mcrowe.com>
2015-09-22gnutls: Support CURLOPT_KEYPASSWDMike Crowe
The gnutls vtls back-end was previously ignoring any password set via CURLOPT_KEYPASSWD. Presumably this was because gnutls_certificate_set_x509_key_file did not support encrypted keys. gnutls now has a gnutls_certificate_set_x509_key_file2 function that does support encrypted keys. Let's determine at compile time whether the available gnutls supports this new function. If it does then use it to pass the password. If it does not then emit a helpful diagnostic if a password is set. This is preferable to the previous behaviour of just failing to read the certificate without giving a reason in that case. Signed-off-by: Mike Crowe <mac@mcrowe.com>
2015-09-19vtls: Change designator name for server's pubkey hashJay Satiro
- Change the designator name we use to show the base64 encoded sha256 hash of the server's public key from 'pinnedpubkey' to 'public key hash'. Though the server's public key hash is only shown when comparing pinned public key hashes, the server's hash may not match one of the pinned.
2015-09-19ssl: add server cert's "sha256//" hash to verboseDaniel Hwang
Add a "pinnedpubkey" section to the "Server Certificate" verbose Bug: https://github.com/bagder/curl/issues/410 Reported-by: W. Mark Kubacki Closes #430 Closes #410
2015-09-19openssl: don't output certinfo dataAlessandro Ghedini
2015-09-19openssl: refactor certificate parsing to use OpenSSL memory BIOAlessandro Ghedini
Fixes #427
2015-09-18nss: prevent NSS from incorrectly re-using a sessionKamil Dudka
Without this workaround, NSS re-uses a session cache entry despite the server name does not match. This causes SNI host name to differ from the actual host name. Consequently, certain servers (e.g. github.com) respond by 400 to such requests. Bug: https://bugzilla.mozilla.org/1202264
2015-09-18nss: check return values of NSS functionsKamil Dudka
2015-09-17openssl: build with < 0.9.8Daniel Stenberg
... without sha256 support and no define saying so. Reported-by: Rajkumar Mandal
2015-09-04nss: do not directly access SSL_ImplementedCiphers[]Kamil Dudka
It causes dynamic linking issues at run-time after an update of NSS. Bug: https://lists.fedoraproject.org/pipermail/devel/2015-September/214117.html
2015-08-21openssl: handle lack of server cert when strict checking disabledAlessandro Ghedini
If strict certificate checking is disabled (CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST are disabled) do not fail if the server doesn't present a certificate at all. Closes #392
2015-08-01schannel: Fix compilation warning from commit 7a8e861a56Steve Holme
schannel.c:1125:5: warning: missing initializer for field 'dwMinorVersion' of 'OSVERSIONINFOEX' [-Wmissing-field-initializers
2015-07-24openssl: work around MSVC warningMarcel Raad
MSVC 12 complains: lib\vtls\openssl.c(1554): warning C4701: potentially uninitialized local variable 'verstr' used It's a false positive, but as it's normally not, I have enabled warning-as-error for that warning.