Age | Commit message (Collapse) | Author |
|
|
|
- Switch from verifying a pinned public key in a callback during the
certificate verification to inline after the certificate verification.
The callback method had three problems:
1. If a pinned public key didn't match, CURLE_SSL_PINNEDPUBKEYNOTMATCH
was not returned.
2. If peer certificate verification was disabled the pinned key
verification did not take place as it should.
3. (related to #2) If there was no certificate of depth 0 the callback
would not have checked the pinned public key.
Though all those problems could have been fixed it would have made the
code more complex. Instead we now verify inline after the certificate
verification in mbedtls_connect_step2.
Ref: http://curl.haxx.se/mail/lib-2016-01/0047.html
Ref: https://github.com/bagder/curl/pull/601
|
|
... by extracting the LIB + REASON from the OpenSSL error code. OpenSSL
1.1.0+ returned a new func number of another cerfificate fail so this
required a fix and this is the better way to catch this error anyway.
|
|
|
|
|
|
- Fix ALPN reply detection.
- Wrap nghttp2 code in ifdef USE_NGHTTP2.
Prior to this change ALPN and HTTP/2 did not work properly in mbedTLS.
|
|
The function is only present in wolfssl/cyassl if it was built with
--enable-opensslextra. With these checks added, pinning support is disabled
unless the TLS lib has that function available.
Also fix the mistake in configure that checks for the wrong lib name.
Closes #566
|
|
|
|
|
|
|
|
... and stick to 1.1 for HTTP. This is in line with what browsers do and
should have very little risk.
|
|
Closes #491
|
|
|
|
|
|
|
|
This reverts commit 64e959ffe37c436503f9fed1ce2d6ee6ae50bd9a.
Feedback-by: Dan Fandrich
URL: http://curl.haxx.se/mail/lib-2015-11/0062.html
|
|
|
|
Regression from commit 7a8e861a5 as highlighted in the msys autobuilds.
|
|
Curl_ossl_init calls OPENSSL_load_builtin_modules() but
Curl_ossl_cleanup doesn't make a call to free these modules.
Bug: https://github.com/bagder/curl/issues/526
|
|
They tend to never get updated anyway so they're frequently inaccurate
and we never go back to revisit them anyway. We document issues to work
on properly in KNOWN_BUGS and TODO instead.
|
|
|
|
Simplify by removing #ifdefs and macros
|
|
|
|
We only support >= 0.9.7
|
|
|
|
BoringSSL implements `BIO_get_mem_data` as a function, instead of a
macro, and expects the output pointer to be a `char **`. We have to add
an explicit cast to grab the pointer as a `const char **`.
Closes #524
|
|
CID 1332129
|
|
CID 1332128
|
|
This reverts commit 370ee919b37cc9a46c36428b2bb1527eae5db2bd.
Issue #509 has all the details but it was confirmed that the crash was
not due to this, so the previous commit was wrong.
|
|
After a successful call to SSL_CTX_use_PrivateKey(), we must not call
EVP_PKEY_free() on the key.
Reported-by: nased0
Closes #509
|
|
Global private symbols MUST start with Curl_!
|
|
Closes #505
|
|
Closes #502
|
|
... noticed with mbedTLS.
|
|
closes #496
|
|
sk_X509_pop will decrease the size of the stack which means that the loop would
end after having added only half of the certificates.
Also make sure that the X509 certificate is freed in case
SSL_CTX_add_extra_chain_cert fails.
|
|
- Change algorithm init to happen after OpenSSL config load.
Additional algorithms may be available due to the user's config so we
initialize the algorithms after the user's config is loaded.
Bug: https://github.com/bagder/curl/issues/447
Reported-by: Denis Feklushkin
|
|
If GnuTLS fails to read the certificate then include whatever reason it
provides in the failure message reported to the client.
Signed-off-by: Mike Crowe <mac@mcrowe.com>
|
|
The gnutls vtls back-end was previously ignoring any password set via
CURLOPT_KEYPASSWD. Presumably this was because
gnutls_certificate_set_x509_key_file did not support encrypted keys.
gnutls now has a gnutls_certificate_set_x509_key_file2 function that
does support encrypted keys. Let's determine at compile time whether the
available gnutls supports this new function. If it does then use it to
pass the password. If it does not then emit a helpful diagnostic if a
password is set. This is preferable to the previous behaviour of just
failing to read the certificate without giving a reason in that case.
Signed-off-by: Mike Crowe <mac@mcrowe.com>
|
|
- Change the designator name we use to show the base64 encoded sha256
hash of the server's public key from 'pinnedpubkey' to
'public key hash'.
Though the server's public key hash is only shown when comparing pinned
public key hashes, the server's hash may not match one of the pinned.
|
|
Add a "pinnedpubkey" section to the "Server Certificate" verbose
Bug: https://github.com/bagder/curl/issues/410
Reported-by: W. Mark Kubacki
Closes #430
Closes #410
|
|
|
|
Fixes #427
|
|
Without this workaround, NSS re-uses a session cache entry despite the
server name does not match. This causes SNI host name to differ from
the actual host name. Consequently, certain servers (e.g. github.com)
respond by 400 to such requests.
Bug: https://bugzilla.mozilla.org/1202264
|
|
|
|
... without sha256 support and no define saying so.
Reported-by: Rajkumar Mandal
|
|
It causes dynamic linking issues at run-time after an update of NSS.
Bug: https://lists.fedoraproject.org/pipermail/devel/2015-September/214117.html
|
|
If strict certificate checking is disabled (CURLOPT_SSL_VERIFYPEER
and CURLOPT_SSL_VERIFYHOST are disabled) do not fail if the server
doesn't present a certificate at all.
Closes #392
|
|
schannel.c:1125:5: warning: missing initializer for field 'dwMinorVersion'
of 'OSVERSIONINFOEX' [-Wmissing-field-initializers
|
|
MSVC 12 complains:
lib\vtls\openssl.c(1554): warning C4701: potentially uninitialized local
variable 'verstr' used It's a false positive, but as it's normally not,
I have enabled warning-as-error for that warning.
|