path: root/lib/vtls
Age  Commit message  Author

2017-03-23  openssl: fall back on SSL_ERROR_* string when no error detail  (Jay Satiro)
    - If SSL_get_error is called but no extended error detail is available
      then show that SSL_ERROR_* as a string. Prior to this change there was
      some inconsistency in that case: the SSL_ERROR_* code may or may not
      have been shown, or may have been shown as unknown even if it was known.
    Ref: https://github.com/curl/curl/issues/1300
    Closes https://github.com/curl/curl/pull/1348

2017-03-21  mbedtls: add support for CURLOPT_SSL_CTX_FUNCTION  (Ales Mlakar)
    Ref: https://curl.haxx.se/mail/lib-2017-02/0097.html
    Closes https://github.com/curl/curl/pull/1272

2017-03-18  darwinssl: fix typo in variable name  (Palo Markovic)
    Broken a week ago in 6448f98.
    Closes https://github.com/curl/curl/pull/1337

2017-03-13  Improve code readability  (Sylvestre Ledru)
    ... by removing the else branch after a return, break or continue.
    Closes #1310
2017-03-11  mbedtls: fix typo in variable name  (Thomas Glanzmann)
    Broken a few days ago in 6448f98.
    Bug: https://curl.haxx.se/mail/lib-2017-03/0015.html

2017-03-10  openssl: add two /* FALLTHROUGH */ to satisfy coverity  (Daniel Stenberg)
    CID 1402159 and 1402158

2017-03-09  polarssl: fixed compile errors introduced in 6448f98c  (Dan Fandrich)

2017-03-08  openssl: unbreak the build after 6448f98c1857de  (Daniel Stenberg)
    Verified with OpenSSL 1.1.0e and OpenSSL master (1.1.1)

2017-03-08  vtls: add options to specify range of enabled TLS versions  (Jozef Kralik)
    This commit introduces the CURL_SSLVERSION_MAX_* constants as well as
    the --tls-max option of the curl tool.
    Closes https://github.com/curl/curl/pull/1166

2017-03-03  build: fix gcc7 implicit fallthrough warnings  (Alexis La Goutte)
    Mark intended fallthroughs with /* FALLTHROUGH */ so that gcc will know
    it's expected and won't warn on [-Wimplicit-fallthrough=].
    Closes https://github.com/curl/curl/pull/1297
2017-03-02  darwinssl: Warn that disabling host verify also disables SNI  (JDepooter)
    In DarwinSSL the SSLSetPeerDomainName function is used to enable both
    sending SNI and verifying the host. When host verification is disabled
    the function cannot be called, therefore SNI is disabled as well.
    Closes https://github.com/curl/curl/pull/1240

2017-02-26  cyassl: get library version string at runtime  (Jay Satiro)
    wolfSSL >= 3.6.0 supports getting its library version string at runtime.

2017-02-21  cyassl: fix typo  (Jay Satiro)

2017-02-15  axtls: adapt to API changes  (Daniel Stenberg)
    Builds with axTLS 2.1.2. This then also breaks compatibility with
    axTLS < 2.1.0 (the older API)
    ... and fix the session_id mixup brought in 04b4ee549
    Fixes #1220

2017-02-09  nss: make FTPS work with --proxytunnel  (Kamil Dudka)
    If the NSS code was in the middle of a non-blocking handshake and it was
    asked to finish the handshake in blocking mode, it unexpectedly continued
    in the non-blocking mode, which caused a FTPS connection over CONNECT to
    fail with "(81) Socket not ready for send/recv".
    Bug: https://bugzilla.redhat.com/1420327

2017-02-08  polarssl, mbedtls: Fix detection of pending data  (Michael Kaufmann)
    Reported-by: Dan Fandrich
    Bug: https://curl.haxx.se/mail/lib-2017-02/0032.html
2017-02-07  darwinssl: Avoid parsing certificates when not in verbose mode  (Daniel Gustafsson)
    The information extracted from the server certificates in step 3 is only
    used when in verbose mode, and there is no error handling or validation
    performed as that has already been done. Only run the certificate
    information extraction when in verbose mode and libcurl was built with
    verbose strings.
    Closes https://github.com/curl/curl/pull/1246

2017-02-07  schannel: Remove incorrect SNI disabled message  (JDepooter)
    - Remove the SNI disabled when host verification disabled message since
      that is incorrect.
    - Show a message for legacy versions of Windows <= XP that connections
      may fail since those versions of WinSSL lack SNI, algorithms, etc.
    Bug: https://github.com/curl/curl/pull/1240

2017-01-31  openssl: Don't use certificate after transferring ownership  (Adam Langley)
    SSL_CTX_add_extra_chain_cert takes ownership of the given certificate
    while, despite the similar name, SSL_CTX_add_client_CA does not. Thus
    it's best to call SSL_CTX_add_client_CA before
    SSL_CTX_add_extra_chain_cert, while the code still has ownership of the
    argument.
    Closes https://github.com/curl/curl/pull/1236

2017-01-29  mbedtls: implement CTR-DRBG and HAVEGE random generators  (Antoine Aubert)
    closes #1227

2017-01-28  mbedtls: disable TLS session tickets  (Michael Kaufmann)
    SSL session reuse with TLS session tickets is not supported yet. Use SSL
    session IDs instead.
    See https://github.com/curl/curl/issues/1109

2017-01-28  gnutls: disable TLS session tickets  (Michael Kaufmann)
    SSL session reuse with TLS session tickets is not supported yet. Use SSL
    session IDs instead.
    Fixes https://github.com/curl/curl/issues/1109
2017-01-28  polarssl: fix hangs  (Michael Kaufmann)
    This bugfix is similar to commit c111178bd4.

2017-01-22  vtls: source indentation fix  (Daniel Stenberg)

2017-01-20  vtls: fix PolarSSL non-blocking handling  (Daniel Stenberg)
    A regression brought in cb4e2be
    Reported-by: Michael Kaufmann
    Bug: https://github.com/curl/curl/issues/1174#issuecomment-274018791

2017-01-20  vtls: fix mbedtls multi non blocking handshake.  (Antoine Aubert)
    When using multi, mbedtls handshake is in non blocking mode. vtls must
    set wait for read/write flags for the socket.
    Closes #1223

2017-01-17  openssl: Fix random generation  (Jay Satiro)
    - Fix logic error in Curl_ossl_random. Broken a few days ago in 807698d.

2017-01-15  nss: use the correct lock in nss_find_slot_by_name()  (Kamil Dudka)

2017-01-13  gnutls: check for alpn and ocsp in configure  (Marcus Hoffmann)
    Check for presence of gnutls_alpn_* and gnutls_ocsp_* functions during
    configure instead of relying on the version number. GnuTLS has options
    to turn these features off and we can just work with such builds like we
    work with older versions.
    Signed-off-by: Marcus Hoffmann <m.hoffmann@cartelsol.com>
    Closes #1204
2017-01-12  rand: make it work without TLS backing  (Daniel Stenberg)
    Regression introduced in commit f682156a4fc6c4
    Reported-by: John Kohl
    Bug: https://curl.haxx.se/mail/lib-2017-01/0055.html

2017-01-07  wolfssl: display negotiated SSL version and cipher  (Dan Fandrich)

2017-01-06  wolfssl: support setting cipher list  (Dan Fandrich)

2017-01-03  darwinssl: --insecure overrides --cacert if both settings are in use  (Nick Zitzmann)
    Fixes #1184

2016-12-27  darwinssl: fix CFArrayRef leak  (Chris Araman)
    Reviewed-by: Nick Zitzmann
    Closes #1173

2016-12-27  darwinssl: fix iOS build  (Chris Araman)
    Reviewed-by: Nick Zitzmann
    Fixes #1172

2016-12-26  vtls: s/SSLEAY/OPENSSL  (Daniel Stenberg)
    Fixed an old leftover use of the USE_SSLEAY define which would make a
    socket get removed from the application's sockets to monitor when the
    multi_socket API was used, leading to timeouts.
    Bug: #1174
2016-12-24  cyassl: use time_t instead of long for timeout  (Jay Satiro)

2016-12-23  openssl-random: check return code when asking for random  (Daniel Stenberg)
    and fail appropriately if it returns error

2016-12-23  gnutls-random: check return code for failed random  (Daniel Stenberg)

2016-12-19  schannel: fix wildcard cert name validation on Win CE  (Dan McNulty)
    Fixes a few issues in manual wildcard cert name validation in schannel
    support code for Win32 CE:
    - when comparing the wildcard name to the hostname, the wildcard
      character was removed from the cert name and the hostname was checked
      to see if it ended with the modified cert name. This allowed cert names
      like *.com to match the connection hostname. This violates
      recommendations from RFC 6125.
    - when the wildcard name in the certificate is longer than the connection
      hostname, a buffer overread of the connection hostname buffer would
      occur during the comparison of the certificate name and the connection
      hostname.

2016-12-18  openssl: simplify expression in Curl_ossl_version  (Michael Kaufmann)

2016-12-14  checksrc: warn for assignments within if() expressions  (Daniel Stenberg)
    ... they're already frowned upon in our source code style guide, this now
    enforces the rule harder.

2016-12-13  checksrc: stricter no-space-before-paren enforcement  (Daniel Stenberg)
    In order to make the code style more uniform everywhere
2016-12-07  openssl: don't use OpenSSL's ERR_PACK.  (Adam Langley)
    ERR_PACK is an internal detail of OpenSSL. Also, when using it, a
    function name must be specified which is overly specific: the test will
    break whenever OpenSSL internally changes things so that a different
    function creates the error.
    Closes #1157

2016-11-30  cyassl: fixed typo introduced in 4f8b1774  (Dan Fandrich)

2016-11-26  curl_version_info: add CURL_VERSION_HTTPS_PROXY  (Okhin Vasilij)
    Closes #1142

2016-11-25  HTTPS Proxy: Implement CURLOPT_PROXY_PINNEDPUBLICKEY  (Thomas Glanzmann)

2016-11-24  checksrc: move open braces to comply with function declaration style  (Daniel Stenberg)

2016-11-24  checksrc: white space edits to comply to stricter checksrc  (Daniel Stenberg)

2016-11-24  checksrc: code style: use 'char *name' style  (Daniel Stenberg)