Age | Commit message (Collapse) | Author |
|
|
|
The module contains a more comprehensive set of trust information than
supported by nss-pem, because libnssckbi.so also includes information
about distrusted certificates.
Reviewed-by: Kai Engert
Closes #1414
|
|
No change of behavior is intended by this commit.
|
|
It could prevent nss-pem from being unloaded later on.
Bug: https://bugzilla.redhat.com/1444860
|
|
This commit fixes compilation failure caused by
cbae73e1dd95946597ea74ccb580c30f78e3fa73.
|
|
- Track when the cached encrypted data contains only a partial record
that can't be decrypted without more data (SEC_E_INCOMPLETE_MESSAGE).
- Change Curl_schannel_data_pending to return false in such a case.
Other SSL libraries have pending data functions that behave similarly.
Ref: https://github.com/curl/curl/pull/1387
Closes https://github.com/curl/curl/pull/1392
|
|
This reduces the binary size and fixes a compile warning.
|
|
... when failing to get the server certificate.
|
|
This fixes 3 warnings issued by MinGW:
1. PR_ImportTCPSocket actually has a paramter of type PROsfd instead of
PRInt32, which is 64 bits on Windows. Fixed this by including the
corresponding header file instead of redeclaring the function, which is
supported even though it is in the private include folder. [1]
2. In 64-bit mode, size_t is 64 bits while CK_ULONG is 32 bits, so an explicit
narrowing cast is needed.
3. Curl_timeleft returns time_t instead of long since commit
21aa32d30dbf319f2d336e0cb68d3a3235869fbb.
[1] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSPR/Reference/PR_ImportTCPSocket
Closes https://github.com/curl/curl/pull/1393
|
|
Move the sessionid flag to ssl_primary_config so that ssl and proxy_ssl
will each have their own sessionid flag.
Regression since HTTPS-Proxy support was added in cb4e2be. Prior to that
this issue had been fixed in 247d890, CVE-2016-5419.
Bug: https://github.com/curl/curl/issues/1341
Reported-by: lijian996@users.noreply.github.com
The new incarnation of this bug is called CVE-2017-7468 and is documented
here: https://curl.haxx.se/docs/adv_20170419.html
|
|
X.509 certificates carry public keys, not private keys. Fields
corresponding to the private half of the key will always be NULL.
Closes #1425
|
|
ERR_error_string with NULL parameter is not thread-safe. The library
writes the string into some static buffer. Two threads doing this at
once may clobber each other and run into problems. Switch to
ERR_error_string_n which avoids this problem and is explicitly
bounds-checked.
Also clean up some remnants of OpenSSL 0.9.5 around here. A number of
comments (fixed buffer size, explaining that ERR_error_string_n was
added in a particular version) date to when ossl_strerror tried to
support pre-ERR_error_string_n OpenSSLs.
Closes #1424
|
|
Rather than making assumptions about the values, use a switch-case.
Closes #1424
|
|
Add missing our_ssl_sessionid free call in mbed_connect_step3().
Closes #1417
|
|
ssl_session_init was only introduced in version 1.3.8, the penultimate
version. The function only contains a memset, so replace it with that.
Suggested-by: Jay Satiro
Fixes https://github.com/curl/curl/issues/1401
|
|
Closes #1402
|
|
... because they may include an intermediate certificate for a client
certificate and the intermediate certificate needs to be presented to
the server, no matter if we verify the peer or not.
Reported-by: thraidh
Closes #851
|
|
... by moving the variables into the correct #ifdef block.
|
|
When UNICODE is not defined, the Curl_convert_UTF8_to_tchar macro maps
directly to its argument. As it is declared as a pointer to const and
InitializeSecurityContext expects a pointer to non-const, both MSVC and MinGW
issue a warning about implicitly casting away the const. Fix this by declaring
the variables as pointers to non-const.
Closes https://github.com/curl/curl/pull/1394
|
|
Curl_timeleft returns time_t instead of long since commit
21aa32d30dbf319f2d336e0cb68d3a3235869fbb.
|
|
Curl_llist_alloc is now Curl_llist_init.
Closes https://github.com/curl/curl/pull/1391
|
|
If CURL_DISABLE_VERBOSE_STRINGS is defined, hostname is not used in
schannel_connect_step3.
|
|
- Fix compile errors that occur in openssl.c when OpenSSL lib was
built without DSA support.
Bug: https://github.com/curl/curl/issues/1361
Reported-by: neheb@users.noreply.github.com
|
|
No need to redeclare the variable.
|
|
Closes #1356
|
|
|
|
|
|
- If SSL_get_error is called but no extended error detail is available
then show that SSL_ERROR_* as a string.
Prior to this change there was some inconsistency in that case: the
SSL_ERROR_* code may or may not have been shown, or may have been shown
as unknown even if it was known.
Ref: https://github.com/curl/curl/issues/1300
Closes https://github.com/curl/curl/pull/1348
|
|
Ref: https://curl.haxx.se/mail/lib-2017-02/0097.html
Closes https://github.com/curl/curl/pull/1272
|
|
Broken a week ago in 6448f98.
Closes https://github.com/curl/curl/pull/1337
|
|
... by removing the else branch after a return, break or continue.
Closes #1310
|
|
Broken a few days ago in 6448f98.
Bug: https://curl.haxx.se/mail/lib-2017-03/0015.html
|
|
CID 1402159 and 1402158
|
|
|
|
Verified with OpenSSL 1.1.0e and OpenSSL master (1.1.1)
|
|
This commit introduces the CURL_SSLVERSION_MAX_* constants as well as
the --tls-max option of the curl tool.
Closes https://github.com/curl/curl/pull/1166
|
|
Mark intended fallthroughs with /* FALLTHROUGH */ so that gcc will know
it's expected and won't warn on [-Wimplicit-fallthrough=].
Closes https://github.com/curl/curl/pull/1297
|
|
In DarwinSSL the SSLSetPeerDomainName function is used to enable both
sending SNI and verifying the host. When host verification is disabled
the function cannot be called, therefore SNI is disabled as well.
Closes https://github.com/curl/curl/pull/1240
|
|
wolfSSL >= 3.6.0 supports getting its library version string at runtime.
|
|
|
|
Builds with axTLS 2.1.2. This then also breaks compatibility with axTLS
< 2.1.0 (the older API)
... and fix the session_id mixup brought in 04b4ee549
Fixes #1220
|
|
If the NSS code was in the middle of a non-blocking handshake and it
was asked to finish the handshake in blocking mode, it unexpectedly
continued in the non-blocking mode, which caused a FTPS connection
over CONNECT to fail with "(81) Socket not ready for send/recv".
Bug: https://bugzilla.redhat.com/1420327
|
|
Reported-by: Dan Fandrich
Bug: https://curl.haxx.se/mail/lib-2017-02/0032.html
|
|
The information extracted from the server certificates in step 3 is only
used when in verbose mode, and there is no error handling or validation
performed as that has already been done. Only run the certificate
information extraction when in verbose mode and libcurl was built with
verbose strings.
Closes https://github.com/curl/curl/pull/1246
|
|
- Remove the SNI disabled when host verification disabled message
since that is incorrect.
- Show a message for legacy versions of Windows <= XP that connections
may fail since those versions of WinSSL lack SNI, algorithms, etc.
Bug: https://github.com/curl/curl/pull/1240
|
|
SSL_CTX_add_extra_chain_cert takes ownership of the given certificate
while, despite the similar name, SSL_CTX_add_client_CA does not. Thus
it's best to call SSL_CTX_add_client_CA before
SSL_CTX_add_extra_chain_cert, while the code still has ownership of the
argument.
Closes https://github.com/curl/curl/pull/1236
|
|
closes #1227
|
|
SSL session reuse with TLS session tickets is not supported yet.
Use SSL session IDs instead.
See https://github.com/curl/curl/issues/1109
|
|
SSL session reuse with TLS session tickets is not supported yet.
Use SSL session IDs instead.
Fixes https://github.com/curl/curl/issues/1109
|
|
This bugfix is similar to commit c111178bd4.
|