aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls
AgeCommit message (Collapse)Author
2017-03-08vtls: add options to specify range of enabled TLS versionsJozef Kralik
This commit introduces the CURL_SSLVERSION_MAX_* constants as well as the --tls-max option of the curl tool. Closes https://github.com/curl/curl/pull/1166
2017-03-03build: fix gcc7 implicit fallthrough warningsAlexis La Goutte
Mark intended fallthroughs with /* FALLTHROUGH */ so that gcc will know it's expected and won't warn on [-Wimplicit-fallthrough=]. Closes https://github.com/curl/curl/pull/1297
2017-03-02darwinssl: Warn that disabling host verify also disables SNIJDepooter
In DarwinSSL the SSLSetPeerDomainName function is used to enable both sending SNI and verifying the host. When host verification is disabled the function cannot be called, therefore SNI is disabled as well. Closes https://github.com/curl/curl/pull/1240
2017-02-26cyassl: get library version string at runtimeJay Satiro
wolfSSL >= 3.6.0 supports getting its library version string at runtime.
2017-02-21cyassl: fix typoJay Satiro
2017-02-15axtls: adapt to API changesDaniel Stenberg
Builds with axTLS 2.1.2. This then also breaks compatibility with axTLS < 2.1.0 (the older API) ... and fix the session_id mixup brought in 04b4ee549 Fixes #1220
2017-02-09nss: make FTPS work with --proxytunnelKamil Dudka
If the NSS code was in the middle of a non-blocking handshake and it was asked to finish the handshake in blocking mode, it unexpectedly continued in the non-blocking mode, which caused a FTPS connection over CONNECT to fail with "(81) Socket not ready for send/recv". Bug: https://bugzilla.redhat.com/1420327
2017-02-08polarssl, mbedtls: Fix detection of pending dataMichael Kaufmann
Reported-by: Dan Fandrich Bug: https://curl.haxx.se/mail/lib-2017-02/0032.html
2017-02-07darwinssl: Avoid parsing certificates when not in verbose modeDaniel Gustafsson
The information extracted from the server certificates in step 3 is only used when in verbose mode, and there is no error handling or validation performed as that has already been done. Only run the certificate information extraction when in verbose mode and libcurl was built with verbose strings. Closes https://github.com/curl/curl/pull/1246
2017-02-07schannel: Remove incorrect SNI disabled messageJDepooter
- Remove the SNI disabled when host verification disabled message since that is incorrect. - Show a message for legacy versions of Windows <= XP that connections may fail since those versions of WinSSL lack SNI, algorithms, etc. Bug: https://github.com/curl/curl/pull/1240
2017-01-31openssl: Don't use certificate after transferring ownershipAdam Langley
SSL_CTX_add_extra_chain_cert takes ownership of the given certificate while, despite the similar name, SSL_CTX_add_client_CA does not. Thus it's best to call SSL_CTX_add_client_CA before SSL_CTX_add_extra_chain_cert, while the code still has ownership of the argument. Closes https://github.com/curl/curl/pull/1236
2017-01-29mbedtls: implement CTR-DRBG and HAVEGE random generatorsAntoine Aubert
closes #1227
2017-01-28mbedtls: disable TLS session ticketsMichael Kaufmann
SSL session reuse with TLS session tickets is not supported yet. Use SSL session IDs instead. See https://github.com/curl/curl/issues/1109
2017-01-28gnutls: disable TLS session ticketsMichael Kaufmann
SSL session reuse with TLS session tickets is not supported yet. Use SSL session IDs instead. Fixes https://github.com/curl/curl/issues/1109
2017-01-28polarssl: fix hangsMichael Kaufmann
This bugfix is similar to commit c111178bd4.
2017-01-22vtls: source indentation fixDaniel Stenberg
2017-01-20vtls: fix PolarSSL non-blocking handlingDaniel Stenberg
A regression brought in cb4e2be Reported-by: Michael Kaufmann Bug: https://github.com/curl/curl/issues/1174#issuecomment-274018791
2017-01-20vtls: fix mbedtls multi non blocking handshake.Antoine Aubert
When using multi, mbedtls handshake is in non blocking mode. vtls must set wait for read/write flags for the socket. Closes #1223
2017-01-17openssl: Fix random generationJay Satiro
- Fix logic error in Curl_ossl_random. Broken a few days ago in 807698d.
2017-01-15nss: use the correct lock in nss_find_slot_by_name()Kamil Dudka
2017-01-13gnutls: check for alpn and ocsp in configureMarcus Hoffmann
Check for presence of gnutls_alpn_* and gnutls_ocsp_* functions during configure instead of relying on the version number. GnuTLS has options to turn these features off and we ca just work with with such builds like we work with older versions. Signed-off-by: Marcus Hoffmann <m.hoffmann@cartelsol.com> Closes #1204
2017-01-12rand: make it work without TLS backingDaniel Stenberg
Regression introduced in commit f682156a4fc6c4 Reported-by: John Kohl Bug: https://curl.haxx.se/mail/lib-2017-01/0055.html
2017-01-07wolfssl: display negotiated SSL version and cipherDan Fandrich
2017-01-06wolfssl: support setting cipher listDan Fandrich
2017-01-03darwinssl: --insecure overrides --cacert if both settings are in useNick Zitzmann
Fixes #1184
2016-12-27darwinssl: fix CFArrayRef leakChris Araman
Reviewed-by: Nick Zitzmann Closes #1173
2016-12-27darwinssl: fix iOS buildChris Araman
Reviewed-by: Nick Zitzmann Fixes #1172
2016-12-26vtls: s/SSLEAY/OPENSSLDaniel Stenberg
Fixed an old leftover use of the USE_SSLEAY define which would make a socket get removed from the applications sockets to monitor when the multi_socket API was used, leading to timeouts. Bug: #1174
2016-12-24cyassl: use time_t instead of long for timeoutJay Satiro
2016-12-23openssl-random: check return code when asking for randomDaniel Stenberg
and fail appropriately if it returns error
2016-12-23gnutls-random: check return code for failed randomDaniel Stenberg
2016-12-19schannel: fix wildcard cert name validation on Win CEDan McNulty
Fixes a few issues in manual wildcard cert name validation in schannel support code for Win32 CE: - when comparing the wildcard name to the hostname, the wildcard character was removed from the cert name and the hostname was checked to see if it ended with the modified cert name. This allowed cert names like *.com to match the connection hostname. This violates recommendations from RFC 6125. - when the wildcard name in the certificate is longer than the connection hostname, a buffer overread of the connection hostname buffer would occur during the comparison of the certificate name and the connection hostname.
2016-12-18openssl: simplify expression in Curl_ossl_versionMichael Kaufmann
2016-12-14checksrc: warn for assignments within if() expressionsDaniel Stenberg
... they're already frowned upon in our source code style guide, this now enforces the rule harder.
2016-12-13checksrc: stricter no-space-before-paren enforcementDaniel Stenberg
In order to make the code style more uniform everywhere
2016-12-07openssl: don't use OpenSSL's ERR_PACK.Adam Langley
ERR_PACK is an internal detail of OpenSSL. Also, when using it, a function name must be specified which is overly specific: the test will break whenever OpenSSL internally change things so that a different function creates the error. Closes #1157
2016-11-30cyassl: fixed typo introduced in 4f8b1774Dan Fandrich
2016-11-26curl_version_info: add CURL_VERSION_HTTPS_PROXYOkhin Vasilij
Closes #1142
2016-11-25HTTPS Proxy: Implement CURLOPT_PROXY_PINNEDPUBLICKEYThomas Glanzmann
2016-11-24checksrc: move open braces to comply with function declaration styleDaniel Stenberg
2016-11-24checksrc: white space edits to comply to stricter checksrcDaniel Stenberg
2016-11-24checksrc: code style: use 'char *name' styleDaniel Stenberg
2016-11-24openssl: remove dead codeDaniel Stenberg
Coverity CID 1394666
2016-11-24HTTPS-proxy: fixed mbedtls and polishingOkhin Vasilij
2016-11-24darwinssl: adopted to the HTTPS proxy changesDaniel Stenberg
It builds and runs all test cases. No adaptations for actual HTTPS proxy support has been made.
2016-11-24gtls: fix indent to silence compiler warningDaniel Stenberg
vtls/gtls.c: In function ‘Curl_gtls_data_pending’: vtls/gtls.c:1429:3: error: this ‘if’ clause does not guard... [-Werror=misleading-indentation] if(conn->proxy_ssl[connindex].session && ^~ vtls/gtls.c:1433:5: note: ...this statement, but the latter is misleadingly indented as if it is guarded by the ‘if’ return res;
2016-11-24mbedtls: Fix compile errorsThomas Glanzmann
2016-11-24proxy: Support HTTPS proxy and SOCKS+HTTP(s)Alex Rousskov
* HTTPS proxies: An HTTPS proxy receives all transactions over an SSL/TLS connection. Once a secure connection with the proxy is established, the user agent uses the proxy as usual, including sending CONNECT requests to instruct the proxy to establish a [usually secure] TCP tunnel with an origin server. HTTPS proxies protect nearly all aspects of user-proxy communications as opposed to HTTP proxies that receive all requests (including CONNECT requests) in vulnerable clear text. With HTTPS proxies, it is possible to have two concurrent _nested_ SSL/TLS sessions: the "outer" one between the user agent and the proxy and the "inner" one between the user agent and the origin server (through the proxy). This change adds supports for such nested sessions as well. A secure connection with a proxy requires its own set of the usual SSL options (their actual descriptions differ and need polishing, see TODO): --proxy-cacert FILE CA certificate to verify peer against --proxy-capath DIR CA directory to verify peer against --proxy-cert CERT[:PASSWD] Client certificate file and password --proxy-cert-type TYPE Certificate file type (DER/PEM/ENG) --proxy-ciphers LIST SSL ciphers to use --proxy-crlfile FILE Get a CRL list in PEM format from the file --proxy-insecure Allow connections to proxies with bad certs --proxy-key KEY Private key file name --proxy-key-type TYPE Private key file type (DER/PEM/ENG) --proxy-pass PASS Pass phrase for the private key --proxy-ssl-allow-beast Allow security flaw to improve interop --proxy-sslv2 Use SSLv2 --proxy-sslv3 Use SSLv3 --proxy-tlsv1 Use TLSv1 --proxy-tlsuser USER TLS username --proxy-tlspassword STRING TLS password --proxy-tlsauthtype STRING TLS authentication type (default SRP) All --proxy-foo options are independent from their --foo counterparts, except --proxy-crlfile which defaults to --crlfile and --proxy-capath which defaults to --capath. Curl now also supports %{proxy_ssl_verify_result} --write-out variable, similar to the existing %{ssl_verify_result} variable. Supported backends: OpenSSL, GnuTLS, and NSS. * A SOCKS proxy + HTTP/HTTPS proxy combination: If both --socks* and --proxy options are given, Curl first connects to the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS proxy. TODO: Update documentation for the new APIs and --proxy-* options. Look for "Added in 7.XXX" marks.
2016-11-24Limit ASN.1 structure sizes to 256K. Prevent some allocation size overflows.Patrick Monnerat
See CRL-01-006.
2016-11-19vtls: fix build warningsMarcel Raad
Fix warnings about conversions from long to time_t in openssl.c and schannel.c. Follow-up to de4de4e3c7c