Age | Commit message | Author |
|
|
TLS False Start support requires iOS 7.0 or later, or OS X 10.9 or later.
|
|
Coverity CID 1291167 pointed out that 'rc' was received but never used when
gnutls_credentials_set() was used. Added return code check now.
|
|
Coverity CID 1291165 pointed out 'chainp' could be dereferenced when
NULL if gnutls_certificate_get_peers() had previously failed.
|
|
Coverity CID 1291166 pointed out that we could read this variable
uninitialized.
|
|
This option can be used to enable/disable TLS False Start defined in the RFC
draft-bmoeller-tls-falsestart.
|
|
... if disabled at libcurl level. Otherwise, we would allow NPN to be
negotiated even though curl was invoked with the --no-npn option.
|
|
The function "free" is documented in the way that no action shall occur for
a passed null pointer. It is therefore not needed that a function caller
repeats a corresponding check.
http://stackoverflow.com/questions/18775608/free-a-null-pointer-anyway-or-check-first
This issue was fixed by using the software Coccinelle 1.0.0-rc24.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
|
|
While the previous string worked, this is the documented format.
Reported-by: Richard Moore
|
|
This makes curl pick better (stronger) ciphers by default. The strongest
available ciphers are fine according to the HTTP/2 spec so an OpenSSL-built
curl is no longer rejected by strict HTTP/2 servers.
Bug: http://curl.haxx.se/bug/view.cgi?id=1487
|
|
Instead of printing cipher and MAC algorithm names separately, print the
whole cipher suite string which also includes the key exchange algorithm,
along with the negotiated TLS version.
|
|
Since they already exist and will make comparing easier
|
|
SSLeay was the name of the library that was subsequently turned into
OpenSSL many moons ago (1999). curl has not worked with the old SSLeay
library for years. This is now reflected by only using USE_OPENSSL in
code that depends on OpenSSL.
|
|
No need to use _MPRINTF_REPLACE internally.
|
|
In that case, we only skip writing the error message for failed NSS
initialization (while still returning the correct error code).
|
|
The vtls layer now checks the return value, so it is no longer necessary
to abort if a random number cannot be provided by NSS. This also fixes
the following Coverity report:
Error: FORWARD_NULL (CWE-476):
lib/vtls/nss.c:1918: var_compare_op: Comparing "data" to null implies that "data" might be null.
lib/vtls/nss.c:1923: var_deref_model: Passing null pointer "data" to "Curl_failf", which dereferences it.
lib/sendf.c:154:3: deref_parm: Directly dereferencing parameter "data".
|
|
Correctly check for memcmp() return value (it returns 0 if the strings match).
This is not really important, since curl is going to use http/1.1 anyway, but
it's still a bug I guess.
|
|
Correctly check for strncmp() return value (it returns 0 if the strings
match).
|
|
lib/vtls/openssl.c:1450:7: warning: extra tokens at end of #endif directive
|
|
For consistency with other conditionally compiled code in openssl.c,
use OPENSSL_IS_BORINGSSL rather than HAVE_BORINGSSL and try to use
HAVE_BORINGSSL outside of openssl.c when the OpenSSL header files are
not included.
|
|
Versions of OpenSSL prior to v0.9.8h do not support the necessary
functions for OCSP stapling.
|
|
Prior to this change the options for exclusive SSL protocol versions did
not actually set the protocol exclusive.
http://curl.haxx.se/mail/lib-2015-01/0002.html
Reported-by: Dan Fandrich
|
|
Removed the curl_ prefix from the schannel source files as discussed
with Marc and Daniel at FOSDEM.
|
|
The struct went private in 1.0.2 so we cannot read the version number
from there anymore. Use SSL_version() instead!
Reported-by: Gisle Vanem
Bug: http://curl.haxx.se/mail/lib-2015-02/0034.html
|
|
Modified the Curl_ossl_cert_status_request() function to return FALSE
when built with BoringSSL or when OpenSSL is missing the necessary TLS
extensions.
|
|
Fixed the build of openssl.c when OpenSSL is built without the necessary
TLS extensions for OCSP stapling.
Reported-by: John E. Malmberg
|
|