Age | Commit message (Collapse) | Author |
|
There are server certificates used with IP address in the CN field, but
we MUST not allow wild cart certs for hostnames given as IP addresses
only. Therefore we must make Curl_cert_hostcheck() fail such attempts.
Bug: http://curl.haxx.se/docs/adv_20140326B.html
Reported-by: Richard Moore
|
|
In addition to FTP, other connection based protocols such as IMAP, POP3,
SMTP, SCP, SFTP and LDAP require a new connection when different log-in
credentials are specified. Fixed the detection logic to include these
other protocols.
Bug: http://curl.haxx.se/docs/adv_20140326A.html
|
|
The debug messages printed inside PolarSSL always seems to end with a
newline. So 'infof()' should not add one. Besides the trace 'line'
should be 'const'.
|
|
The parser skipped the initial letter, which presumably often is
whitespace but doesn't have to be.
Reported-by: Mike Hasselberg
Bug: http://curl.haxx.se/mail/lib-2014-03/0134.html
|
|
It leads to the "next family" tries starting from the wrong point and thus
fails!
Bug: http://curl.haxx.se/bug/view.cgi?id=1337
Reported-by: ricker
|
|
Because of the socket is unblocking, PolarSSL does need call to getsock to
get the action to perform in multi environment.
In some cases, it might happen we have not received yet all data to perform
the handshake. ssh_handshake returns POLARSSL_ERR_NET_WANT_READ, the state
is updated but because of the getsock has not the proper #define macro to,
the library never prevents to select socket for input thus the socket will
never be awaken when last data is available. Thus it leads to timeout.
|
|
Remove all #ifdef/else/endif macros that ensure compatibility with polarssl
version previous than 1.3.
|
|
API has changed since version 1.3. A compatibility header has been created
to ensure forward compatibility for code using old API:
* x509 certificate structure has been renamed to from x509_cert to
x509_crt
* new dedicated setter for RSA certificates ssl_set_own_cert_rsa,
ssl_set_own_cert is for generic keys
* ssl_default_ciphersuites has been replaced by function
ssl_list_ciphersuites()
This patch drops the use of the compatibly header.
|
|
|
|
Also fixed a function name change in the version requirement bump
|
|
Rename x509_cert to x509_crt and add "compat-1.2.h"
include.
This would still need some more thorough conversion
in order to drop "compat-1.2.h" include.
|
|
... if built against a new enough version of NSS
|
|
... if built against a new enough version of NSS
|
|
... but allow them to be enabled/disabled explicitly. The default
policy should be maintained at the NSS level.
|
|
|
|
|
|
|
|
|
|
... and use Curl_safefree() instead of free()
|
|
Patch-by: byte_bucket
|
|
|
|
|
|
Also, combined a couple of #ifdef sections
|
|
|
|
|
|
Port number zero is perfectly allowed to connect to. I moved to storing
the remote port number in an int so that -1 means undefined and 0-65535
can be used for legitimate port numbers.
|
|
Setting the TIMER_STARTSINGLE timestamp first in CONNECT has the
drawback that for actions that go back to the CONNECT state, the time
stamp is reset and for the multi_socket API there's no corresponding
Curl_expire() then so the timeout logic gets wrong!
Reported-by: Brad Spencer
Bug: http://curl.haxx.se/mail/lib-2014-02/0036.html
|
|
|
|
|
|
... as it isn't used then!
|
|
|
|
Remove slash/backslash problem, now only slashes are used,
Wmake automaticaly translate slash/backslash to proper version or tools are not sensitive for it.
Enable spaces in path.
Use internal rm command for all host platforms
Add error message if old Open Watcom version is used. Some old versions exhibit build problems for Curl latest version. Now only versions 1.8, 1.9 and 2.O beta are supported
|
|
Remove compilation message for platforms where size of long type
is equal size of int type.
|
|
|
|
For HTTP/2, we may read up everything including responde body with
header fields in Curl_http_readwrite_headers. If no content-length is
provided, curl waits for the connection close, which we emulate it
using conn->proto.httpc.closed = TRUE. The thing is if we read
everything, then http2_recv won't be called and we cannot signal the
HTTP/2 stream has closed. As a workaround, we return nonzero from
data_pending to call http2_recv.
|
|
nghttp2 has yet again extended its callback struct and this is an
attempt to make curl compile with nghttp2 from current git
|
|
darwinssl: don't omit CN verification when an IP address is used
|
|
|
|
Original commit message was:
Don't omit CN verification in SChannel when an IP address is used.
Side-effect of this change:
SChannel and CryptoAPI do not support the iPAddress subjectAltName
according to RFC 2818. If present, SChannel will first compare the
IP address to the dNSName subjectAltNames and then fallback to the
most specific Common Name in the Subject field of the certificate.
This means that after this change curl will not connect to SSL/TLS
hosts as long as the IP address is not specified in the SAN or CN
of the server certificate or the verifyhost option is disabled.
|
|
|
|
|
|
When asking for an SFTP directory with NOBODY set, no directory contents
should be retrieved.
Bug: http://curl.haxx.se/mail/lib-2014-02/0155.html
|
|
|
|
This patch enables HTTP POST/PUT in HTTP2.
We disabled Expect header field and chunked transfer encoding
since HTTP2 forbids them.
In HTTP1, Curl sends small upload data with request headers, but
HTTP2 requires upload data must be in DATA frame separately.
So we added some conditionals to achieve this.
|
|
When the multi API is used we must also ignore SIGPIPE signals when
caused by things we do, like they can easily be generated by OpenSSL.
|
|
It now disables NTLM and GSS authentication methods, and produces
compilable code when SSL is enabled.
|
|
... as documented!
|
|
|
|
Perform more work in between sleeps. This is work around the
fact that axtls does not expose any knowledge about when work needs
to be performed. Depending on connection and how often perform is
being called this can save ~25% of time on SSL handshakes (measured
on 20ms latency connection calling perform roughly every 10ms).
|
|
When allowing NTLM, the re-use connection logic was too focused on
finding an existing NTLM connection to use and didn't properly allow
re-use of other ones. This made the logic not re-use perfectly re-usable
connections.
Added test case 1418 and 1419 to verify.
Regression brought in 8ae35102c (curl 7.35.0)
Reported-by: Jeff King
Bug: http://thread.gmane.org/gmane.comp.version-control.git/242213
|