Age | Commit message (Collapse) | Author |
|
- Implement new option CURLSSLOPT_REVOKE_BEST_EFFORT and
--ssl-revoke-best-effort to allow a "best effort" revocation check.
A best effort revocation check ignores errors indicating that the
revocation check was unable to take place. The reasoning is described in
detail below and
discussed further in the PR.
---
When running e.g. with Fiddler, the schannel backend fails with an
unhelpful error message:
Unknown error (0x80092012) - The revocation function was unable
to check revocation for the certificate.
Sadly, many enterprise users who are stuck behind MITM proxies suffer
the very same problem.
This has been discussed in plenty of issues:
https://github.com/curl/curl/issues/3727,
https://github.com/curl/curl/issues/264, for example.
In the latter, a Microsoft Edge developer even made the case that the
common behavior is to ignore issues when a certificate has no recorded
distribution point for revocation lists, or when the server is offline.
This is also known as "best effort" strategy and addresses the Fiddler
issue.
Unfortunately, this strategy was not chosen as the default for schannel
(and is therefore a backend-specific behavior: OpenSSL seems to happily
ignore the offline servers and missing distribution points).
To maintain backward-compatibility, we therefore add a new flag
(`CURLSSLOPT_REVOKE_BEST_EFFORT`) and a new option
(`--ssl-revoke-best-effort`) to select the new behavior.
Due to the many related issues in Git for Windows and GitHub Desktop, the
plan is to make this behavior the default in these software packages.
The test 2070 was added to verify this behavior, adapted from 310.
Based-on-work-by: georgeok <giorgos.n.oikonomou@gmail.com>
Co-authored-by: Markus Olsson <j.markus.olsson@gmail.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Closes https://github.com/curl/curl/pull/4981
|
|
- If an easy handle is owned by a multi different from the one specified
then return CURLM_BAD_EASY_HANDLE.
Prior to this change I assume user error could cause corruption.
Closes https://github.com/curl/curl/pull/5116
|
|
Ref: https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-cryptacquirecontexta#parameters
Reviewed-by: Marc Hörsken
Closes https://github.com/curl/curl/pull/5088
|
|
Makes curl_easy_getinfo() of "variable" numerical content instead return
the number set in the env variable `CURL_TIME`.
Makes curl_version() of "variable" textual content. This guarantees a
stable version string which can be tested against. Environment variable
`CURL_VERSION` defines the content.
Assisted-by: Mathias Gumz
|
|
This commit adds support to generate JSON via the writeout feature:
-w "%{json}"
It leverages the existing infrastructure as much as possible. Thus,
generating the JSON on STDERR is possible by:
-w "%{stderr}%{json}"
This implements a variant of
https://github.com/curl/curl/wiki/JSON#--write-out-json.
Closes #4870
|
|
My working build cmdline:
$ cmake -DCMAKE_PREFIX_PATH=$HOME/build-wolfssl -DCMAKE_USE_WOLFSSL=ON .
Assisted-by: Brad King
Closes #5095
|
|
Torture testing 2034 and 2037 found this.
Reported-by: Marc Hörsken
Fixes #5108
Closes #5109
|
|
Follow-up from 083603c63a3
|
|
Follow up to c52b342
Closes #5106
|
|
When libcurl retries a connection due to it being "seemingly dead" or by
REFUSED_STREAM, it will now only do it up to five times before giving up,
to avoid never-ending loops.
Reported-by: Dima Tisnek
Bug: https://curl.haxx.se/mail/lib-2020-03/0044.html
Closes #5074
|
|
|
Detected by Codacy
|
|
Reviewed by Daniel Stenberg
Reviewed by Marcel Raad
Closes #5078
|
|
Make sure each separate index in conn->tempaddr[] is used for a fixed
family (and only that family) during the connection process.
If family one takes a long time and family two fails immediately, the
previous logic could misbehave and retry the same family two address
repeatedly.
Reported-by: Paul Vixie
Reported-by: Jay Satiro
Fixes #5083
Fixes #4954
Closes #5089
|
|
- s/COFF/coff/
Some versions of windres do not recognize uppercase COFF as a valid
way to specify the COFF output format.
Reported-by: Steven Penny
Fixes https://github.com/curl/curl/issues/5099
Closes https://github.com/curl/curl/pull/5101
|
|
- Ignore CURLE_NOT_BUILT_IN errors returned by c-ares functions in
curl_easy_duphandle.
Prior to this change if c-ares was used as the resolver backend and
either it was too old or libcurl was built without IPv6 support then
some of our resolver functions could return CURLE_NOT_BUILT_IN to
curl_easy_duphandle causing it to fail.
Caused by c8f086b which shipped in 7.69.1.
Reported-by: Karl Chen
Fixes https://github.com/curl/curl/issues/5097
Closes https://github.com/curl/curl/pull/5100
|
|
This fix adds a defensive check for the case where the char *name in
struct libssh2_knownhost is NULL.
Fixes #5041
Closes #5062
|
|
1. The socks4 state machine was broken in the host resolving phase
2. The code now insists on IPv4-only when using SOCKS4 as the protocol
only supports that.
Regression from #4907 and 4a4b63d, shipped in 7.69.0
Reported-by: amishmm on github
Bug: https://github.com/curl/curl/issues/5053#issuecomment-596191594
Closes #5061
|
|
This silences a compilation warning with gcc -O3.
|
|
Closed #5030
|
|
|
New test 666 checks this is effective.
As the upload buffer size is significant in this kind of test, shorten it
in the similar test 652.
Fixes #4860
Closes #4833
Reported-by: RuurdBeerstra on github
|
|
Input buffer filling may delay the data sending if data reads are slow.
To overcome this problem, file and callback data reads do not accumulate
in the buffer anymore. All other data (memory data and mime framing) are
considered fast and are still concatenated in the buffer.
As this may highly impact performance in terms of data overhead, an early
end-of-part-data check is added to spare a read call.
When encoding a part's data, an encoder may require more bytes than made
available by a single read. In this case, the above rule does not apply
and reads are performed until the encoder is able to deliver some data.
Tests 643, 644, 645, 650 and 654 have been adapted to the output data
changes, with test data size reduced to avoid the boredom of long lists of
1-byte chunks in verification data.
New test 667 checks mimepost using single-byte read callback with encoder.
New test 668 checks the end of part data early detection.
Fixes #4826
Reported-by: MrdUkk on github
|
|
In case a read callback returns a status (pause, abort, eof,
error) instead of a byte count, drain the bytes read so far but
remember this status for further processing.
Takes care of not losing data when pausing, and properly resumes a
paused mime structure when requested.
New tests 670-673 check unpausing cases, with easy or multi
interface and mime or form api.
Fixes #4813
Reported-by: MrdUkk on github
|
|
With c-ares the dns parameters live in ares_channel. Store them in the
curl handle and set them again in easy_duphandle.
Regression introduced in #3228 (6765e6d), shipped in curl 7.63.0.
Fixes #4893
Closes #5020
Signed-off-by: Ernst Sjöstrand <ernst.sjostrand@verisure.com>
|
|
Closes #5010
|
|
|
There might be data available that was already read off the socket, for
example in the TLS layer.
Reported-by: Anders Berg
Fixes #4966
Closes #5049
|
|
Regression from 4a4b63d (and #4907)
Reported-by: vitaha85 on github
Fixes #5053
Closes #5056
|
|
Prior to this change a match would never be successful because it
was mistakenly coded to compare binary data from libssh to a
user-specified hex string (i.e. CURLOPT_SSH_HOST_PUBLIC_KEY_MD5).
Reported-by: fds242@users.noreply.github.com
Fixes https://github.com/curl/curl/issues/4971
Closes https://github.com/curl/curl/pull/4974
|
|
A NULL easy handle or an easy handle without an associated connection
cannot be paused or unpaused.
Closes #5050
|
|
Reviewed-by: Patrick Monnerat
Ref: #4833
Closes #5026
|
|
- Don't check errno on wakeup socket if sread returned 0 since sread
doesn't set errno in that case.
This is a follow-up to cf7760a from several days ago which fixed
Curl_multi_wait to stop busy looping sread on the non-blocking wakeup
socket if it was closed (i.e. sread returns 0). Due to a logic error it
was still possible to busy loop in that case if errno == EINTR.
Closes https://github.com/curl/curl/pull/5047
|
|
|
... as it is never set anywhere.
Follow-up to 2f44e94ef
Closes #5046
|
|
This reverts commit fa0216b294af4c7113a9040ca65eefc7fc18ac1c (from #5000)
Clearly that didn't solve the problem correctly.
Reported-by: Christopher Reid
Reopens #4966
Fixes #5044
|
|
Assisted-by: Jay Satiro
Follow-up to 6357a19ff29dac04
Closes #5036
|
|
This reverts commit 4feb38deed33fed14ff7c370a6a9153c661dbb9c (from #4956)
That commit broke test 1610 on macos builds without TLS.
Closes #5027
|
|
Reviewed-by: Daniel Stenberg
Closes #4956
|
|
|
We can use CC_MD4_Init/Update/Final without having to allocate memory
directly.
Closes #4979
|
|
It's unclear why it would ever return zero here, but this change fixes
Robert's problem and it shouldn't loop forever...
Reported-by: Robert Dunaj
Bug: https://curl.haxx.se/mail/archive-2020-02/0011.html
Closes #5019
|
|
As we have logic that checks if we get a >= 400 response code back before
the upload is done, which then got confused since it wasn't "done" but
yet there was no data to send!
Reported-by: IvanoG on github
Fixes #4996
Closes #5002
|
|
Due to the merge/revert cycle
|
|
This reverts commit 87869e38d7afdec3ef1bb4965711458b088e254f.
Fixes #5014
Closes #5015
Reopens #4833
|