aboutsummaryrefslogtreecommitdiff
path: root/src/tool_help.c
AgeCommit message (Collapse)Author
2016-11-24proxy: Support HTTPS proxy and SOCKS+HTTP(s)Alex Rousskov
* HTTPS proxies: An HTTPS proxy receives all transactions over an SSL/TLS connection. Once a secure connection with the proxy is established, the user agent uses the proxy as usual, including sending CONNECT requests to instruct the proxy to establish a [usually secure] TCP tunnel with an origin server. HTTPS proxies protect nearly all aspects of user-proxy communications as opposed to HTTP proxies that receive all requests (including CONNECT requests) in vulnerable clear text. With HTTPS proxies, it is possible to have two concurrent _nested_ SSL/TLS sessions: the "outer" one between the user agent and the proxy and the "inner" one between the user agent and the origin server (through the proxy). This change adds supports for such nested sessions as well. A secure connection with a proxy requires its own set of the usual SSL options (their actual descriptions differ and need polishing, see TODO): --proxy-cacert FILE CA certificate to verify peer against --proxy-capath DIR CA directory to verify peer against --proxy-cert CERT[:PASSWD] Client certificate file and password --proxy-cert-type TYPE Certificate file type (DER/PEM/ENG) --proxy-ciphers LIST SSL ciphers to use --proxy-crlfile FILE Get a CRL list in PEM format from the file --proxy-insecure Allow connections to proxies with bad certs --proxy-key KEY Private key file name --proxy-key-type TYPE Private key file type (DER/PEM/ENG) --proxy-pass PASS Pass phrase for the private key --proxy-ssl-allow-beast Allow security flaw to improve interop --proxy-sslv2 Use SSLv2 --proxy-sslv3 Use SSLv3 --proxy-tlsv1 Use TLSv1 --proxy-tlsuser USER TLS username --proxy-tlspassword STRING TLS password --proxy-tlsauthtype STRING TLS authentication type (default SRP) All --proxy-foo options are independent from their --foo counterparts, except --proxy-crlfile which defaults to --crlfile and --proxy-capath which defaults to --capath. Curl now also supports %{proxy_ssl_verify_result} --write-out variable, similar to the existing %{ssl_verify_result} variable. Supported backends: OpenSSL, GnuTLS, and NSS. * A SOCKS proxy + HTTP/HTTPS proxy combination: If both --socks* and --proxy options are given, Curl first connects to the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS proxy. TODO: Update documentation for the new APIs and --proxy-* options. Look for "Added in 7.XXX" marks.
2016-11-16tool_help: Clarify --dump-header only writes received headersJay Satiro
2016-11-15curl: add --fail-early to help outputDaniel Stenberg
Fixes test 1139 failures Follow-up to f82bbe01c8835
2016-11-11curl: Add --retry-connrefusedDaniel Hwang
to consider ECONNREFUSED as a transient error. Closes #1064
2016-11-07curl: introduce the --tlsv1.3 option to force TLS 1.3Kamil Dudka
Fully implemented with the NSS backend only for now. Reviewed-by: Ray Satiro
2016-04-29curl: show the long option version of -q in the -h listDaniel Stenberg
2016-04-29curl: mention --ntlm-wb in -h listDaniel Stenberg
2016-04-29curl: -h output lacked --proxy-headerDaniel Stenberg
2016-04-18tool: add --tcp-fastopen optionAlessandro Ghedini
2016-04-17news: CURLOPT_CONNECT_TO and --connect-toMichael Kaufmann
Makes curl connect to the given host+port instead of the host+port found in the URL.
2016-03-31http2: support "prior knowledge", no upgrade from HTTP/1.1Diego Bes
Supports HTTP/2 over clear TCP - Optimize switching to HTTP/2 by removing calls to init and setup before switching. Switching will eventually call setup and setup calls init. - Supports new version to “force” the use of HTTP/2 over clean TCP - Add common line parameter “--http2-prior-knowledge” to the Curl command line tool.
2016-02-23TFTP: add option to suppress TFTP option requests (Part 2)Jay Satiro
- Add tests. - Add an example to CURLOPT_TFTP_NO_OPTIONS.3. - Add --tftp-no-options to expose CURLOPT_TFTP_NO_OPTIONS. Bug: https://github.com/curl/curl/issues/481
2016-02-03URLs: change all http:// URLs to https://Daniel Stenberg
2015-12-15curl --expect100-timeout: addedDaniel Stenberg
This is the new command line option to set the value for the existing libcurl option CURLOPT_EXPECT_100_TIMEOUT_MS
2015-10-17cookies: Add support for Mozilla's Publix Suffix ListTim Rühsen
Use libpsl to check the domain value of Set-Cookie headers (and cookie jar entries) for not being a Publix Suffix. The configure script checks for "libpsl" by default. Disable the check with --without-libpsl. Ref: https://publicsuffix.org/ Ref: https://github.com/publicsuffix/list Ref: https://github.com/rockdaboot/libpsl
2015-08-22CURLOPT_DEFAULT_PROTOCOL: addedNathaniel Waisbrot
- Add new option CURLOPT_DEFAULT_PROTOCOL to allow specifying a default protocol for schemeless URLs. - Add new tool option --proto-default to expose CURLOPT_DEFAULT_PROTOCOL. In the case of schemeless URLs libcurl will behave in this way: When the option is used libcurl will use the supplied default. When the option is not used, libcurl will follow its usual plan of guessing from the hostname and falling back to 'http'.
2015-07-17SSL: Add an option to disable certificate revocation checksJay Satiro
New tool option --ssl-no-revoke. New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS. Currently this option applies only to WinSSL where we have automatic certificate revocation checking by default. According to the ssl-compared chart there are other backends that have automatic checking (NSS, wolfSSL and DarwinSSL) so we could possibly accommodate them at some later point. Bug: https://github.com/bagder/curl/issues/264 Reported-by: zenden2k <zenden2k@gmail.com>
2015-07-01SSL: Pinned public key hash supportmoparisthebest
2015-06-21tool_help: fix --tlsv1 help text to use >= for TLSv1Lior Kaplan
2015-06-18tool: always provide negotiate/kerberos optionsDaniel Stenberg
libcurl can still be built with it, even if the tool is not. Maintain independence!
2015-06-08help: Add --proxy-service-name and --service-name to the --help outputLinus Nielsen
2015-05-08tool_help: fix formatting for --next optionAlessandro Ghedini
2015-04-25tool: New option --data-raw to HTTP POST data, '@' allowed.Anthony Avina
Add new option --data-raw which is almost the same as --data but does not have a special interpretation of the @ character. Prior to this change there was no (easy) way to pass the @ character as the first character in POST data without it being interpreted as a special character. Bug: https://github.com/bagder/curl/issues/198 Reported-by: Jens Rantil
2015-04-22cyassl: Implement public key pinningJay Satiro
Also add public key extraction example to CURLOPT_PINNEDPUBLICKEY doc.
2015-04-22nss: implement public key pinning for NSS backendKamil Dudka
Bug: https://bugzilla.redhat.com/1195771
2015-03-24CURLOPT_PATH_AS_IS: addedDaniel Stenberg
--path-as-is is the command line option Added docs in curl.1 and CURLOPT_PATH_AS_IS.3 Added test in test 1241
2015-03-20curl: add --false-start optionAlessandro Ghedini
2015-01-16help: add --cert-status to --help outputDaniel Stenberg
2014-12-26code/docs: Use Unix rather than UNIX to avoid use of the trademarkSteve Holme
Use Unix when generically writing about Unix based systems as UNIX is the trademark and should only be used in a particular product's name.
2014-12-25tool_help: Use camel case for UNIX sockets feature outputSteve Holme
In line with the other features listed in the --version output, capitalise the UNIX socket feature.
2014-12-04tool: add --unix-socket optionPeter Wu
Signed-off-by: Peter Wu <peter@lekensteyn.nl>
2014-12-04libcurl: add UNIX domain sockets supportPeter Wu
The ability to do HTTP requests over a UNIX domain socket has been requested before, in Apr 2008 [0][1] and Sep 2010 [2]. While a discussion happened, no patch seems to get through. I decided to give it a go since I need to test a nginx HTTP server which listens on a UNIX domain socket. One patch [3] seems to make it possible to use the CURLOPT_OPENSOCKETFUNCTION function to gain a UNIX domain socket. Another person wrote a Go program which can do HTTP over a UNIX socket for Docker[4] which uses a special URL scheme (though the name contains cURL, it has no relation to the cURL library). This patch considers support for UNIX domain sockets at the same level as HTTP proxies / IPv6, it acts as an intermediate socket provider and not as a separate protocol. Since this feature affects network operations, a new feature flag was added ("unix-sockets") with a corresponding CURL_VERSION_UNIX_SOCKETS macro. A new CURLOPT_UNIX_SOCKET_PATH option is added and documented. This option enables UNIX domain sockets support for all requests on the handle (replacing IP sockets and skipping proxies). A new configure option (--enable-unix-sockets) and CMake option (ENABLE_UNIX_SOCKETS) can disable this optional feature. Note that I deliberately did not mark this feature as advanced, this is a feature/component that should easily be available. [0]: http://curl.haxx.se/mail/lib-2008-04/0279.html [1]: http://daniel.haxx.se/blog/2008/04/14/http-over-unix-domain-sockets/ [2]: http://sourceforge.net/p/curl/feature-requests/53/ [3]: http://curl.haxx.se/mail/lib-2008-04/0361.html [4]: https://github.com/Soulou/curl-unix-socket Signed-off-by: Peter Wu <peter@lekensteyn.nl>
2014-11-24SSL: Add PEM format support for public key pinningmoparisthebest
2014-11-15tool: Removed krb4 from the supported featuresSteve Holme
Although libcurl would never return CURL_VERSION_KERBEROS4 after 7.33, so would not be output with --version, removed krb4 from the supported features output.
2014-11-15tool: Use Kerberos for supported featuresMichael Osipov
2014-11-07curl_tool: Added krb5 to the supported featuresSteve Holme
2014-10-07SSL: implement public key pinningmoparisthebest
Option --pinnedpubkey takes a path to a public key in DER format and only connect if it matches (currently only implemented with OpenSSL). Provides CURLOPT_PINNEDPUBLICKEY for curl_easy_setopt(). Extract a public RSA key from a website like so: openssl s_client -connect google.com:443 2>&1 < /dev/null | \ sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -pubkey \ | openssl rsa -pubin -outform DER > google.com.der
2014-08-19help output: minor whitespace editsDaniel Stenberg
Should've been amended in the previous commit but wasn't due to a mistake.
2014-08-19help output: use ≥2 spaces between option and descriptionZearin
... and some other cleanups
2014-07-23docs: Improve inline GSS-API naming in code documentationMichael Osipov
2014-07-23curl.h/features: Deprecate GSS-Negotiate macros due to bad namingMichael Osipov
- Replace CURLAUTH_GSSNEGOTIATE with CURLAUTH_NEGOTIATE - CURL_VERSION_GSSNEGOTIATE is deprecated which is served by CURL_VERSION_SSPI, CURL_VERSION_GSSAPI and CURUL_VERSION_SPNEGO now. - Remove display of feature 'GSS-Negotiate'
2014-07-23configure/features: Add feature and version info for GSS-API and SPNEGOMichael Osipov
2014-07-16Remove all traces of FBOpenSSL SPNEGO supportDavid Woodhouse
This is just fundamentally broken. SPNEGO (RFC4178) is a protocol which allows client and server to negotiate the underlying mechanism which will actually be used to authenticate. This is *often* Kerberos, and can also be NTLM and other things. And to complicate matters, there are various different OIDs which can be used to specify the Kerberos mechanism too. A SPNEGO exchange will identify *which* GSSAPI mechanism is being used, and will exchange GSSAPI tokens which are appropriate for that mechanism. But this SPNEGO implementation just strips the incoming SPNEGO packet and extracts the token, if any. And completely discards the information about *which* mechanism is being used. Then we *assume* it was Kerberos, and feed the token into gss_init_sec_context() with the default mechanism (GSS_S_NO_OID for the mech_type argument). Furthermore... broken as this code is, it was never even *used* for input tokens anyway, because higher layers of curl would just bail out if the server actually said anything *back* to us in the negotiation. We assume that we send a single token to the server, and it accepts it. If the server wants to continue the exchange (as is required for NTLM and for SPNEGO to do anything useful), then curl was broken anyway. So the only bit which actually did anything was the bit in Curl_output_negotiate(), which always generates an *initial* SPNEGO token saying "Hey, I support only the Kerberos mechanism and this is its token". You could have done that by manually just prefixing the Kerberos token with the appropriate bytes, if you weren't going to do any proper SPNEGO handling. There's no need for the FBOpenSSL library at all. The sane way to do SPNEGO is just to *ask* the GSSAPI library to do SPNEGO. That's what the 'mech_type' argument to gss_init_sec_context() is for. And then it should all Just Work™. That 'sane way' will be added in a subsequent patch, as will bug fixes for our failure to handle any exchange other than a single outbound token to the server which results in immediate success.
2014-05-07tool_help: Fixed missing --login-options optionSteve Holme
...and removed ;OPTIONS from --user as that functionality was removed in 7.34.0.
2014-02-26tool_getparam: Added initial support for --next/-:Steve Holme
Added initial support for --next/-: which will be used to replace the rather confusing : command line operation what was used for the URL specific options prototype.
2014-02-25tool_help: Moved --no-alpn and --no-npn to be listed alphabeticallySteve Holme
...and added the HTTP suffix as these options are only used for HTTP2 based connections.
2014-02-22tool_getparam: Moved version information into separate function in tool_helpSteve Holme
2014-02-22tool_operhlp: Consolidated engine output code into tool_helpSteve Holme
2014-02-22tool_operate: Moved list engines into separate function in tool_helpSteve Holme
2014-02-10NPN/ALPN: allow disabling via command lineFabian Frank
when using --http2 one can now selectively disable NPN or ALPN with --no-alpn and --no-npn. for now honored with NSS only. TODO: honor this option with GnuTLS and OpenSSL