Age | Commit message (Collapse) | Author |
|
When CURLE_SSL_CACERT occurs the tool shows a lengthy error message to
the user explaining possible solutions such as --cacert and --insecure.
This change appends to that message similar options --proxy-cacert and
--proxy-insecure when there's a specified HTTPS proxy.
Closes https://github.com/curl/curl/issues/1258
|
|
|
|
- s/CURLOPT_SOCKS_PROXY/CURLOPT_PRE_PROXY
Follow-up to 7907a2b and 845522c.
- Fix incorrect id for CURLOPT_PROXY_PINNEDPUBLICKEY.
- Add id for CURLOPT_ABSTRACT_UNIX_SOCKET.
Bug: https://github.com/curl/curl/issues/1237
Reported-by: jonrumsey@users.noreply.github.com
|
|
The winbuild/ build files is now the single MSVC makefile build choice.
Closes #1215
|
|
|
|
Closes https://github.com/curl/curl/pull/1217
|
|
In addition to unix domain sockets, Linux also supports an
abstract namespace which is independent of the filesystem.
In order to support it, add new CURLOPT_ABSTRACT_UNIX_SOCKET
option which uses the same storage as CURLOPT_UNIX_SOCKET_PATH
internally, along with a flag to specify abstract socket.
On non-supporting platforms, the abstract address will be
interpreted as an empty string and fail gracefully.
Also add new --abstract-unix-socket tool parameter.
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reported-by: Chungtsun Li (typeless)
Reviewed-by: Daniel Stenberg
Reviewed-by: Peter Wu
Closes #1197
Fixes #1061
|
|
So that only "global" options (verbose mostly) survive into the next
transfer, and the others have to be set again unless default is fine.
|
|
- Use Windows API SetFileTime to set the file time instead of utime.
Avoid utime on Windows if possible because it may apply a daylight
saving time offset to our UTC file time.
Bug: https://curl.haxx.se/mail/archive-2016-11/0033.html
Reported-by: Tim
Closes https://github.com/curl/curl/pull/1121
|
|
The <netinet/tcp.h> is a leftover from the past when TCP socket options
were set in this file. This include causes build issues on AIX 4.3.
Reported-by: Kim Minjoong
Closes #1178
|
|
|
|
|
|
CURLOPT_SOCKS_PROXY -> CURLOPT_PRE_PROXY
Added the corresponding --preroxy command line option. Sets a SOCKS
proxy to connect to _before_ connecting to a HTTP(S) proxy.
|
|
... the newly introduced CURLOPT_SOCKS_PROXY is special and should be
asked for specially. (Needs new code.)
Unified proxy type to a single variable in the config struct.
|
|
This was added as part of the SOCKS+HTTPS proxy merge but there's no
need to support this as we prefer to have the protocol specified as a
prefix instead.
|
|
... they're already frowned upon in our source code style guide, this
now enforces the rule harder.
|
|
In order to make the code style more uniform everywhere
|
|
... like 'user-agent = ""'
Adjusted test 71 to verify.
|
|
There's mostly likely no need to allow setting SSLv2/3 version for HTTPS
proxy. Those protocols are insecure by design and deprecated.
|
|
Closes #1142
|
|
Prior to this change we depended on errno if strtol could not perform a
conversion. POSIX says EINVAL *may* be set. Some implementations like
Microsoft's will not set it if there's no conversion.
Ref: https://github.com/curl/curl/commit/ee4f7660#commitcomment-19658189
|
|
Ref: https://github.com/curl/curl/pull/1064#issuecomment-260052409
|
|
Adds access to the effectively used protocol/scheme to both libcurl and
curl, both in string and numeric (CURLPROTO_*) form.
Note that the string form will be uppercase, as it is just the internal
string.
As these strings are declared internally as const, and all other strings
returned by curl_easy_getinfo() are de-facto const as well, string
handling in getinfo.c got const-ified.
Closes #1137
|
|
|
|
|
|
* HTTPS proxies:
An HTTPS proxy receives all transactions over an SSL/TLS connection.
Once a secure connection with the proxy is established, the user agent
uses the proxy as usual, including sending CONNECT requests to instruct
the proxy to establish a [usually secure] TCP tunnel with an origin
server. HTTPS proxies protect nearly all aspects of user-proxy
communications as opposed to HTTP proxies that receive all requests
(including CONNECT requests) in vulnerable clear text.
With HTTPS proxies, it is possible to have two concurrent _nested_
SSL/TLS sessions: the "outer" one between the user agent and the proxy
and the "inner" one between the user agent and the origin server
(through the proxy). This change adds supports for such nested sessions
as well.
A secure connection with a proxy requires its own set of the usual SSL
options (their actual descriptions differ and need polishing, see TODO):
--proxy-cacert FILE CA certificate to verify peer against
--proxy-capath DIR CA directory to verify peer against
--proxy-cert CERT[:PASSWD] Client certificate file and password
--proxy-cert-type TYPE Certificate file type (DER/PEM/ENG)
--proxy-ciphers LIST SSL ciphers to use
--proxy-crlfile FILE Get a CRL list in PEM format from the file
--proxy-insecure Allow connections to proxies with bad certs
--proxy-key KEY Private key file name
--proxy-key-type TYPE Private key file type (DER/PEM/ENG)
--proxy-pass PASS Pass phrase for the private key
--proxy-ssl-allow-beast Allow security flaw to improve interop
--proxy-sslv2 Use SSLv2
--proxy-sslv3 Use SSLv3
--proxy-tlsv1 Use TLSv1
--proxy-tlsuser USER TLS username
--proxy-tlspassword STRING TLS password
--proxy-tlsauthtype STRING TLS authentication type (default SRP)
All --proxy-foo options are independent from their --foo counterparts,
except --proxy-crlfile which defaults to --crlfile and --proxy-capath
which defaults to --capath.
Curl now also supports %{proxy_ssl_verify_result} --write-out variable,
similar to the existing %{ssl_verify_result} variable.
Supported backends: OpenSSL, GnuTLS, and NSS.
* A SOCKS proxy + HTTP/HTTPS proxy combination:
If both --socks* and --proxy options are given, Curl first connects to
the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS
proxy.
TODO: Update documentation for the new APIs and --proxy-* options.
Look for "Added in 7.XXX" marks.
|
|
|
|
Fixes test 1139 failures
Follow-up to f82bbe01c8835
|
|
Brought in ee4f76606cf
Added test case 1280 to verify
Reported-by: Dave Reisner
Bug: https://github.com/curl/curl/commit/ee4f76606cfa4ee068bf28edd37c8dae7e8db317#commitcomment-19823146
|
|
Exit with an error on the first transfer error instead of continuing to
do the rest of the URLs.
Discussion: https://curl.haxx.se/mail/archive-2016-11/0038.html
|
|
to consider ECONNREFUSED as a transient error.
Closes #1064
|
|
Fully implemented with the NSS backend only for now.
Reviewed-by: Ray Satiro
|
|
We're mostly saying just "curl" in lower case these days so here's a big
cleanup to adapt to this reality. A few instances are left as the
project could still formally be considered called cURL.
|
|
Now showing microsecond resolution.
Closes #1106
|
|
... and now it avoids using the libcurl toupper() function
|
|
As they are after all part of the public API. Saves space and reduces
complexity. Remove the strcase defines from the curlx_ family.
Suggested-by: Dan Fandrich
Idea: https://curl.haxx.se/mail/lib-2016-10/0136.html
|
|
Follow-up to 811a693b
|
|
These two public functions have been mentioned as deprecated since a
very long time but since they are still part of the API and ABI we need
to keep them around.
|
|
We had some confusions on when each function was used. We should not act
differently on different locales anyway.
|
|
... to make it less likely that we forget that the function actually
does case insentive compares. Also replaced several invokes of the
function with a plain strcmp when case sensitivity is not an issue (like
comparing with "-").
|
|
... which previously would lead to out of boundary reads.
Reported-by: Luật Nguyễn
|
|
|
|
CVE-2016-8620
Bug: https://curl.haxx.se/docs/adv_20161102F.html
Reported-by: Luật Nguyễn
|
|
The tool was never called cURL, only the project. But even so, we have
more and more over time switched to just use lower case.
|
|
As otherwise the callback could be called with a NULL pointer when RTSP
data is provided.
|
|
There were bugs in the PKCS#11 engine, and fixing them triggers bugs in
OpenSSL. Just don't get involved; there's no need to be making the
engine methods the default anyway.
https://github.com/OpenSC/libp11/pull/108
https://github.com/openssl/openssl/pull/1639
Merges #1042
|
|
Reported-by: Ryan Scott
Fixes #1007
|
|
|
|
|
|
RFC7512 provides a standard method to reference certificates in PKCS#11
tokens, by means of a URI starting 'pkcs11:'.
We're working on fixing various applications so that whenever they would
have been able to use certificates from a file, users can simply insert
a PKCS#11 URI instead and expect it to work. This expectation is now a
part of the Fedora packaging guidelines, for example.
This doesn't work with cURL because of the way that the colon is used
to separate the certificate argument from the passphrase. So instead of
curl -E 'pkcs11:manufacturer=piv_II;id=%01' …
I instead need to invoke cURL with the colon escaped, like this:
curl -E 'pkcs11\:manufacturer=piv_II;id=%01' …
This is suboptimal because we want *consistency* — the URI should be
usable in place of a filename anywhere, without having strange
differences for different applications.
This patch therefore disables the processing in parse_cert_parameter()
when the string starts with 'pkcs11:'. It means you can't pass a
passphrase with an unescaped PKCS#11 URI, but there's no need to do so
because RFC7512 allows a PIN to be given as a 'pin-value' attribute in
the URI itself.
Also, if users are already using RFC7512 URIs with the colon escaped as
in the above example — even providing a passphrase for cURL to handling
instead of using a pin-value attribute, that will continue to work
because their string will start 'pkcs11\:' and won't match the check.
What *does* break with this patch is the extremely unlikely case that a
user has a file which is in the local directory and literally named
just "pkcs11", and they have a passphrase on it. If that ever happened,
the user would need to refer to it as './pkcs11:<passphrase>' instead.
|