From 4dcd25e138e9c18a4c96cb78bca5749d8431699f Mon Sep 17 00:00:00 2001 From: Alessandro Ghedini Date: Sat, 14 Feb 2015 16:57:07 +0100 Subject: url: add CURLOPT_SSL_FALSESTART option This option can be used to enable/disable TLS False Start defined in the RFC draft-bmoeller-tls-falsestart. --- docs/libcurl/curl_easy_setopt.3 | 2 ++ docs/libcurl/opts/CURLOPT_SSL_FALSESTART.3 | 48 ++++++++++++++++++++++++++++++ docs/libcurl/opts/Makefile.am | 11 +++---- docs/libcurl/symbols-in-versions | 1 + include/curl/curl.h | 3 ++ lib/url.c | 11 +++++++ lib/urldata.h | 1 + lib/vtls/vtls.c | 12 ++++++++ lib/vtls/vtls.h | 3 ++ 9 files changed, 87 insertions(+), 5 deletions(-) create mode 100644 docs/libcurl/opts/CURLOPT_SSL_FALSESTART.3 diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 index 4b6b3f109..0b44fac50 100644 --- a/docs/libcurl/curl_easy_setopt.3 +++ b/docs/libcurl/curl_easy_setopt.3 @@ -436,6 +436,8 @@ Enable use of NPN. See \fICURLOPT_SSL_ENABLE_NPN(3)\fP Use identifier with SSL engine. See \fICURLOPT_SSLENGINE(3)\fP .IP CURLOPT_SSLENGINE_DEFAULT Default SSL engine. See \fICURLOPT_SSLENGINE_DEFAULT(3)\fP +.IP CURLOPT_SSL_FALSESTART +Enable TLS False Start. See \fICURLOPT_SSL_FALSESTART(3)\fP .IP CURLOPT_SSLVERSION SSL version to use. See \fICURLOPT_SSLVERSION(3)\fP .IP CURLOPT_SSL_VERIFYHOST diff --git a/docs/libcurl/opts/CURLOPT_SSL_FALSESTART.3 b/docs/libcurl/opts/CURLOPT_SSL_FALSESTART.3 new file mode 100644 index 000000000..7d88fc4c6 --- /dev/null +++ b/docs/libcurl/opts/CURLOPT_SSL_FALSESTART.3 @@ -0,0 +1,48 @@ +.\" ************************************************************************** +.\" * _ _ ____ _ +.\" * Project ___| | | | _ \| | +.\" * / __| | | | |_) | | +.\" * | (__| |_| | _ <| |___ +.\" * \___|\___/|_| \_\_____| +.\" * +.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, , et al. +.\" * +.\" * This software is licensed as described in the file COPYING, which +.\" * you should have received as part of this distribution. The terms +.\" * are also available at http://curl.haxx.se/docs/copyright.html. +.\" * +.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell +.\" * copies of the Software, and permit persons to whom the Software is +.\" * furnished to do so, under the terms of the COPYING file. +.\" * +.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY +.\" * KIND, either express or implied. +.\" * +.\" ************************************************************************** +.\" +.TH CURLOPT_SSL_FALSESTART 3 "14 Feb 2015" "libcurl 7.41.0" "curl_easy_setopt options" +.SH NAME +CURLOPT_SSL_FALSESTART \- enable TLS false start +.SH SYNOPSIS +#include + +CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSL_FALSESTART, long enable); +.SH DESCRIPTION +Pass a long as parameter set to 1 to enable or 0 to disable. + +This option determines whether libcurl should use false start during the TLS +handshake. False start is a mode where a TLS client will start sending +application data before verifying the server's Finished message, thus saving a +round trip when performing a full handshake. +.SH DEFAULT +0 +.SH PROTOCOLS +All TLS based protocols: HTTPS, FTPS, IMAPS, POP3, SMTPS etc. +.SH EXAMPLE +TODO +.SH AVAILABILITY +Added in 7.42.0. This option is currently only supported by the NSS TLS +backend. +.SH RETURN VALUE +Returns CURLE_OK if false start is supported by the SSL backend, otherwise +returns CURLE_NOT_BUILT_IN. diff --git a/docs/libcurl/opts/Makefile.am b/docs/libcurl/opts/Makefile.am index 5a94f11bb..3e95693a1 100644 --- a/docs/libcurl/opts/Makefile.am +++ b/docs/libcurl/opts/Makefile.am @@ -90,7 +90,8 @@ man_MANS = CURLOPT_ACCEPT_ENCODING.3 CURLOPT_ACCEPTTIMEOUT_MS.3 \ CURLOPT_SSLCERT.3 CURLOPT_SSLCERTTYPE.3 CURLOPT_SSL_CIPHER_LIST.3 \ CURLOPT_SSL_CTX_DATA.3 CURLOPT_SSL_CTX_FUNCTION.3 \ CURLOPT_SSL_ENABLE_ALPN.3 CURLOPT_SSL_ENABLE_NPN.3 CURLOPT_SSLENGINE.3 \ - CURLOPT_SSLENGINE_DEFAULT.3 CURLOPT_SSLKEY.3 CURLOPT_SSLKEYTYPE.3 \ + CURLOPT_SSLENGINE_DEFAULT.3 CURLOPT_SSL_FALSESTART.3 \ + CURLOPT_SSLKEY.3 CURLOPT_SSLKEYTYPE.3 \ CURLOPT_SSL_OPTIONS.3 CURLOPT_SSL_SESSIONID_CACHE.3 \ CURLOPT_SSL_VERIFYHOST.3 CURLOPT_SSL_VERIFYPEER.3 \ CURLOPT_SSL_VERIFYSTATUS.3 CURLOPT_SSLVERSION.3 CURLOPT_STDERR.3 \ @@ -193,8 +194,8 @@ HTMLPAGES = CURLOPT_ACCEPT_ENCODING.html CURLOPT_ACCEPTTIMEOUT_MS.html \ CURLOPT_SSL_CIPHER_LIST.html CURLOPT_SSL_CTX_DATA.html \ CURLOPT_SSL_CTX_FUNCTION.html CURLOPT_SSL_ENABLE_ALPN.html \ CURLOPT_SSL_ENABLE_NPN.html CURLOPT_SSLENGINE.html \ - CURLOPT_SSLENGINE_DEFAULT.html CURLOPT_SSLKEY.html \ - CURLOPT_SSLKEYTYPE.html CURLOPT_SSL_OPTIONS.html \ + CURLOPT_SSLENGINE_DEFAULT.html CURLOPT_SSL_FALSESTART.html \ + CURLOPT_SSLKEY.html CURLOPT_SSLKEYTYPE.html CURLOPT_SSL_OPTIONS.html \ CURLOPT_SSL_SESSIONID_CACHE.html CURLOPT_SSL_VERIFYHOST.html \ CURLOPT_SSL_VERIFYPEER.html CURLOPT_SSL_VERIFYSTATUS.html \ CURLOPT_SSLVERSION.html CURLOPT_STDERR.html CURLOPT_TCP_KEEPALIVE.html \ @@ -296,8 +297,8 @@ PDFPAGES = CURLOPT_ACCEPT_ENCODING.pdf CURLOPT_ACCEPTTIMEOUT_MS.pdf \ CURLOPT_SSL_CIPHER_LIST.pdf CURLOPT_SSL_CTX_DATA.pdf \ CURLOPT_SSL_CTX_FUNCTION.pdf CURLOPT_SSL_ENABLE_ALPN.pdf \ CURLOPT_SSL_ENABLE_NPN.pdf CURLOPT_SSLENGINE.pdf \ - CURLOPT_SSLENGINE_DEFAULT.pdf CURLOPT_SSLKEY.pdf \ - CURLOPT_SSLKEYTYPE.pdf CURLOPT_SSL_OPTIONS.pdf \ + CURLOPT_SSLENGINE_DEFAULT.pdf CURLOPT_SSL_FALSESTART.pdf \ + CURLOPT_SSLKEY.pdf CURLOPT_SSLKEYTYPE.pdf CURLOPT_SSL_OPTIONS.pdf \ CURLOPT_SSL_SESSIONID_CACHE.pdf CURLOPT_SSL_VERIFYHOST.pdf \ CURLOPT_SSL_VERIFYPEER.pdf CURLOPT_SSL_VERIFYSTATUS.pdf \ CURLOPT_SSLVERSION.pdf CURLOPT_STDERR.pdf CURLOPT_TCP_KEEPALIVE.pdf \ diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions index e9ef3f61c..1fe396897 100644 --- a/docs/libcurl/symbols-in-versions +++ b/docs/libcurl/symbols-in-versions @@ -510,6 +510,7 @@ CURLOPT_SSL_CTX_DATA 7.10.6 CURLOPT_SSL_CTX_FUNCTION 7.10.6 CURLOPT_SSL_ENABLE_ALPN 7.36.0 CURLOPT_SSL_ENABLE_NPN 7.36.0 +CURLOPT_SSL_FALSESTART 7.42.0 CURLOPT_SSL_OPTIONS 7.25.0 CURLOPT_SSL_SESSIONID_CACHE 7.16.0 CURLOPT_SSL_VERIFYHOST 7.8.1 diff --git a/include/curl/curl.h b/include/curl/curl.h index 0a326d3ba..4fcbd578b 100644 --- a/include/curl/curl.h +++ b/include/curl/curl.h @@ -1626,6 +1626,9 @@ typedef enum { /* Set if we should verify the certificate status. */ CINIT(SSL_VERIFYSTATUS, LONG, 232), + /* Set if we should enable TLS false start. */ + CINIT(SSL_FALSESTART, LONG, 233), + CURLOPT_LASTENTRY /* the last unused */ } CURLoption; diff --git a/lib/url.c b/lib/url.c index 3be6a4a3b..82faaf18a 100644 --- a/lib/url.c +++ b/lib/url.c @@ -2027,6 +2027,17 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, result = CURLE_NOT_BUILT_IN; #endif break; + case CURLOPT_SSL_FALSESTART: + /* + * Enable TLS false start. + */ + if(!Curl_ssl_false_start()) { + result = CURLE_NOT_BUILT_IN; + break; + } + + data->set.ssl.falsestart = (0 != va_arg(param, long))?TRUE:FALSE; + break; case CURLOPT_CERTINFO: #ifdef have_curlssl_certinfo data->set.ssl.certinfo = (0 != va_arg(param, long))?TRUE:FALSE; diff --git a/lib/urldata.h b/lib/urldata.h index caa5debf1..01415b6ab 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -351,6 +351,7 @@ struct ssl_config_data { void *fsslctxp; /* parameter for call back */ bool sessionid; /* cache session IDs or not */ bool certinfo; /* gather lots of certificate info */ + bool falsestart; #ifdef USE_TLS_SRP char *username; /* TLS username (for, e.g., SRP) */ diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c index 2230a0433..c551cca66 100644 --- a/lib/vtls/vtls.c +++ b/lib/vtls/vtls.c @@ -857,4 +857,16 @@ bool Curl_ssl_cert_status_request(void) #endif } +/* + * Check whether the SSL backend supports false start. + */ +bool Curl_ssl_false_start(void) +{ +#ifdef curlssl_false_start + return curlssl_false_start(); +#else + return FALSE; +#endif +} + #endif /* USE_SSL */ diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h index bbaa8505f..1a5f54fe4 100644 --- a/lib/vtls/vtls.h +++ b/lib/vtls/vtls.h @@ -118,6 +118,8 @@ CURLcode Curl_pin_peer_pubkey(const char *pinnedpubkey, bool Curl_ssl_cert_status_request(void); +bool Curl_ssl_false_start(void); + #define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */ #else @@ -145,6 +147,7 @@ bool Curl_ssl_cert_status_request(void); #define Curl_ssl_kill_session(x) Curl_nop_stmt #define Curl_ssl_random(x,y,z) ((void)x, CURLE_NOT_BUILT_IN) #define Curl_ssl_cert_status_request() FALSE +#define Curl_ssl_false_start() FALSE #endif #endif /* HEADER_CURL_VTLS_H */ -- cgit v1.2.3