1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-17 23:15:08 -05:00
Commit Graph

86 Commits

Author SHA1 Message Date
Daniel Stenberg
86bc654532 OpenSSL: conditional check for SSL3_RT_HEADER
The symbol is fairly new.

Reported-by: Kamil Dudka
2015-05-04 13:29:34 +02:00
Daniel Stenberg
690317aae2 openssl: skip trace outputs for ssl_ver == 0
The OpenSSL trace callback is wonderfully undocumented but given a
journey in the source code, it seems the cases were ssl_ver is zero
doesn't follow the same pattern and thus turned out confusing and
misleading. For now, we skip doing any CURLINFO_TEXT logging on those
but keep sending them as CURLINFO_SSL_DATA_OUT/IN.

Also, I added direction to the text info and I edited some functions
slightly.

Bug: https://github.com/bagder/curl/issues/219
Reported-by: Jay Satiro, Ashish Shukla
2015-05-04 12:27:59 +02:00
Daniel Stenberg
cae43a10cb Curl_ossl_init: load builtin modules
To have engine modules work, we must tell openssl to load builtin
modules first.

Bug: https://github.com/bagder/curl/pull/206
2015-04-26 17:26:31 +02:00
Daniel Stenberg
aff153f83a openssl: fix serial number output
The code extracting the cert serial number was broken and didn't display
it properly.

Bug: https://github.com/bagder/curl/issues/235
Reported-by: dkjjr89
2015-04-26 16:36:19 +02:00
byronhe
6088fbce06 openssl: add OPENSSL_NO_SSL3_METHOD check 2015-04-21 15:25:21 -04:00
Viktor Szakáts
3a87bdebd1 vtls/openssl: use https in URLs and a comment typo fixed 2015-04-19 19:52:37 +02:00
Matthew Hall
a471a9f3b6 vtls_openssl: improve PKCS#12 load failure error message 2015-04-13 22:25:04 +02:00
Matthew Hall
27ac643455 vtls_openssl: fix minor typo in PKCS#12 load routine 2015-04-13 22:25:04 +02:00
Matthew Hall
b3175a767d vtls_openssl: improve client certificate load failure error messages 2015-04-13 22:25:04 +02:00
Matthew Hall
58b0a8b059 vtls_openssl: remove ambiguous SSL_CLIENT_CERT_ERR constant 2015-04-13 22:25:04 +02:00
Dan Fandrich
35648f2e79 curl_memory: make curl_memory.h the second-last header file loaded
This header file must be included after all header files except
memdebug.h, as it does similar memory function redefinitions and can be
similarly affected by conflicting definitions in system or dependent
library headers.
2015-03-24 23:47:01 +01:00
Daniel Stenberg
ac2827ac09 openssl: do the OCSP work-around for libressl too
I tested with libressl git master now (v2.1.4-27-g34bf96c) and it seems to
still require the work-around for stapling to work.
2015-03-24 23:39:52 +01:00
Daniel Stenberg
bd9ac3cff2 openssl: verifystatus: only use the OCSP work-around <= 1.0.2a
URL: http://curl.haxx.se/mail/lib-2015-03/0205.html
Reported-by: Alessandro Ghedini
2015-03-24 23:06:37 +01:00
Daniel Stenberg
7e6ca87a72 openssl: adapt to ASN1/X509 things gone opaque in 1.1 2015-03-24 22:59:33 +01:00
Alessandro Ghedini
8854f8d45a openssl: try to avoid accessing OCSP structs when possible 2015-03-20 15:36:05 +01:00
Daniel Stenberg
2dc1a5ce93 checksrc: detect and remove space before trailing semicolons 2015-03-17 14:06:48 +01:00
Daniel Stenberg
9395999543 checksrc: use space after comma 2015-03-17 13:57:37 +01:00
Daniel Stenberg
1d3f1a80d0 openssl: show the cipher selection to use 2015-03-12 15:53:45 +01:00
Daniel Stenberg
00ea0e7db0 http2: use CURL_HTTP_VERSION_* symbols instead of NPN_*
Since they already exist and will make comparing easier
2015-03-07 11:10:30 +01:00
Alessandro Ghedini
2e9494b15d openssl: make it possible to enable ALPN/NPN without HTTP2 2015-03-07 10:36:10 +01:00
Daniel Stenberg
709cf76f6b openssl: remove all uses of USE_SSLEAY
SSLeay was the name of the library that was subsequently turned into
OpenSSL many moons ago (1999). curl does not work with the old SSLeay
library since years. This is now reflected by only using USE_OPENSSL in
code that depends on OpenSSL.
2015-03-05 10:57:52 +01:00
Daniel Stenberg
8aabbf5f8c vtls: use curl_printf.h all over
No need to use _MPRINTF_REPLACE internally.
2015-03-03 23:17:43 +01:00
Kamil Dudka
aba2c4dca2 openssl: fix a compile-time warning
lib/vtls/openssl.c:1450:7: warning: extra tokens at end of #endif directive
2015-02-12 08:39:19 +01:00
Steve Holme
c1878e8f52 openssl: Use OPENSSL_IS_BORINGSSL for BoringSSL detection
For consistency with other conditionally compiled code in openssl.c,
use OPENSSL_IS_BORINGSSL rather than HAVE_BORINGSSL and try to use
HAVE_BORINGSSL outside of openssl.c when the OpenSSL header files are
not included.
2015-02-11 21:03:23 +00:00
Steve Holme
d771b44e53 openssl: Disable OCSP in old versions of OpenSSL
Versions of OpenSSL prior to v0.9.8h do not support the necessary
functions for OCSP stapling.
2015-02-09 21:01:39 +00:00
Daniel Stenberg
45b9b62de4 openssl: SSL_SESSION->ssl_version no longer exist
The struct went private in 1.0.2 so we cannot read the version number
from there anymore. Use SSL_version() instead!

Reported-by: Gisle Vanem
Bug: http://curl.haxx.se/mail/lib-2015-02/0034.html
2015-02-05 11:57:33 +01:00
Steve Holme
e1bb13c09f openssl: Fixed Curl_ossl_cert_status_request() not returning FALSE
Modified the Curl_ossl_cert_status_request() function to return FALSE
when built with BoringSSL or when OpenSSL is missing the necessary TLS
extensions.
2015-01-27 12:53:41 +00:00
Steve Holme
a268a804b7 openssl: Fixed compilation errors when OpenSSL built with 'no-tlsext'
Fixed the build of openssl.c when OpenSSL is built without the necessary
TLS extensions for OCSP stapling.

Reported-by: John E. Malmberg
2015-01-27 12:47:48 +00:00
Daniel Stenberg
23c6f0a344 OCSP stapling: disabled when build with BoringSSL 2015-01-22 23:34:43 +01:00
Alessandro Ghedini
d1cf5d5706 openssl: add support for the Certificate Status Request TLS extension
Also known as "status_request" or OCSP stapling, defined in RFC6066
section 8.

Thanks-to: Joe Mason
- for the work-around for the OpenSSL bug.
2015-01-22 23:25:23 +01:00
Daniel Stenberg
d6c4695dcd BoringSSL: no PKCS12 support nor ERR_remove_state 2015-01-22 16:39:01 +01:00
Leith Bade
261208d432 BoringSSL: fix build 2015-01-22 16:39:01 +01:00
Daniel Stenberg
be57f689b0 openssl: do public key pinning check independently
... of the other cert verification checks so that you can set verifyhost
and verifypeer to FALSE and still check the public key.

Bug: http://curl.haxx.se/bug/view.cgi?id=1471
Reported-by: Kyle J. McKay
2015-01-19 23:20:13 +01:00
Steve Holme
037cd0d991 vtls: Fixed compilation warning and an ignored return code
curl_schannel.h:123: warning: right-hand operand of comma expression
                     has no effect

Some instances of the curlssl_close_all() function were declared with a
void return type whilst others as int. The schannel version returned
CURLE_NOT_BUILT_IN and others simply returned zero, but in all cases the
return code was ignored by the calling function Curl_ssl_close_all().

For the time being and to keep the internal API consistent, changed all
declarations to use a void return type.

To reduce code we might want to consider removing the unimplemented
versions and use a void #define like schannel does.
2014-12-28 17:33:01 +00:00
Steve Holme
fe43a662a2 vtls: Use CURLcode for Curl_ssl_init_certinfo() return type
The return type for this function was 0 on success and 1 on error. This
was then examined by the calling functions and, in most cases, used to
return CURLE_OUT_OF_MEMORY.

Instead use CURLcode for the return type and return the out of memory
error directly, propagating it up the call stack.
2014-12-26 13:11:40 +00:00
Steve Holme
6cb7b0c0ac vtls: Use bool for Curl_ssl_getsessionid() return type
The return type of this function is a boolean value, and even uses a
bool internally, so use bool in the function declaration as well as
the variables that store the return value, to avoid any confusion.
2014-12-25 17:15:15 +00:00
Steve Holme
2568928070 openssl: Prefer we don't use NULL in comparisons 2014-12-24 16:14:33 +00:00
Steve Holme
a4d9158509 openssl.c Fix for compilation errors with older versions of OpenSSL
openssl.c:1408: error: 'TLS1_1_VERSION' undeclared
openssl.c:1411: error: 'TLS1_2_VERSION' undeclared
2014-12-23 00:16:07 +00:00
Daniel Stenberg
6dae798824 openssl: fix SSL/TLS versions in verbose output 2014-12-22 14:21:17 +01:00
Daniel Stenberg
577286e0e2 openssl: make it compile against openssl 1.1.0-DEV master branch 2014-12-22 14:21:17 +01:00
Daniel Stenberg
03e206d18a openssl: warn for SRP set if SSLv3 is used, not for TLS version
... as it requires TLS and it was was left to warn on the default from
when default was SSL...
2014-12-21 23:25:49 +01:00
Daniel Stenberg
680d5fd041 http2: avoid logging neg "failure" if h2 was not requested 2014-12-09 00:09:24 +01:00
Steve Holme
b04eef1318 openssl: Use 'CURLcode result'
More CURLcode fixes.
2014-11-02 00:14:07 +00:00
Steve Holme
f0b4bc12f8 openssl: Use 'CURLcode result'
More standardisation of CURLcode usage and coding style.
2014-11-01 17:16:42 +00:00
Steve Holme
14b4707d9a openssl: Use 'CURLcode result'
...and some minor code style changes.
2014-11-01 16:14:05 +00:00
Steve Holme
befbc8f56b code cleanup: Use 'CURLcode result' 2014-10-30 23:14:45 +00:00
Daniel Stenberg
697aa67d18 openssl: enable NPN separately from ALPN
... and allow building with nghttp2 but completely without NPN and ALPN,
as nghttp2 can still be used for plain-text HTTP.

Reported-by: Lucas Pardue
2014-10-29 22:42:46 +01:00
Kamil Dudka
07048941a4 openssl: fix a line length warning 2014-10-29 14:34:46 +01:00
Guenter Knauf
357a15a649 Fixed error message since we require ALPN support. 2014-10-29 01:37:18 +01:00
Guenter Knauf
e42e3a4fac Check for ALPN via OpenSSL version number.
This check works also with to non-configure platforms.
2014-10-29 00:59:38 +01:00