This avoids a TCP reset (RST) if the server initiates a connection
shutdown by sending an SSL close notify alert and then closes the TCP
connection.
For SSL connections, usually the server announces that it will close the
connection with an SSL close notify alert. curl should read this alert.
If curl does not read this alert and just closes the connection, some
operating systems close the TCP connection with an RST flag.
See RFC 1122, section 4.2.2.13
If curl reads the close notify alert, the TCP connection is closed
normally with a FIN flag.
The new code is similar to existing code in the "SSL shutdown" function:
try to read an alert (non-blocking), and ignore any read errors.
Closes#7095
This function might get called for an easy handle for which the session
cache hasn't been setup. It now just returns a "miss" in that case.
Reported-by: Christoph M. Becker
Fixes#7148Closes#7153
In a3268eca79 this code was changed to use the ALPN_H2 constant
instead of the NGHTTP2_PROTO_ALPN constant. However, these constants are
not the same. The nghttp2 constant included the length of the string,
like this: "\x2h2". The ALPN_H2 constant is just "h2". Therefore we need
to re-add the length of the string to the ALPN buffer.
Closes#7138
When the SecCertificateCopyCommonName function fails, it leaves
common_name in a invalid state so CFStringCompare uses the invalid
result, causing EXC_BAD_ACCESS.
The fix is to check the return value of the function before using the
name.
Closes#7126
As of commit 54e7475, these flags would only be set when using a new
credential handle. When re-using an existing credential handle, the
flags would not be set.
Closes https://github.com/curl/curl/pull/7051
Previously, settting only the max allowed TLS version, leaving the
minimum one at default, didn't actually set it and left it to default
(TLS 1.3) too!
As a bonus, this change also removes the dead code handling of SSLv3
since that version can't be set anymore (since eff614fb02).
Reported-by: Daniel Carpenter
Fixes#6998Closes#7000
When a TLS server requests a client certificate during handshake and
none can be provided, libcurl now returns this new error code
CURLE_SSL_CLIENTCERT
Only supported by Secure Transport and OpenSSL for TLS 1.3 so far.
Closes#6721
Removed localfd and remotefd from ssl_backend_data (ued only with proxy
connection). Function pipe_ssloverssl return always 0, when proxy is not
used.
Closes#6981
This abstracts across the two HTTP/2 backends: nghttp2 and Hyper.
Add our own define for the "h2" ALPN protocol, so TLS backends can use
it without depending on a specific HTTP backend.
Closes#6959
- Disable auto credentials by default. This is a breaking change
for clients that are using it, wittingly or not.
- New libcurl ssl option value CURLSSLOPT_AUTO_CLIENT_CERT tells libcurl
to automatically locate and use a client certificate for
authentication, when requested by the server.
- New curl tool options --ssl-auto-client-cert and
--proxy-ssl-auto-client-cert map to CURLSSLOPT_AUTO_CLIENT_CERT.
This option is only supported for Schannel (the native Windows SSL
library). Prior to this change Schannel would, with no notification to
the client, attempt to locate a client certificate and send it to the
server, when requested by the server. Since the server can request any
certificate that supports client authentication in the OS certificate
store it could be a privacy violation and unexpected.
Fixes https://github.com/curl/curl/issues/2262
Reported-by: Jeroen Ooms
Assisted-by: Wes Hinsley
Assisted-by: Rich FitzJohn
Ref: https://curl.se/mail/lib-2021-02/0066.html
Reported-by: Morten Minde Neergaard
Closes https://github.com/curl/curl/pull/6673
Add parser for CURLOPT_SSL_CIPHER_LIST option for Secure Transport (ST)
back-end. Similar to NSS and GSKit back-ends, new code parses string
value and configures ST library to use those ciphers for communication.
Create cipher spec data structure and initialize the array of specs with
cipher number, name, alias, and 'weak' flag.
Mark triple-DES ciphers as 'weak', and exclude them from the default
ciphers list.
Closes#6464
... previously they were supported if a TLS library would (unexpectedly)
still support them, but from this change they will be refused already in
curl_easy_setopt(). SSLv2 and SSLv3 have been known to be insecure for
many years now.
Closes#6773
The code in cr_recv was returning prematurely as soon as the socket
reported no more data to read. However, this could be leaving some
unread plaintext data in the rustls session from a previous call,
causing causing the transfer to hang if the socket never receives
further data.
We need to ensure that the session is fully drained of plaintext data
before returning CURLE_AGAIN to the caller.
Reviewed-by: Jacob Hoffman-Andrews
Closes#6894
for GnuTLS, BearSSL, mbedTLS, NSS, SChannnel, Secure Transport and
wolfSSL...
Regression since 88dd1a8a11 (shipped in 7.76.0)
Reported-by: Kenneth Davidson
Reported-by: romamik om github
Fixes#6825Closes#6827
Otherwise, the transfer will be NULL in the trace function when the
early handshake details arrive and then curl won't show them.
Regresssion in 7.75.0
Reported-by: David Hu
Fixes#6783Closes#6792
If we get a close_notify, treat that as EOF. If we get an EOF from the
TCP stream, treat that as an error (because we should have ended the
connection earlier, when we got a close_notify).
Closes#6763
Previously, rustls was using an on-stack array for TLS data. However,
crustls has an (unusual) requirement that buffers it deals with are
initialized before writing to them. By using calloc, we can ensure the
buffer is initialized once and then reuse it across calls.
Closes#6742
This requires the latest main branch of crustls, which provides
rustls_client_config_builder_dangerous_set_certificate_verifier and
rustls_client_config_builder_set_enable_sni.
This refactors the session setup into its own function, and adds a new
function cr_hostname_is_ip. Because crustls doesn't support verification
of IP addresses, special handling is needed: We disable SNI and set a
placeholder hostname (which never actually gets sent on the wire).
Closes#6719
- Change use of those options from CURLOPT_SSL_OPTIONS that are not
already evaluated via SSL_SET_OPTION in schannel and secure transport
to use that instead of data->set.ssl.optname.
Example:
Evaluate SSL_SET_OPTION(no_revoke) instead of data->set.ssl.no_revoke.
This change is because options set via CURLOPT_SSL_OPTIONS
(data->set.ssl.optname) are separate from those set for HTTPS proxy via
CURLOPT_PROXY_SSL_OPTIONS (data->set.proxy_ssl.optname). The
SSL_SET_OPTION macro determines whether the connection is for HTTPS
proxy and based on that which option to evaluate.
Since neither Schannel nor Secure Transport backends currently support
HTTPS proxy in libcurl, this change is for posterity and has no other
effect.
Closes https://github.com/curl/curl/pull/6690