Jay Satiro
ec783dc142
SSL: Remove SSLv3 from SSL default due to POODLE attack
...
- Remove SSLv3 from SSL default in darwinssl, schannel, cyassl, nss,
openssl effectively making the default TLS 1.x. axTLS is not affected
since it supports only TLS, and gnutls is not affected since it already
defaults to TLS 1.x.
- Update CURLOPT_SSLVERSION doc
2014-10-24 13:41:56 +02:00
Kamil Dudka
0aecdf6828
nss: reset SSL handshake state machine
...
... when the handshake succeeds
This fixes a connection failure when FTPS handle is reused.
2014-10-20 18:55:51 +02:00
Kamil Dudka
9e37a7f9a5
nss: do not fail if a CRL is already cached
...
This fixes a copy-paste mistake from commit 2968f957
.
2014-10-08 17:31:04 +02:00
Daniel Stenberg
8dfd22089c
vtls: make the random function mandatory in the TLS backend
...
To force each backend implementation to really attempt to provide proper
random. If a proper random function is missing, then we can explicitly
make use of the default one we use when TLS support is missing.
This commit makes sure it works for darwinssl, gnutls, nss and openssl.
2014-07-30 00:05:47 +02:00
Kamil Dudka
30b093f6fc
nss: do not check the version of NSS at run time
...
The minimal required version of NSS is 3.14.x so it does not make sense
to check for NSS 3.12.0+ at run time.
2014-07-28 16:27:04 +02:00
Kamil Dudka
ca2aa61b66
nss: make the list of CRL items global
...
Otherwise NSS could use an already freed item for another connection.
2014-07-04 13:15:03 +02:00
Kamil Dudka
52cd5ac21c
nss: fix a memory leak when CURLOPT_CRLFILE is used
2014-07-04 08:25:05 +02:00
Kamil Dudka
caa4db8a51
nss: make crl_der allocated on heap
...
... and spell it as crl_der instead of crlDER
2014-07-04 00:37:40 +02:00
Kamil Dudka
2968f957aa
nss: let nss_{cache,load}_crl return CURLcode
2014-07-04 00:20:59 +02:00
Kamil Dudka
7581dee10a
nss: make the fallback to SSLv3 work again
...
This feature was unintentionally disabled by commit ff92fcfb
.
2014-07-02 18:11:05 +02:00
Kamil Dudka
7c21558503
nss: do not abort on connection failure
...
... due to calling SSL_VersionRangeGet() with NULL file descriptor
reported-by: upstream tests 305 and 404
2014-07-02 17:59:03 +02:00
Kamil Dudka
9c941e92c4
nss: propagate blocking direction from NSPR I/O
...
... during the non-blocking SSL handshake
2014-04-25 15:08:12 +02:00
Kamil Dudka
8868a226cd
nss: implement non-blocking SSL handshake
2014-04-22 22:56:14 +02:00
Kamil Dudka
a43bba3a34
nss: split Curl_nss_connect() into 4 functions
2014-04-22 22:56:14 +02:00
Daniel Stenberg
ef813c7097
http2: remove _DRAFT09 from the NPN_HTTP2 enum
...
We're progressing throught drafts so there's no point in having a fixed
one in a symbol that'll survive.
2014-03-31 08:40:24 +02:00
Kamil Dudka
67061e3f4e
nss: allow to enable/disable new AES GCM cipher-suites
...
... if built against a new enough version of NSS
2014-03-15 13:07:55 +01:00
Kamil Dudka
c864d81289
nss: allow to enable/disable new HMAC-SHA256 cipher-suites
...
... if built against a new enough version of NSS
2014-03-15 13:07:55 +01:00
Kamil Dudka
b4f6cd46eb
nss: do not enable AES cipher-suites by default
...
... but allow them to be enabled/disabled explicitly. The default
policy should be maintained at the NSS level.
2014-03-15 13:07:55 +01:00
Daniel Stenberg
6f416fa462
NSS: avoid compiler warnings when built without http2 support
2014-03-03 08:39:25 +01:00
Fabian Frank
909a68c121
NPN/ALPN: allow disabling via command line
...
when using --http2 one can now selectively disable NPN or ALPN with
--no-alpn and --no-npn. for now honored with NSS only.
TODO: honor this option with GnuTLS and OpenSSL
2014-02-10 13:06:17 +01:00
Fabian Frank
70bd9784de
nss: use correct preprocessor macro
...
SSL_ENABLE_ALPN can be used for preprocessor ALPN feature detection,
but not SSL_NEXT_PROTO_SELECTED, since it is an enum value and not a
preprocessor macro.
2014-02-10 08:09:02 +01:00
Daniel Stenberg
09d907ee68
nss: support pre-ALPN versions
2014-02-07 15:38:45 +01:00
Fabian Frank
f3a12460ad
nss: ALPN and NPN support
...
Add ALPN and NPN support for NSS. This allows cURL to negotiate
HTTP/2.0 connections when built with NSS.
2014-02-07 15:35:23 +01:00
Steve Holme
265f2e9ed7
nss: Updated copyright year for recent edits
2014-02-06 22:32:56 +00:00
Fabian Frank
ff92fcfb90
nss: prefer highest available TLS version
...
Offer TLSv1.0 to 1.2 by default, still fall back to SSLv3
if --tlsv1[.N] was not specified on the command line.
2014-02-06 23:09:56 +01:00
Kamil Dudka
665c160f0a
nss: do not use the NSS_ENABLE_ECC define
...
It is not provided by NSS public headers.
Bug: https://bugzilla.redhat.com/1058776
2014-01-29 13:57:21 +01:00
Kamil Dudka
e15e73b741
nss: do not fail if NSS does not implement a cipher
...
... that the user does not ask for
2014-01-29 13:46:17 +01:00
Steve Holme
f88f9bed00
vtls: Updated comments referencing sslgen.c and ssluse.c
2013-12-26 21:42:22 +00:00
Steve Holme
9aa6e4357a
vtls: Fixed up include of vtls.h
2013-12-26 21:25:51 +00:00
Daniel Stenberg
a47c142a88
vtls: moved all TLS/SSL source and header files into subdir
2013-12-20 17:12:42 +01:00