1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-06 01:25:33 -05:00
Commit Graph

482 Commits

Author SHA1 Message Date
Alex Rousskov
cb4e2be7c6 proxy: Support HTTPS proxy and SOCKS+HTTP(s)
* HTTPS proxies:

An HTTPS proxy receives all transactions over an SSL/TLS connection.
Once a secure connection with the proxy is established, the user agent
uses the proxy as usual, including sending CONNECT requests to instruct
the proxy to establish a [usually secure] TCP tunnel with an origin
server. HTTPS proxies protect nearly all aspects of user-proxy
communications as opposed to HTTP proxies that receive all requests
(including CONNECT requests) in vulnerable clear text.

With HTTPS proxies, it is possible to have two concurrent _nested_
SSL/TLS sessions: the "outer" one between the user agent and the proxy
and the "inner" one between the user agent and the origin server
(through the proxy). This change adds supports for such nested sessions
as well.

A secure connection with a proxy requires its own set of the usual SSL
options (their actual descriptions differ and need polishing, see TODO):

  --proxy-cacert FILE        CA certificate to verify peer against
  --proxy-capath DIR         CA directory to verify peer against
  --proxy-cert CERT[:PASSWD] Client certificate file and password
  --proxy-cert-type TYPE     Certificate file type (DER/PEM/ENG)
  --proxy-ciphers LIST       SSL ciphers to use
  --proxy-crlfile FILE       Get a CRL list in PEM format from the file
  --proxy-insecure           Allow connections to proxies with bad certs
  --proxy-key KEY            Private key file name
  --proxy-key-type TYPE      Private key file type (DER/PEM/ENG)
  --proxy-pass PASS          Pass phrase for the private key
  --proxy-ssl-allow-beast    Allow security flaw to improve interop
  --proxy-sslv2              Use SSLv2
  --proxy-sslv3              Use SSLv3
  --proxy-tlsv1              Use TLSv1
  --proxy-tlsuser USER       TLS username
  --proxy-tlspassword STRING TLS password
  --proxy-tlsauthtype STRING TLS authentication type (default SRP)

All --proxy-foo options are independent from their --foo counterparts,
except --proxy-crlfile which defaults to --crlfile and --proxy-capath
which defaults to --capath.

Curl now also supports %{proxy_ssl_verify_result} --write-out variable,
similar to the existing %{ssl_verify_result} variable.

Supported backends: OpenSSL, GnuTLS, and NSS.

* A SOCKS proxy + HTTP/HTTPS proxy combination:

If both --socks* and --proxy options are given, Curl first connects to
the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS
proxy.

TODO: Update documentation for the new APIs and --proxy-* options.
Look for "Added in 7.XXX" marks.
2016-11-24 23:41:44 +01:00
Jay Satiro
7f439f1652 curl.1: Clarify --dump-header only writes received headers 2016-11-16 01:40:23 -05:00
Kamil Dudka
cfd69c1339 docs: the next release will be 7.52.0 2016-11-15 12:21:00 +01:00
Daniel Stenberg
f82bbe01c8 curl: add --fail-early
Exit with an error on the first transfer error instead of continuing to
do the rest of the URLs.

Discussion: https://curl.haxx.se/mail/archive-2016-11/0038.html
2016-11-14 08:35:40 +01:00
Daniel Hwang
cdfda3ee82 curl: Add --retry-connrefused
to consider ECONNREFUSED as a transient error.

Closes #1064
2016-11-11 10:00:54 +01:00
Kamil Dudka
a110a03b43 curl: introduce the --tlsv1.3 option to force TLS 1.3
Fully implemented with the NSS backend only for now.

Reviewed-by: Ray Satiro
2016-11-07 12:07:11 +01:00
Daniel Stenberg
677d8b3fec curl.1: explain the SMTP data expected for -T
Fixes #1107

Reported-by: Adam Piggott
2016-11-07 08:33:02 +01:00
Daniel Stenberg
e5c49b9e69 curl.1: typo 2016-11-01 10:27:40 +01:00
Daniel Stenberg
b744950f43 curl.1: expand on how multiple uses of -o looks
Suggested-by: Dan Jacobson
Issue: https://github.com/curl/curl/issues/1097
2016-11-01 10:24:49 +01:00
Daniel Stenberg
7ea1469468 curl.1: --trace supports % for sending to stderr! 2016-09-30 17:17:48 +02:00
Jay Satiro
36e53ec6ff docs: Remove that --proto is just used for initial retrieval
.. and add that --proto-redir and CURLOPT_REDIR_PROTOCOLS do not
override protocols denied by --proto and CURLOPT_PROTOCOLS.

- Add a test to enforce: --proto deny must override --proto-redir allow

Closes https://github.com/curl/curl/pull/1031
2016-09-21 17:23:24 -04:00
Jay Satiro
af2d679e14 errors: new alias CURLE_WEIRD_SERVER_REPLY (8)
Since we're using CURLE_FTP_WEIRD_SERVER_REPLY in imap, pop3 and smtp as
more of a generic "failed to parse" introduce an alias without FTP in
the name.

Closes https://github.com/curl/curl/pull/975
2016-09-07 21:24:27 -04:00
Olivier Brunel
4b86113f5e speed caps: not based on average speeds anymore
Speed limits (from CURLOPT_MAX_RECV_SPEED_LARGE &
CURLOPT_MAX_SEND_SPEED_LARGE) were applied simply by comparing limits
with the cumulative average speed of the entire transfer; While this
might work at times with good/constant connections, in other cases it
can result to the limits simply being "ignored" for more than "short
bursts" (as told in man page).

Consider a download that goes on much slower than the limit for some
time (because bandwidth is used elsewhere, server is slow, whatever the
reason), then once things get better, curl would simply ignore the limit
up until the average speed (since the beginning of the transfer) reached
the limit.  This could prove the limit useless to effectively avoid
using the entire bandwidth (at least for quite some time).

So instead, we now use a "moving starting point" as reference, and every
time at least as much as the limit as been transferred, we can reset
this starting point to the current position. This gets a good limiting
effect that applies to the "current speed" with instant reactivity (in
case of sudden speed burst).

Closes #971
2016-09-04 13:11:23 +02:00
Nick Zitzmann
e171968ba3 darwinssl: add documentation stating that the --cainfo option is intended for backward compatibility only
In other news, I changed one other reference to "Mac OS X" in the documentation (that I previously wrote) to say "macOS" instead.
2016-08-28 16:46:59 -05:00
Daniel Stenberg
046c2c85c4 curl.1: the used progress meter suffix is k in lower case
Closes #883
2016-06-22 00:37:36 +02:00
Daniel Stenberg
2668d8df9a curl.1: missed 'T' in the progress unit suffixes 2016-06-17 10:40:44 +02:00
Daniel Stenberg
c9a6ab6d92 curl.1: mention the unix for the progress meter 2016-06-17 00:33:33 +02:00
Frank Gevaerts
071c561394 http: add CURLINFO_HTTP_VERSION and %{http_version}
Adds access to the effectively used http version to both libcurl and
curl.

Closes #799
2016-05-30 22:58:51 +02:00
Daniel Stenberg
ab5a68937b docs: CURLOPT_RESOLVE overrides CURLOPT_IPRESOLVE 2016-05-17 13:17:07 +02:00
Daniel Stenberg
22aa34f745 curl.1: --mail-rcpt can be used multiple times
Reported-by: mgendre
Closes #784
2016-04-30 00:15:44 +02:00
Daniel Stenberg
394d7917b7 curl.1: document the deprecated --ftp-ssl option 2016-04-29 00:31:37 +02:00
Daniel Stenberg
59a09055af curl.1: document --ntlm-wb 2016-04-29 00:31:37 +02:00
Daniel Stenberg
51d62a6b66 curl.1: document the long format of -q: --disable 2016-04-29 00:31:37 +02:00
Daniel Stenberg
12622f3899 curl.1: mention the deprecated --krb4 option 2016-04-29 00:31:37 +02:00
Daniel Stenberg
d848be14b2 curl.1: document --ftp-ssl-reqd
Even if deprecated, document it so that people will find it as old
scripts may still use it.
2016-04-29 00:31:37 +02:00
33623d7196 PolarSSL: Implement public key pinning 2016-04-24 12:27:39 +02:00
Alessandro Ghedini
d49087f6bc tool: add --tcp-fastopen option 2016-04-18 23:17:19 +02:00
Michael Kaufmann
cd8d236245 news: CURLOPT_CONNECT_TO and --connect-to
Makes curl connect to the given host+port instead of the host+port found
in the URL.
2016-04-17 23:50:59 +02:00
Daniel Stenberg
5cfa268faa curl.1: use example.com more
Make (most) example snippets use the example.com domain instead of the
random ones picked and used before. Some of those were probably
legitimate sites and some not. example.com is designed for this purpose.
2016-04-06 14:41:38 +02:00
Theodore Dubois
f07cc91108 curl.1: change example for -F
It's a bad idea to send your passwords anywhere, especially over HTTP.
Modified example to send a picture instead.

Fixes #752
2016-04-06 10:26:52 +02:00
Daniel Stenberg
e238253d06 curl.1: -w filename_effective was introduced in 7.26.0
We never made a 7.25.1 release
2016-04-02 17:59:25 +02:00
Daniel Stenberg
213d3c7b0c http2: more documentation for prior knowledge 2016-03-31 22:23:15 +02:00
Diego Bes
324a97ecf8 http2: support "prior knowledge", no upgrade from HTTP/1.1
Supports HTTP/2 over clear TCP

- Optimize switching to HTTP/2 by removing calls to init and setup
before switching. Switching will eventually call setup and setup calls
init.

- Supports new version to “force” the use of HTTP/2 over clean TCP

- Add common line parameter “--http2-prior-knowledge” to the Curl
  command line tool.
2016-03-31 22:23:11 +02:00
Jay Satiro
186546f1c5 TFTP: add option to suppress TFTP option requests (Part 2)
- Add tests.

- Add an example to CURLOPT_TFTP_NO_OPTIONS.3.

- Add --tftp-no-options to expose CURLOPT_TFTP_NO_OPTIONS.

Bug: https://github.com/curl/curl/issues/481
2016-02-23 03:01:07 -05:00
Jay Satiro
a11c5f329f curl.1: HTTP headers for --cookie must be Set-Cookie style
Bug: https://github.com/curl/curl/issues/666
Reported-by: baumanj@users.noreply.github.com
2016-02-18 19:01:19 -05:00
Daniel Stenberg
be2db60650 curl.1: add a missing dash 2016-02-18 15:32:00 +01:00
Kamil Dudka
4ef6b2d6c6 curl.1: --disable-{eprt,epsv} are ignored for IPv6 hosts
The behavior has been clarified in CURLOPT_FTP_USE_{EPRT,EPSV}.3 man
pages since curl-7_12_3~131.  This patch makes it clear in the curl.1
man page, too.

Bug: https://bugzilla.redhat.com/1305970
2016-02-12 18:47:17 +01:00
Daniel Stenberg
4af40b3646 URLs: change all http:// URLs to https:// 2016-02-03 00:19:02 +01:00
Daniel Stenberg
6b485c7407 HTTPS: update a bunch of URLs from HTTP to HTTPS 2016-02-02 00:24:30 +01:00
Jay Satiro
96596334c8 curl.1: Explain remote-name behavior if file already exists
.. also warn about letting the server pick the filename.
2016-01-29 03:28:48 -05:00
Daniel Stenberg
b4a39491ca curl --expect100-timeout: added
This is the new command line option to set the value for the existing
libcurl option CURLOPT_EXPECT_100_TIMEOUT_MS
2015-12-15 13:59:56 +01:00
Daniel Stenberg
748ffc77c6 curl.1: remove the overlap --range example
... it is just weird to include by default even if it still works.
2015-11-06 15:03:00 +01:00
Daniel Stenberg
9b87078d55 curl.1: -E: s/private certificate/client certificate
... as the certificate is strictly speaking not private.

Reported-by: John Levon
2015-10-28 13:17:54 +01:00
Daniel Stenberg
b1fc8c0e97 curl.1: --ignore-content-length now works for FTP too 2015-10-23 15:24:31 +02:00
Daniel Stenberg
4ceddcf8ca curl.1: update RFC references 2015-09-03 19:52:23 +02:00
Jay Satiro
cb6a07fed0 docs: Warn about any-domain cookies and multiple transfers
- Warn that cookies without a domain are sent to any domain:
CURLOPT_COOKIELIST, CURLOPT_COOKIEFILE, --cookie

- Note that imported Set-Cookie cookies without a domain are no longer
exported:
CURLINFO_COOKIELIST, CURLOPT_COOKIEJAR, --cookie-jar
2015-09-03 02:35:11 -04:00
Nathaniel Waisbrot
9756d1da76 CURLOPT_DEFAULT_PROTOCOL: added
- Add new option CURLOPT_DEFAULT_PROTOCOL to allow specifying a default
protocol for schemeless URLs.

- Add new tool option --proto-default to expose
CURLOPT_DEFAULT_PROTOCOL.

In the case of schemeless URLs libcurl will behave in this way:

When the option is used libcurl will use the supplied default.

When the option is not used, libcurl will follow its usual plan of
guessing from the hostname and falling back to 'http'.
2015-08-22 21:57:14 -04:00
Jay Satiro
1f1f131e09 docs: Update the redirect protocols disabled by default
- Clarify that FILE and SCP are disabled by default since 7.19.4
- Add that SMB and SMBS are disabled by default since 7.40.0
- Add CURLPROTO_SMBS to the list of protocols
2015-08-18 01:38:07 -04:00
Daniel Kahn Gillmor
31673ff517 curl.1: Document weaknesses in SSLv2 and SSLv3
Acknowledge that SSLv3 is also widely considered to be insecure.

Also, provide references for people who want to know more about why it's
insecure.
2015-08-15 22:53:46 +02:00
Alessandro Ghedini
5be0c88297 docs: fix typos
closes #376
2015-08-12 11:29:55 +02:00