... previously they were supported if a TLS library would (unexpectedly)
still support them, but from this change they will be refused already in
curl_easy_setopt(). SSLv2 and SSLv3 have been known to be insecure for
many years now.
Closes#6773
Instead output a warning about it and continue with the defaults.
These SSL versions are typically not supported by the TLS libraries since a
long time back already since they are inherently insecure and broken. Asking
for them to be used will just cause an error to be returned slightly later.
In the unlikely event that a user's TLS library actually still supports these
protocol versions, this change might make the request a little less insecure.
Closes#6772
The code in cr_recv was returning prematurely as soon as the socket
reported no more data to read. However, this could be leaving some
unread plaintext data in the rustls session from a previous call,
causing causing the transfer to hang if the socket never receives
further data.
We need to ensure that the session is fully drained of plaintext data
before returning CURLE_AGAIN to the caller.
Reviewed-by: Jacob Hoffman-Andrews
Closes#6894
Add test 676 to verify that setting CURLOPT_COOKIEFILE to NULL again clears
the cookiejar from memory.
Reported-by: Stefan Karpinski
Fixes#6889Closes#6891
If event_del is called with the event struct (still) zeroed out, a
segmentation fault may occur. event_initialized checks whether the
event struct is nonzero.
Closes#6876
According to Microsoft document MS-NLMP, current flags usage is not
accurate: flag NTLMFLAG_NEGOTIATE_NTLM2_KEY controls the use of
extended security in an NTLM authentication message and NTLM version 2
cannot be negotiated within the protocol.
The solution implemented here is: if the extended security flag is set,
prefer using NTLM version 2 (as a server featuring extended security
should also support version 2). If version 2 has been disabled at
compile time, use extended security.
Tests involving NTLM are adjusted to this new behavior.
Fixes#6813Closes#6849
In 2682e5f5, several instances of AC_HEADER_TIME were removed since
it is a deprecated autoconf macro. However, this was the macro that
defined TIME_WITH_SYS_TIME, which was used to indicate that <time.h>
can be included alongside <sys/time.h>. TIME_WITH_SYS_TIME is still
used in the configure test body and since it is no longer defined,
<time.h> is *not* included on systems that have <sys/time.h>.
In particular, at least on musl libc and glibc, <sys/time.h> does
not implicitly include <time.h> and does not declare clock_gettime,
gmtime_r, or localtime_r. This causes configure to fail to detect
those functions.
The AC_HEADER_TIME macro deprecation text says
> All current systems provide time.h; it need not be checked for.
> Not all systems provide sys/time.h, but those that do, all allow
> you to include it and time.h simultaneously.
So, to fix this issue, simply include <time.h> unconditionally when
testing for time-related functions and in libcurl, and don't bother
checking for it.
Closes#6859
This was previously defined by the obsolete AC_TYPE_SIGNAL macro,
which was removed in 2682e5f5. The deprecation text says
> Your code may safely assume C89 semantics that RETSIGTYPE is void.
So, remove it and just use void instead.
Closes#6861
In ngtcp2 the `with-gnutls` option is disabled by default, which will
cause `curl` unable to be `make` because of lacking the libraries
needed.
Closes#6857
Make sure the total amount of DL/UL bytes are counted before the
transfer finalizes. Otherwise if a transfer finishes too quick, its
total numbers are not added, and results in a DL%/UL% that goes above
100%.
Detail:
progress_meter() is called periodically, and it may not catch a
transfer's total bytes if the value was unknown during the last call,
and the transfer is finished and deleted (i.e., lost) during the next
call.
Closes https://github.com/curl/curl/pull/6840
This removes the last occurrence of PATH_MAX inside our libssh
implementation by calculating the path length from the string length of
the two components.
Closes#6829
instead of 13, before the server has told how many streams it
accepts. The server can always reject new streams anyway if we go above
what it accepts.
Ref: #6826Closes#6852
After 957bc1881e686f9714c4e6a01bf33535091f0e21, we no longer compute an
expected_size for directories. This has the upshot that when we compare
even an empty Range with the available size, we fail.
This brings back the previous behaviour, which was to succeed, but with
empty content. This also removes the "Accept-ranges: bytes" header,
which is nonsensical on directories.
Adds test 3016
Fixes#6845Closes#6846
for GnuTLS, BearSSL, mbedTLS, NSS, SChannnel, Secure Transport and
wolfSSL...
Regression since 88dd1a8a11 (shipped in 7.76.0)
Reported-by: Kenneth Davidson
Reported-by: romamik om github
Fixes#6825Closes#6827
- Define Curl_resolver_error function only when USE_CURL_ASYNC.
Prior to this change building curl without an asynchronous resolver
backend (c-ares or threaded) and without DoH (DNS-over-HTTPS, which is
also asynchronous but independent of resolver backend) would cause a
build error since Curl_resolver_error is called by and evaluates
variables only available in asynchronous builds.
Reported-by: Benbuck Nason
Fixes https://github.com/curl/curl/issues/6831
Closes https://github.com/curl/curl/pull/6832
Avoid enabling NTLM feature based upon Windows SSPI
being enabled in case that crypto auth is disabled.
Reported-by: Marcel Raad
Follow-up to #6277Fixes#6803Closes#6808