moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2024-11-10 19:45:04 -05:00
Code Issues Releases Wiki Activity
17,859 Commits 10 Branches 144 Tags 113 MiB
84bd19ffd4
Commit Graph

63 Commits

Author SHA1 Message Date
Steve Holme
678239df54 darwinssl: Updated copyright following recent changes 2014-05-15 18:38:42 +01:00
Nick Zitzmann
69cdc95932 darwinssl: fix potential crash when attempting to copy an identity 
from a P12 file

This could've happened if SecPKCS12Import() returned noErr _and_ no
identity.
 2014-05-14 17:48:14 -05:00
Daniel Stenberg
52d16c84d2 openssl: unbreak PKCS12 support 
Regression introduced in ce362e8eb9 (7.31.0)

Bug: http://curl.haxx.se/bug/view.cgi?id=1371
Reported-by: Dmitry
 2014-05-12 13:06:50 +02:00
Daniel Stenberg
a18a2ba0bb schannel: don't use the connect-timeout during send 
As there's a default connection timeout and this wrongly used the
connection timeout during a transfer after the connection is completed,
this function would trigger timeouts during transfers erroneously.

Bug: http://curl.haxx.se/bug/view.cgi?id=1352
Figured-out-by: Radu Simionescu
 2014-05-05 00:10:37 +02:00
Daniel Stenberg
21aafd09f6 openssl: biomem->data is not zero terminated 
So printf(%s) on it or reading before bounds checking is wrong, fixing
it. Could previously lead to reading out of boundary.

Reported-by: Török Edwin
 2014-05-04 00:50:10 +02:00
Kamil Dudka
9c941e92c4 nss: propagate blocking direction from NSPR I/O 
... during the non-blocking SSL handshake
 2014-04-25 15:08:12 +02:00
Dan Fandrich
0204e17bc6 cyassl: Use error-ssl.h when available 
Versions since at least 2.9.4 renamed error.h to error-ssl.h, so use
whichever one is available.
 2014-04-23 11:01:30 +02:00
Daniel Stenberg
386ed2d590 gtls: fix NULL pointer dereference 
gnutls_x509_crt_import() must not be called with a NULL certificate

Bug: http://curl.haxx.se/mail/lib-2014-04/0145.html
Reported-by: Damian Dixon
 2014-04-22 23:24:31 +02:00
Kamil Dudka
8868a226cd nss: implement non-blocking SSL handshake 2014-04-22 22:56:14 +02:00
Kamil Dudka
a43bba3a34 nss: split Curl_nss_connect() into 4 functions 2014-04-22 22:56:14 +02:00
Marc Hoersken
6f72c2fe31 curl_schannel.c: added explicit cast of structure pointers 2014-04-18 22:38:42 +02:00
Marc Hoersken
a703914e60 curl_schannel.c: fix possible dereference of null pointer 2014-04-18 22:36:12 +02:00
Daniel Stenberg
97f214d0c9 http2+openssl: fix compiler warnings in ALPN using code 2014-04-03 17:03:02 +02:00
Daniel Stenberg
6448946ac3 http2: let openssl mention the exact protocol negotiated 
Remove a superfluous "negotiated http2" info line
 2014-03-31 09:00:58 +02:00
Daniel Stenberg
ef813c7097 http2: remove _DRAFT09 from the NPN_HTTP2 enum 
We're progressing throught drafts so there's no point in having a fixed
one in a symbol that'll survive.
 2014-03-31 08:40:24 +02:00
Gisle Vanem
196140dcaf polarssl: avoid extra newlines in debug messages 
The debug messages printed inside PolarSSL always seems to end with a
newline. So 'infof()' should not add one. Besides the trace 'line'
should be 'const'.
 2014-03-22 16:55:39 +01:00
Gaël PORTAY
ff25f437a5 polarssl: break compatibility with version older than 1.3. 
Remove all #ifdef/else/endif macros that ensure compatibility with polarssl
version previous than 1.3.
 2014-03-18 21:01:11 +01:00
Gaël PORTAY
31265376bc polarssl: drop use of 1.2 compatibility header. 
API has changed since version 1.3. A compatibility header has been created
to ensure forward compatibility for code using old API:
 * x509 certificate structure has been renamed to from x509_cert to
   x509_crt
 * new dedicated setter for RSA certificates ssl_set_own_cert_rsa,
   ssl_set_own_cert is for generic keys
 * ssl_default_ciphersuites has been replaced by function
   ssl_list_ciphersuites()

This patch drops the use of the compatibly header.
 2014-03-18 21:01:11 +01:00
Daniel Stenberg
7a1fb8e816 polarssl: added missing end-of-comment from previous commit 2014-03-18 08:03:45 +01:00
Daniel Stenberg
5017d5ada8 polarssl: now require 1.3.0+ 
Also fixed a function name change in the version requirement bump
 2014-03-17 20:48:06 +01:00
hasufell
4d6108315b polarssl: fix compilation 
Rename x509_cert to x509_crt and add "compat-1.2.h"
include.
This would still need some more thorough conversion
in order to drop "compat-1.2.h" include.
 2014-03-17 20:08:45 +01:00
Kamil Dudka
67061e3f4e nss: allow to enable/disable new AES GCM cipher-suites 
... if built against a new enough version of NSS
 2014-03-15 13:07:55 +01:00
Kamil Dudka
c864d81289 nss: allow to enable/disable new HMAC-SHA256 cipher-suites 
... if built against a new enough version of NSS
 2014-03-15 13:07:55 +01:00
Kamil Dudka
b4f6cd46eb nss: do not enable AES cipher-suites by default 
... but allow them to be enabled/disabled explicitly.  The default
policy should be maintained at the NSS level.
 2014-03-15 13:07:55 +01:00
Daniel Stenberg
dcdbac2568 openssl: info massage with SSL version used 
Patch-by: byte_bucket
 2014-03-10 17:13:11 +01:00
Daniel Stenberg
6f416fa462 NSS: avoid compiler warnings when built without http2 support 2014-03-03 08:39:25 +01:00
nickzman
e9665e9658 Merge pull request #93 from d235j/darwinssl_ip_address_fix 
darwinssl: don't omit CN verification when an IP address is used
 2014-02-25 17:36:44 -06:00
Marc Hoersken
e904b15f21 curl_schannel.c: Updated copyright years 2014-02-24 22:12:55 +01:00
David Ryskalczyk
63fc8ee7be winssl: Enable hostname verification of IP address using SAN or CN 
Original commit message was:
 Don't omit CN verification in SChannel when an IP address is used.

Side-effect of this change:
 SChannel and CryptoAPI do not support the iPAddress subjectAltName
 according to RFC 2818. If present, SChannel will first compare the
 IP address to the dNSName subjectAltNames and then fallback to the
 most specific Common Name in the Subject field of the certificate.

 This means that after this change curl will not connect to SSL/TLS
 hosts as long as the IP address is not specified in the SAN or CN
 of the server certificate or the verifyhost option is disabled.
 2014-02-24 22:12:55 +01:00
David Ryskalczyk
afc6e5004f Don't omit CN verification in DarwinSSL when an IP address is used. 2014-02-23 12:37:27 -05:00
Dan Fandrich
8749bbe7fd axtls: comment the call ssl_read repeatedly loop 2014-02-18 21:14:09 +01:00
Daniel Stenberg
575a2b684b axtls: bump copyright year 2014-02-16 23:31:47 +01:00
Fabian Frank
86f266b004 axtls: call ssl_read repeatedly 
Perform more work in between sleeps. This is work around the
fact that axtls does not expose any knowledge about when work needs
to be performed. Depending on connection and how often perform is
being called this can save ~25% of time on SSL handshakes (measured
on 20ms latency connection calling perform roughly every 10ms).
 2014-02-16 23:30:21 +01:00
Fabian Frank
ec9476052d openssl: honor --[no-]alpn|npn command line switch 
Disable ALPN or NPN if requested by the user.
 2014-02-11 22:55:23 +01:00
Fabian Frank
8f5a9147be gtls: honor --[no-]alpn command line switch 
Disable ALPN if requested by the user.
 2014-02-11 22:54:37 +01:00
Fabian Frank
909a68c121 NPN/ALPN: allow disabling via command line 
when using --http2 one can now selectively disable NPN or ALPN with
--no-alpn and --no-npn. for now honored with NSS only.

TODO: honor this option with GnuTLS and OpenSSL
 2014-02-10 13:06:17 +01:00
Fabian Frank
70bd9784de nss: use correct preprocessor macro 
SSL_ENABLE_ALPN can be used for preprocessor ALPN feature detection,
but not SSL_NEXT_PROTO_SELECTED, since it is an enum value and not a
preprocessor macro.
 2014-02-10 08:09:02 +01:00
Daniel Stenberg
09d907ee68 nss: support pre-ALPN versions 2014-02-07 15:38:45 +01:00
Fabian Frank
f3a12460ad nss: ALPN and NPN support 
Add ALPN and NPN support for NSS. This allows cURL to negotiate
HTTP/2.0 connections when built with NSS.
 2014-02-07 15:35:23 +01:00
Steve Holme
265f2e9ed7 nss: Updated copyright year for recent edits 2014-02-06 22:32:56 +00:00
Fabian Frank
ff92fcfb90 nss: prefer highest available TLS version 
Offer TLSv1.0 to 1.2 by default, still fall back to SSLv3
if --tlsv1[.N] was not specified on the command line.
 2014-02-06 23:09:56 +01:00
Fabian Frank
4d8db595ca gtls: add ALPN support 
Add ALPN support when using GnuTLS >= 3.2.0. This allows
libcurl to negotiate HTTP/2.0 for https connections when
built with GnuTLS.

See:
http://www.gnutls.org/manual/gnutls.html#Application-Layer-Protocol-Negotiation-_0028ALPN_0029
http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04
 2014-02-04 09:48:27 +01:00
Fabian Frank
8b6654224b openssl: add ALPN support 
Add ALPN support when using OpenSSL. This will offer ALPN and NPN to the
server, who can respond with either one or none of the two. OpenSSL >=
1.0.2 is required, which means as of today obtaining a snapshot from
ftp://ftp.openssl.org/snapshot/.

See:
http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04
ba168244a1/ssl/ssl_lib.c (L1787)
 2014-02-03 23:46:06 +01:00
Marc Hoersken
82f558366f winssl: improved default SSL/TLS protocol selection 
For some reason Windows 7 SP1 chooses TLS 1.0 instead of TLS 1.2
if it is not explicitly enabled within grbitEnabledProtocols.

More information can be found on MSDN:
http://msdn.microsoft.com/library/windows/desktop/aa379810.aspx
 2014-01-31 20:01:25 +01:00
Daniel Stenberg
99b4ff8b6f http2-openssl: verify that NPN functionality is present 2014-01-30 11:24:15 +01:00
Fabian Frank
22c198fa89 openssl: set up hooks with to perform NPN 
NPN is what is available in the wild today to negotiate SPDY or HTTP/2.0
connections. It is expected to be replaced by ALPN in the future. If
HTTP/2.0 is negotiated, this is indicated for the entire connection and
http.c is expected to initialize itself for HTTP/2.0 instead of
HTTP/1.1.

see:
http://technotes.googlecode.com/git/nextprotoneg.html
http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04
 2014-01-30 11:13:28 +01:00
Kamil Dudka
665c160f0a nss: do not use the NSS_ENABLE_ECC define 
It is not provided by NSS public headers.

Bug: https://bugzilla.redhat.com/1058776
 2014-01-29 13:57:21 +01:00
Kamil Dudka
e15e73b741 nss: do not fail if NSS does not implement a cipher 
... that the user does not ask for
 2014-01-29 13:46:17 +01:00
Fabian Frank
251305cd7f axtls: fix compiler warning on conversion ssize_t => int 2014-01-21 08:21:55 +01:00
Fabian Frank
39f7e80a52 disable GnuTLS insecure ciphers 
Make GnuTLS old and new consistent, specify the desired protocol, cipher
and certificate type in always in both modes. Disable insecure ciphers
as reported by howsmyssl.com. Honor not only --sslv3, but also the
--tlsv1[.N] switches.

Related Bug: http://curl.haxx.se/bug/view.cgi?id=1323
 2014-01-20 11:32:55 +01:00