Steve Holme
2568928070
openssl: Prefer we don't use NULL in comparisons
2014-12-24 16:14:33 +00:00
Steve Holme
a4d9158509
openssl.c Fix for compilation errors with older versions of OpenSSL
...
openssl.c:1408: error: 'TLS1_1_VERSION' undeclared
openssl.c:1411: error: 'TLS1_2_VERSION' undeclared
2014-12-23 00:16:07 +00:00
Daniel Stenberg
6dae798824
openssl: fix SSL/TLS versions in verbose output
2014-12-22 14:21:17 +01:00
Daniel Stenberg
577286e0e2
openssl: make it compile against openssl 1.1.0-DEV master branch
2014-12-22 14:21:17 +01:00
Daniel Stenberg
03e206d18a
openssl: warn for SRP set if SSLv3 is used, not for TLS version
...
... as it requires TLS and it was was left to warn on the default from
when default was SSL...
2014-12-21 23:25:49 +01:00
Nick Zitzmann
93227ddca5
darwinssl: fix incorrect usage of aprintf()
...
Commit b13923f
changed an snprintf() to use aprintf(), but the API usage
wasn't correct, and was causing a crash to occur. This fixes it.
2014-12-15 00:56:09 -06:00
Daniel Stenberg
b13923f0f7
darwinssl: aprintf() to allocate the session key
...
... to avoid using a fixed memory size that risks being too large or too
small.
2014-12-14 17:34:02 +01:00
Marc Hoersken
212e3e26bc
curl_schannel: Improvements to memory re-allocation strategy
...
- do not grow memory by doubling its size
- do not leak previously allocated memory if reallocation fails
- replace while-loop with a single check to make sure
that the requested amount of data fits into the buffer
Bug: http://curl.haxx.se/bug/view.cgi?id=1450
Reported-by: Warren Menzer
2014-12-14 17:27:31 +01:00
Marc Hoersken
c98b50753f
curl_schannel.c: Data may be available before connection shutdown
2014-12-14 16:40:49 +01:00
Daniel Stenberg
145c263a4b
schannel_recv: return the correct code
...
Bug: http://curl.haxx.se/bug/view.cgi?id=1462
Reported-by: Tae Hyoung Ahn
2014-12-09 11:46:11 +01:00
Daniel Stenberg
680d5fd041
http2: avoid logging neg "failure" if h2 was not requested
2014-12-09 00:09:24 +01:00
Daniel Stenberg
26b57832fe
NSS: enable the CAPATH option
...
Bug: http://curl.haxx.se/bug/view.cgi?id=1457
Patch-by: Tomasz Kojm
2014-12-03 06:21:29 -08:00
be1a505189
SSL: Add PEM format support for public key pinning
2014-11-24 19:30:09 +01:00
Steve Holme
bfc63bfb19
vtls.h: Fixed compiler warning when compiled without SSL
...
vtls.c:185:46: warning: unused parameter 'data'
2014-11-09 18:09:58 +00:00
Jay Satiro
e819c3a4ca
SSL: PolarSSL default min SSL version TLS 1.0
...
- Prior to this change no SSL minimum version was set by default at
runtime for PolarSSL. Therefore in most cases PolarSSL would probably
have defaulted to a minimum version of SSLv3 which is no longer secure.
2014-11-04 11:40:51 +01:00
Steve Holme
b04eef1318
openssl: Use 'CURLcode result'
...
More CURLcode fixes.
2014-11-02 00:14:07 +00:00
Steve Holme
f0b4bc12f8
openssl: Use 'CURLcode result'
...
More standardisation of CURLcode usage and coding style.
2014-11-01 17:16:42 +00:00
Steve Holme
14b4707d9a
openssl: Use 'CURLcode result'
...
...and some minor code style changes.
2014-11-01 16:14:05 +00:00
Steve Holme
befbc8f56b
code cleanup: Use 'CURLcode result'
2014-10-30 23:14:45 +00:00
Daniel Stenberg
697aa67d18
openssl: enable NPN separately from ALPN
...
... and allow building with nghttp2 but completely without NPN and ALPN,
as nghttp2 can still be used for plain-text HTTP.
Reported-by: Lucas Pardue
2014-10-29 22:42:46 +01:00
Steve Holme
32913182dc
vtls.c: Fixed compilation warning
...
conversion from 'size_t' to 'unsigned int', possible loss of data
2014-10-29 19:12:27 +00:00
Kamil Dudka
3f430c9c3a
nss: drop the code for libcurl-level downgrade to SSLv3
...
This code was already deactivated by commit
ec783dc142
.
2014-10-29 14:34:46 +01:00
Kamil Dudka
07048941a4
openssl: fix a line length warning
2014-10-29 14:34:46 +01:00
Guenter Knauf
357a15a649
Fixed error message since we require ALPN support.
2014-10-29 01:37:18 +01:00
Guenter Knauf
e42e3a4fac
Check for ALPN via OpenSSL version number.
...
This check works also with to non-configure platforms.
2014-10-29 00:59:38 +01:00
Nick Zitzmann
bd87aec5a7
darwinssl: detect possible future removal of SSLv3 from the framework
...
If Apple ever drops SSLv3 support from the Security framework, we'll fail with an error if the user insists on using SSLv3.
2014-10-24 18:59:13 -05:00
Patrick Monnerat
3ca560439c
gskit.c: remove SSLv3 from SSL default.
2014-10-24 16:08:21 +02:00
Patrick Monnerat
897ef500e5
gskit.c: use 'CURLcode result'
2014-10-24 15:16:05 +02:00
Jay Satiro
ec783dc142
SSL: Remove SSLv3 from SSL default due to POODLE attack
...
- Remove SSLv3 from SSL default in darwinssl, schannel, cyassl, nss,
openssl effectively making the default TLS 1.x. axTLS is not affected
since it supports only TLS, and gnutls is not affected since it already
defaults to TLS 1.x.
- Update CURLOPT_SSLVERSION doc
2014-10-24 13:41:56 +02:00
Daniel Stenberg
0eb3d15ccb
code cleanup: we prefer 'CURLcode result'
...
... for the local variable name in functions holding the return
code. Using the same name universally makes code easier to read and
follow.
Also, unify code for checking for CURLcode errors with:
if(result) or if(!result)
instead of
if(result == CURLE_OK), if(CURLE_OK == result) or if(result != CURLE_OK)
2014-10-24 08:23:19 +02:00
Daniel Stenberg
9f5744a72f
gnutls: removed dead code
...
Bug: http://curl.haxx.se/bug/view.cgi?id=1437
Reported-by: Julien
2014-10-23 10:01:58 +02:00
Daniel Stenberg
e36115d688
Curl_rand: Uninitialized variable: r
...
This is not actually used uninitialized but we silence warnings.
Bug: http://curl.haxx.se/bug/view.cgi?id=1437
Reported-by: Julien
2014-10-23 10:01:36 +02:00
Kamil Dudka
0aecdf6828
nss: reset SSL handshake state machine
...
... when the handshake succeeds
This fixes a connection failure when FTPS handle is reused.
2014-10-20 18:55:51 +02:00
Patrick Monnerat
473322ec66
Implement pinned public key in GSKit backend
2014-10-14 14:58:26 +02:00
Daniel Stenberg
9d64ab7d5a
pinning: minor code style policing
2014-10-13 22:22:49 +02:00
Patrick Monnerat
357ff4d1dc
Factorize pinned public key code into generic file handling and backend specific
2014-10-13 18:34:51 +02:00
Patrick Monnerat
265b9a2e49
vtls: remove QsoSSL
2014-10-13 16:33:47 +02:00
Patrick Monnerat
ec8330b21d
gskit: supply dummy randomization function
2014-10-13 15:02:58 +02:00
Patrick Monnerat
8fdf832e5f
vtls/*: deprecate have_curlssl_md5sum and set-up default md5sum implementation
2014-10-13 14:39:50 +02:00
Daniel Stenberg
6637b237e6
vtls: have vtls.h include the backend header files
...
It turned out some features were not enabled in the build since for
example url.c #ifdefs on features that are defined on a per-backend
basis but vtls.h didn't include the backend headers.
CURLOPT_CERTINFO was one such feature that was accidentally disabled.
2014-10-09 22:34:34 +02:00
Kamil Dudka
9e37a7f9a5
nss: do not fail if a CRL is already cached
...
This fixes a copy-paste mistake from commit 2968f957
.
2014-10-08 17:31:04 +02:00
e644866caf
GnuTLS: Implement public key pinning
2014-10-07 14:55:39 +02:00
93e450793c
SSL: implement public key pinning
...
Option --pinnedpubkey takes a path to a public key in DER format and
only connect if it matches (currently only implemented with OpenSSL).
Provides CURLOPT_PINNEDPUBLICKEY for curl_easy_setopt().
Extract a public RSA key from a website like so:
openssl s_client -connect google.com:443 2>&1 < /dev/null | \
sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -pubkey \
| openssl rsa -pubin -outform DER > google.com.der
2014-10-07 14:44:19 +02:00
Marc Hoersken
330346d51c
curl_schannel.c: Fixed possible memory or handle leak
...
First try to fix possible memory leaks, in this case:
Only connssl->ctxt xor onnssl->cred being initialized.
2014-10-04 18:24:23 +02:00
Daniel Stenberg
d57d041d67
curlssl: make tls backend symbols use curlssl in the name
2014-09-13 15:31:12 +02:00
Daniel Stenberg
4c2e40a488
url: let the backend decide CURLOPT_SSL_CTX_ support
...
... to further remove specific TLS backend knowledge from url.c
2014-09-13 15:28:08 +02:00
Daniel Stenberg
7494f0f498
vtls: have the backend tell if it supports CERTINFO
2014-09-13 15:11:26 +02:00
Daniel Stenberg
8250f93d41
CURLOPT_CAPATH: return failure if set without backend support
2014-09-13 14:56:27 +02:00
Paul Howarth
785395b07e
openssl: build fix for versions < 0.9.8e
...
Bug: http://curl.haxx.se/mail/lib-2014-09/0064.html
2014-09-10 13:09:42 +02:00
Daniel Stenberg
921a0c22a6
polarassl: avoid memset() when clearing the first byte is enough
2014-09-08 10:11:34 +02:00