Fabian Frank
316f79cef2
ALPN: fix typo in http/1.1 identifier
...
According to https://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-05
it is "http/1.1" and not "http/1.0".
2014-05-20 12:57:56 +02:00
Dan Fandrich
5a067c4b39
axtls: Fixed too long source line
2014-05-17 11:54:48 +02:00
Dan Fandrich
c9ea1d341a
axtls: Add a TODO to a potential blocking call with no timeout
2014-05-16 23:27:07 +02:00
Daniel Stenberg
53a5b95c21
CURLINFO_SSL_VERIFYRESULT: assign at first connect call
...
The variable wasn't assigned at all until step3 which would lead to a
failed connect never assigning the variable and thus returning a bad
value.
Reported-by: Larry Lin
Bug: http://curl.haxx.se/mail/lib-2014-04/0203.html
2014-05-15 22:02:00 +02:00
Steve Holme
678239df54
darwinssl: Updated copyright following recent changes
2014-05-15 18:38:42 +01:00
Nick Zitzmann
69cdc95932
darwinssl: fix potential crash when attempting to copy an identity
...
from a P12 file
This could've happened if SecPKCS12Import() returned noErr _and_ no
identity.
2014-05-14 17:48:14 -05:00
Daniel Stenberg
52d16c84d2
openssl: unbreak PKCS12 support
...
Regression introduced in ce362e8eb9
(7.31.0)
Bug: http://curl.haxx.se/bug/view.cgi?id=1371
Reported-by: Dmitry
2014-05-12 13:06:50 +02:00
Daniel Stenberg
a18a2ba0bb
schannel: don't use the connect-timeout during send
...
As there's a default connection timeout and this wrongly used the
connection timeout during a transfer after the connection is completed,
this function would trigger timeouts during transfers erroneously.
Bug: http://curl.haxx.se/bug/view.cgi?id=1352
Figured-out-by: Radu Simionescu
2014-05-05 00:10:37 +02:00
Daniel Stenberg
21aafd09f6
openssl: biomem->data is not zero terminated
...
So printf(%s) on it or reading before bounds checking is wrong, fixing
it. Could previously lead to reading out of boundary.
Reported-by: Török Edwin
2014-05-04 00:50:10 +02:00
Kamil Dudka
9c941e92c4
nss: propagate blocking direction from NSPR I/O
...
... during the non-blocking SSL handshake
2014-04-25 15:08:12 +02:00
Dan Fandrich
0204e17bc6
cyassl: Use error-ssl.h when available
...
Versions since at least 2.9.4 renamed error.h to error-ssl.h, so use
whichever one is available.
2014-04-23 11:01:30 +02:00
Daniel Stenberg
386ed2d590
gtls: fix NULL pointer dereference
...
gnutls_x509_crt_import() must not be called with a NULL certificate
Bug: http://curl.haxx.se/mail/lib-2014-04/0145.html
Reported-by: Damian Dixon
2014-04-22 23:24:31 +02:00
Kamil Dudka
8868a226cd
nss: implement non-blocking SSL handshake
2014-04-22 22:56:14 +02:00
Kamil Dudka
a43bba3a34
nss: split Curl_nss_connect() into 4 functions
2014-04-22 22:56:14 +02:00
Marc Hoersken
6f72c2fe31
curl_schannel.c: added explicit cast of structure pointers
2014-04-18 22:38:42 +02:00
Marc Hoersken
a703914e60
curl_schannel.c: fix possible dereference of null pointer
2014-04-18 22:36:12 +02:00
Daniel Stenberg
97f214d0c9
http2+openssl: fix compiler warnings in ALPN using code
2014-04-03 17:03:02 +02:00
Daniel Stenberg
6448946ac3
http2: let openssl mention the exact protocol negotiated
...
Remove a superfluous "negotiated http2" info line
2014-03-31 09:00:58 +02:00
Daniel Stenberg
ef813c7097
http2: remove _DRAFT09 from the NPN_HTTP2 enum
...
We're progressing throught drafts so there's no point in having a fixed
one in a symbol that'll survive.
2014-03-31 08:40:24 +02:00
Gisle Vanem
196140dcaf
polarssl: avoid extra newlines in debug messages
...
The debug messages printed inside PolarSSL always seems to end with a
newline. So 'infof()' should not add one. Besides the trace 'line'
should be 'const'.
2014-03-22 16:55:39 +01:00
Gaël PORTAY
ff25f437a5
polarssl: break compatibility with version older than 1.3.
...
Remove all #ifdef/else/endif macros that ensure compatibility with polarssl
version previous than 1.3.
2014-03-18 21:01:11 +01:00
Gaël PORTAY
31265376bc
polarssl: drop use of 1.2 compatibility header.
...
API has changed since version 1.3. A compatibility header has been created
to ensure forward compatibility for code using old API:
* x509 certificate structure has been renamed to from x509_cert to
x509_crt
* new dedicated setter for RSA certificates ssl_set_own_cert_rsa,
ssl_set_own_cert is for generic keys
* ssl_default_ciphersuites has been replaced by function
ssl_list_ciphersuites()
This patch drops the use of the compatibly header.
2014-03-18 21:01:11 +01:00
Daniel Stenberg
7a1fb8e816
polarssl: added missing end-of-comment from previous commit
2014-03-18 08:03:45 +01:00
Daniel Stenberg
5017d5ada8
polarssl: now require 1.3.0+
...
Also fixed a function name change in the version requirement bump
2014-03-17 20:48:06 +01:00
hasufell
4d6108315b
polarssl: fix compilation
...
Rename x509_cert to x509_crt and add "compat-1.2.h"
include.
This would still need some more thorough conversion
in order to drop "compat-1.2.h" include.
2014-03-17 20:08:45 +01:00
Kamil Dudka
67061e3f4e
nss: allow to enable/disable new AES GCM cipher-suites
...
... if built against a new enough version of NSS
2014-03-15 13:07:55 +01:00
Kamil Dudka
c864d81289
nss: allow to enable/disable new HMAC-SHA256 cipher-suites
...
... if built against a new enough version of NSS
2014-03-15 13:07:55 +01:00
Kamil Dudka
b4f6cd46eb
nss: do not enable AES cipher-suites by default
...
... but allow them to be enabled/disabled explicitly. The default
policy should be maintained at the NSS level.
2014-03-15 13:07:55 +01:00
Daniel Stenberg
dcdbac2568
openssl: info massage with SSL version used
...
Patch-by: byte_bucket
2014-03-10 17:13:11 +01:00
Daniel Stenberg
6f416fa462
NSS: avoid compiler warnings when built without http2 support
2014-03-03 08:39:25 +01:00
nickzman
e9665e9658
Merge pull request #93 from d235j/darwinssl_ip_address_fix
...
darwinssl: don't omit CN verification when an IP address is used
2014-02-25 17:36:44 -06:00
Marc Hoersken
e904b15f21
curl_schannel.c: Updated copyright years
2014-02-24 22:12:55 +01:00
David Ryskalczyk
63fc8ee7be
winssl: Enable hostname verification of IP address using SAN or CN
...
Original commit message was:
Don't omit CN verification in SChannel when an IP address is used.
Side-effect of this change:
SChannel and CryptoAPI do not support the iPAddress subjectAltName
according to RFC 2818. If present, SChannel will first compare the
IP address to the dNSName subjectAltNames and then fallback to the
most specific Common Name in the Subject field of the certificate.
This means that after this change curl will not connect to SSL/TLS
hosts as long as the IP address is not specified in the SAN or CN
of the server certificate or the verifyhost option is disabled.
2014-02-24 22:12:55 +01:00
David Ryskalczyk
afc6e5004f
Don't omit CN verification in DarwinSSL when an IP address is used.
2014-02-23 12:37:27 -05:00
Dan Fandrich
8749bbe7fd
axtls: comment the call ssl_read repeatedly loop
2014-02-18 21:14:09 +01:00
Daniel Stenberg
575a2b684b
axtls: bump copyright year
2014-02-16 23:31:47 +01:00
Fabian Frank
86f266b004
axtls: call ssl_read repeatedly
...
Perform more work in between sleeps. This is work around the
fact that axtls does not expose any knowledge about when work needs
to be performed. Depending on connection and how often perform is
being called this can save ~25% of time on SSL handshakes (measured
on 20ms latency connection calling perform roughly every 10ms).
2014-02-16 23:30:21 +01:00
Fabian Frank
ec9476052d
openssl: honor --[no-]alpn|npn command line switch
...
Disable ALPN or NPN if requested by the user.
2014-02-11 22:55:23 +01:00
Fabian Frank
8f5a9147be
gtls: honor --[no-]alpn command line switch
...
Disable ALPN if requested by the user.
2014-02-11 22:54:37 +01:00
Fabian Frank
909a68c121
NPN/ALPN: allow disabling via command line
...
when using --http2 one can now selectively disable NPN or ALPN with
--no-alpn and --no-npn. for now honored with NSS only.
TODO: honor this option with GnuTLS and OpenSSL
2014-02-10 13:06:17 +01:00
Fabian Frank
70bd9784de
nss: use correct preprocessor macro
...
SSL_ENABLE_ALPN can be used for preprocessor ALPN feature detection,
but not SSL_NEXT_PROTO_SELECTED, since it is an enum value and not a
preprocessor macro.
2014-02-10 08:09:02 +01:00
Daniel Stenberg
09d907ee68
nss: support pre-ALPN versions
2014-02-07 15:38:45 +01:00
Fabian Frank
f3a12460ad
nss: ALPN and NPN support
...
Add ALPN and NPN support for NSS. This allows cURL to negotiate
HTTP/2.0 connections when built with NSS.
2014-02-07 15:35:23 +01:00
Steve Holme
265f2e9ed7
nss: Updated copyright year for recent edits
2014-02-06 22:32:56 +00:00
Fabian Frank
ff92fcfb90
nss: prefer highest available TLS version
...
Offer TLSv1.0 to 1.2 by default, still fall back to SSLv3
if --tlsv1[.N] was not specified on the command line.
2014-02-06 23:09:56 +01:00
Fabian Frank
4d8db595ca
gtls: add ALPN support
...
Add ALPN support when using GnuTLS >= 3.2.0. This allows
libcurl to negotiate HTTP/2.0 for https connections when
built with GnuTLS.
See:
http://www.gnutls.org/manual/gnutls.html#Application-Layer-Protocol-Negotiation-_0028ALPN_0029
http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04
2014-02-04 09:48:27 +01:00
Fabian Frank
8b6654224b
openssl: add ALPN support
...
Add ALPN support when using OpenSSL. This will offer ALPN and NPN to the
server, who can respond with either one or none of the two. OpenSSL >=
1.0.2 is required, which means as of today obtaining a snapshot from
ftp://ftp.openssl.org/snapshot/.
See:
http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04
ba168244a1/ssl/ssl_lib.c (L1787)
2014-02-03 23:46:06 +01:00
Marc Hoersken
82f558366f
winssl: improved default SSL/TLS protocol selection
...
For some reason Windows 7 SP1 chooses TLS 1.0 instead of TLS 1.2
if it is not explicitly enabled within grbitEnabledProtocols.
More information can be found on MSDN:
http://msdn.microsoft.com/library/windows/desktop/aa379810.aspx
2014-01-31 20:01:25 +01:00
Daniel Stenberg
99b4ff8b6f
http2-openssl: verify that NPN functionality is present
2014-01-30 11:24:15 +01:00
Fabian Frank
22c198fa89
openssl: set up hooks with to perform NPN
...
NPN is what is available in the wild today to negotiate SPDY or HTTP/2.0
connections. It is expected to be replaced by ALPN in the future. If
HTTP/2.0 is negotiated, this is indicated for the entire connection and
http.c is expected to initialize itself for HTTP/2.0 instead of
HTTP/1.1.
see:
http://technotes.googlecode.com/git/nextprotoneg.html
http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04
2014-01-30 11:13:28 +01:00