Dmitry Eremin-Solenikov
d5aab55b33
gtls: don't fail on non-fatal alerts during handshake
...
Stop curl from failing when non-fatal alert is received during
handshake. This e.g. fixes lots of problems when working with https
sites through proxies.
2015-05-20 22:41:30 +02:00
Brian Prodoehl
a393d64456
openssl: Use SSL_CTX_set_msg_callback and SSL_CTX_set_msg_callback_arg
...
BoringSSL removed support for direct callers of SSL_CTX_callback_ctrl
and SSL_CTX_ctrl, so move to a way that should work on BoringSSL and
OpenSSL.
re #275
2015-05-19 22:54:42 +02:00
Alessandro Ghedini
a5e09e9eea
gtls: properly retrieve certificate status
...
Also print the revocation reason if appropriate.
2015-05-04 13:42:45 +02:00
Daniel Stenberg
86bc654532
OpenSSL: conditional check for SSL3_RT_HEADER
...
The symbol is fairly new.
Reported-by: Kamil Dudka
2015-05-04 13:29:34 +02:00
Daniel Stenberg
690317aae2
openssl: skip trace outputs for ssl_ver == 0
...
The OpenSSL trace callback is wonderfully undocumented but given a
journey in the source code, it seems the cases were ssl_ver is zero
doesn't follow the same pattern and thus turned out confusing and
misleading. For now, we skip doing any CURLINFO_TEXT logging on those
but keep sending them as CURLINFO_SSL_DATA_OUT/IN.
Also, I added direction to the text info and I edited some functions
slightly.
Bug: https://github.com/bagder/curl/issues/219
Reported-by: Jay Satiro, Ashish Shukla
2015-05-04 12:27:59 +02:00
Marc Hoersken
3c104448d6
schannel.c: Small changes
2015-05-02 22:21:25 +02:00
Marc Hoersken
ae8387b91c
schannel.c: Improve code path and readability
2015-05-02 20:14:53 +02:00
Marc Hoersken
d93619ca5d
schannel.c: Improve error and return code handling upon aa99a63f03
2015-05-02 20:05:22 +02:00
Chris Araman
aa99a63f03
schannel: fix regression in schannel_recv
...
https://github.com/bagder/curl/issues/244
Commit 145c263
changed the behavior when Curl_read_plain returns
CURLE_AGAIN. We now handle CURLE_AGAIN and SEC_I_CONTEXT_EXPIRED
correctly.
2015-05-02 18:54:13 +02:00
Marc Hoersken
4bb8bad964
Bug born in changes made several days ago 9a91e80
.
...
Commit: https://github.com/bagder/curl/commit/926cb9f
Reported-by: Ray Satiro
2015-05-01 09:39:34 +02:00
Jay Satiro
926cb9ff65
schannel: Fix out of bounds array
...
Bug born in changes made several days ago 9a91e80
.
Bug: http://curl.haxx.se/mail/lib-2015-04/0199.html
Reported-by: Brian Chrisman
2015-04-30 01:44:45 -04:00
Paul Howarth
d4f62f6c5d
nss: fix compilation failure with old versions of NSS
...
Bug: http://curl.haxx.se/mail/lib-2015-04/0095.html
2015-04-27 15:37:16 +02:00
Marc Hoersken
92e754de78
schannel.c: Fix typo introduced with 3447c973d0
2015-04-26 19:57:05 +02:00
Marc Hoersken
9a91e8059b
schannel.c: Fix possible SEC_E_BUFFER_TOO_SMALL error
...
Reported-by: Brian Chrisman
2015-04-26 17:59:01 +02:00
Daniel Stenberg
3447c973d0
schannel: re-indented file to follow curl style better
...
white space changes only
2015-04-26 17:40:40 +02:00
Daniel Stenberg
cae43a10cb
Curl_ossl_init: load builtin modules
...
To have engine modules work, we must tell openssl to load builtin
modules first.
Bug: https://github.com/bagder/curl/pull/206
2015-04-26 17:26:31 +02:00
Daniel Stenberg
aff153f83a
openssl: fix serial number output
...
The code extracting the cert serial number was broken and didn't display
it properly.
Bug: https://github.com/bagder/curl/issues/235
Reported-by: dkjjr89
2015-04-26 16:36:19 +02:00
Jay Satiro
0675abbc75
cyassl: Implement public key pinning
...
Also add public key extraction example to CURLOPT_PINNEDPUBLICKEY doc.
2015-04-22 17:07:19 -04:00
Kamil Dudka
b47c17d67c
nss: implement public key pinning for NSS backend
...
Bug: https://bugzilla.redhat.com/1195771
2015-04-22 13:21:31 +02:00
byronhe
6088fbce06
openssl: add OPENSSL_NO_SSL3_METHOD check
2015-04-21 15:25:21 -04:00
Viktor Szakáts
3a87bdebd1
vtls/openssl: use https in URLs and a comment typo fixed
2015-04-19 19:52:37 +02:00
Jay Satiro
f70112522f
cyassl: Fix include order
...
Prior to this change CyaSSL's build options could redefine some generic
build symbols.
http://curl.haxx.se/mail/lib-2015-04/0069.html
2015-04-17 15:24:04 -04:00
Jay Satiro
9430dd583e
cyassl: Add support for TLS extension SNI
2015-04-14 02:05:25 -04:00
Matthew Hall
a471a9f3b6
vtls_openssl: improve PKCS#12 load failure error message
2015-04-13 22:25:04 +02:00
Matthew Hall
27ac643455
vtls_openssl: fix minor typo in PKCS#12 load routine
2015-04-13 22:25:04 +02:00
Matthew Hall
b3175a767d
vtls_openssl: improve client certificate load failure error messages
2015-04-13 22:25:04 +02:00
Matthew Hall
58b0a8b059
vtls_openssl: remove ambiguous SSL_CLIENT_CERT_ERR constant
2015-04-13 22:25:04 +02:00
Jay Satiro
72bea7cc65
cyassl: Include the CyaSSL build config
...
CyaSSL >= 2.6.0 may have an options.h that was generated during
its build by configure.
2015-04-11 23:58:42 -04:00
Jay Satiro
d363c07912
cyassl: Use CYASSL_MAX_ERROR_SZ for error buffer size
...
Also fix it so that all ERR_error_string calls use an error buffer.
CyaSSL's implementation of ERR_error_string only writes the error when
an error buffer is passed.
http://www.yassl.com/forums/topic599-openssl-compatibility-and-errerrorstring.html
2015-04-06 17:54:14 +02:00
Jay Satiro
a30be951d6
cyassl: Remove 'Connecting to' message from cyassl_connect_step2
...
Prior to this change libcurl could show multiple 'CyaSSL: Connecting to'
messages since cyassl_connect_step2 is called multiple times, typically.
The message is superfluous even once since libcurl already informs the
user elsewhere in code that it is connecting.
2015-04-05 18:18:11 +02:00
Jay Satiro
f203edc544
cyassl: Set minimum protocol version before CTX callback
...
This change is to allow the user's CTX callback to change the minimum
protocol version in the CTX without us later overriding it, as we did
prior to this change.
2015-04-03 10:51:58 +02:00
Jay Satiro
0b5efa57ad
cyassl: Fix certificate load check
...
SSL_CTX_load_verify_locations can return negative values on fail,
therefore to check for failure we check if load is != 1 (success)
instead of if load is == 0 (failure), the latter being incorrect given
that behavior.
2015-04-02 17:18:42 +02:00
Jay Satiro
b121633402
cyassl: Fix library initialization return value
...
(Curl_cyassl_init)
- Return 1 on success, 0 in failure.
Prior to this change the fail path returned an incorrect value and the
evaluation to determine whether CyaSSL_Init had succeeded was incorrect.
Ironically that combined with the way curl_global_init tests SSL library
initialization (!Curl_ssl_init()) meant that CyaSSL having been
successfully initialized would be seen as that even though the code path
and return value in Curl_cyassl_init were wrong.
2015-04-01 08:10:58 +02:00
Dan Fandrich
049fe7fb53
axtls: add timeout within Curl_axtls_connect
...
This allows test 405 to pass on axTLS.
2015-03-31 02:04:22 +02:00
Jay Satiro
fcdc597b1a
cyassl: CTX callback cosmetic changes and doc fix
...
- More descriptive fail message for NO_FILESYSTEM builds.
- Cosmetic changes.
- Change more of CURLOPT_SSL_CTX_* doc to not be OpenSSL specific.
2015-03-28 16:41:51 +01:00
Kyle L. Huff
d2feb71752
cyassl: add SSL context callback support for CyaSSL
...
Adds support for CURLOPT_SSL_CTX_FUNCTION when using CyaSSL, and better
handles CyaSSL instances using NO_FILESYSTEM.
2015-03-27 23:32:14 +01:00
Kyle L. Huff
211f1e3c6b
cyassl: remove undefined reference to CyaSSL_no_filesystem_verify
...
CyaSSL_no_filesystem_verify is not (or no longer) defined by cURL or
CyaSSL. This reference causes build errors when compiling with
NO_FILESYSTEM.
2015-03-27 23:31:12 +01:00
Jay Satiro
e7a289ebb9
vtls: Don't accept unknown CURLOPT_SSLVERSION values
2015-03-27 09:32:23 +01:00
Daniel Stenberg
5b58bface3
polarssl: called mbedTLS in 1.3.10 and later
2015-03-25 09:19:57 +01:00
Daniel Stenberg
83b29e43cd
polarssl: remove dead code
...
and simplify code by changing if-elses to a switch()
CID 1291706: Logically dead code. Execution cannot reach this statement
2015-03-25 09:01:11 +01:00
Daniel Stenberg
24908c12d7
polarssl: remove superfluous for(;;) loop
...
"unreachable: Since the loop increment is unreachable, the loop body
will never execute more than once."
Coverity CID 1291707
2015-03-25 08:49:34 +01:00
Daniel Stenberg
4e299192ed
Curl_ssl_md5sum: return CURLcode
...
... since the funciton can fail on OOM. Check this return code.
Coverity CID 1291705.
2015-03-25 08:32:12 +01:00
Jay Satiro
e35f2e61ec
cyassl: default to highest possible TLS version
...
(cyassl_connect_step1)
- Use TLS 1.0-1.2 by default when available.
CyaSSL/wolfSSL >= v3.3.0 supports setting a minimum protocol downgrade
version.
cyassl/cyassl@322f79f
2015-03-25 08:10:24 +01:00
Jay Satiro
d29f8b460c
cyassl: Check for invalid length parameter in Curl_cyassl_random
2015-03-25 08:08:12 +01:00
Jay Satiro
ec31962640
cyassl: If wolfSSL then identify as such in version string
2015-03-25 08:08:12 +01:00
Dan Fandrich
35648f2e79
curl_memory: make curl_memory.h the second-last header file loaded
...
This header file must be included after all header files except
memdebug.h, as it does similar memory function redefinitions and can be
similarly affected by conflicting definitions in system or dependent
library headers.
2015-03-24 23:47:01 +01:00
Daniel Stenberg
ac2827ac09
openssl: do the OCSP work-around for libressl too
...
I tested with libressl git master now (v2.1.4-27-g34bf96c) and it seems to
still require the work-around for stapling to work.
2015-03-24 23:39:52 +01:00
Daniel Stenberg
bd9ac3cff2
openssl: verifystatus: only use the OCSP work-around <= 1.0.2a
...
URL: http://curl.haxx.se/mail/lib-2015-03/0205.html
Reported-by: Alessandro Ghedini
2015-03-24 23:06:37 +01:00
Daniel Stenberg
7e6ca87a72
openssl: adapt to ASN1/X509 things gone opaque in 1.1
2015-03-24 22:59:33 +01:00
Dan Fandrich
56ae66d518
vtls: fix compile with --disable-crypto-auth but with SSL
...
This is a strange combination of options, but is allowed.
2015-03-24 21:41:22 +01:00