316f79cef2
ALPN: fix typo in http/1.1 identifier
...
According to https://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-05
it is "http/1.1" and not "http/1.0".
2014-05-20 12:57:56 +02:00
5a067c4b39
axtls: Fixed too long source line
2014-05-17 11:54:48 +02:00
c9ea1d341a
axtls: Add a TODO to a potential blocking call with no timeout
2014-05-16 23:27:07 +02:00
53a5b95c21
CURLINFO_SSL_VERIFYRESULT: assign at first connect call
...
The variable wasn't assigned at all until step3 which would lead to a
failed connect never assigning the variable and thus returning a bad
value.
Reported-by: Larry Lin
Bug: http://curl.haxx.se/mail/lib-2014-04/0203.html
2014-05-15 22:02:00 +02:00
678239df54
darwinssl: Updated copyright following recent changes
2014-05-15 18:38:42 +01:00
69cdc95932
darwinssl: fix potential crash when attempting to copy an identity
...
from a P12 file
This could've happened if SecPKCS12Import() returned noErr _and_ no
identity.
2014-05-14 17:48:14 -05:00
52d16c84d2
openssl: unbreak PKCS12 support
...
Regression introduced in ce362e8eb9http://curl.haxx.se/bug/view.cgi?id=1371
Reported-by: Dmitry
2014-05-12 13:06:50 +02:00
a18a2ba0bb
schannel: don't use the connect-timeout during send
...
As there's a default connection timeout and this wrongly used the
connection timeout during a transfer after the connection is completed,
this function would trigger timeouts during transfers erroneously.
Bug: http://curl.haxx.se/bug/view.cgi?id=1352
Figured-out-by: Radu Simionescu
2014-05-05 00:10:37 +02:00
21aafd09f6
openssl: biomem->data is not zero terminated
...
So printf(%s) on it or reading before bounds checking is wrong, fixing
it. Could previously lead to reading out of boundary.
Reported-by: Török Edwin
2014-05-04 00:50:10 +02:00
9c941e92c4
nss: propagate blocking direction from NSPR I/O
...
... during the non-blocking SSL handshake
2014-04-25 15:08:12 +02:00
0204e17bc6
cyassl: Use error-ssl.h when available
...
Versions since at least 2.9.4 renamed error.h to error-ssl.h, so use
whichever one is available.
2014-04-23 11:01:30 +02:00
386ed2d590
gtls: fix NULL pointer dereference
...
gnutls_x509_crt_import() must not be called with a NULL certificate
Bug: http://curl.haxx.se/mail/lib-2014-04/0145.html
Reported-by: Damian Dixon
2014-04-22 23:24:31 +02:00
8868a226cd
nss: implement non-blocking SSL handshake
2014-04-22 22:56:14 +02:00
a43bba3a34
nss: split Curl_nss_connect() into 4 functions
2014-04-22 22:56:14 +02:00
6f72c2fe31
curl_schannel.c: added explicit cast of structure pointers
2014-04-18 22:38:42 +02:00
a703914e60
curl_schannel.c: fix possible dereference of null pointer
2014-04-18 22:36:12 +02:00
97f214d0c9
http2+openssl: fix compiler warnings in ALPN using code
2014-04-03 17:03:02 +02:00
6448946ac3
http2: let openssl mention the exact protocol negotiated
...
Remove a superfluous "negotiated http2" info line
2014-03-31 09:00:58 +02:00
ef813c7097
http2: remove _DRAFT09 from the NPN_HTTP2 enum
...
We're progressing throught drafts so there's no point in having a fixed
one in a symbol that'll survive.
2014-03-31 08:40:24 +02:00
196140dcaf
polarssl: avoid extra newlines in debug messages
...
The debug messages printed inside PolarSSL always seems to end with a
newline. So 'infof()' should not add one. Besides the trace 'line'
should be 'const'.
2014-03-22 16:55:39 +01:00
ff25f437a5
polarssl: break compatibility with version older than 1.3.
...
Remove all #ifdef/else/endif macros that ensure compatibility with polarssl
version previous than 1.3.
2014-03-18 21:01:11 +01:00
31265376bc
polarssl: drop use of 1.2 compatibility header.
...
API has changed since version 1.3. A compatibility header has been created
to ensure forward compatibility for code using old API:
* x509 certificate structure has been renamed to from x509_cert to
x509_crt
* new dedicated setter for RSA certificates ssl_set_own_cert_rsa,
ssl_set_own_cert is for generic keys
* ssl_default_ciphersuites has been replaced by function
ssl_list_ciphersuites()
This patch drops the use of the compatibly header.
2014-03-18 21:01:11 +01:00
7a1fb8e816
polarssl: added missing end-of-comment from previous commit
2014-03-18 08:03:45 +01:00
5017d5ada8
polarssl: now require 1.3.0+
...
Also fixed a function name change in the version requirement bump
2014-03-17 20:48:06 +01:00
4d6108315b
polarssl: fix compilation
...
Rename x509_cert to x509_crt and add "compat-1.2.h"
include.
This would still need some more thorough conversion
in order to drop "compat-1.2.h" include.
2014-03-17 20:08:45 +01:00
67061e3f4e
nss: allow to enable/disable new AES GCM cipher-suites
...
... if built against a new enough version of NSS
2014-03-15 13:07:55 +01:00
c864d81289
nss: allow to enable/disable new HMAC-SHA256 cipher-suites
...
... if built against a new enough version of NSS
2014-03-15 13:07:55 +01:00
b4f6cd46eb
nss: do not enable AES cipher-suites by default
...
... but allow them to be enabled/disabled explicitly. The default
policy should be maintained at the NSS level.
2014-03-15 13:07:55 +01:00
dcdbac2568
openssl: info massage with SSL version used
...
Patch-by: byte_bucket
2014-03-10 17:13:11 +01:00
6f416fa462
NSS: avoid compiler warnings when built without http2 support
2014-03-03 08:39:25 +01:00
e9665e9658
Merge pull request #93 from d235j/darwinssl_ip_address_fix
...
darwinssl: don't omit CN verification when an IP address is used
2014-02-25 17:36:44 -06:00
e904b15f21
curl_schannel.c: Updated copyright years
2014-02-24 22:12:55 +01:00
63fc8ee7be
winssl: Enable hostname verification of IP address using SAN or CN
...
Original commit message was:
Don't omit CN verification in SChannel when an IP address is used.
Side-effect of this change:
SChannel and CryptoAPI do not support the iPAddress subjectAltName
according to RFC 2818. If present, SChannel will first compare the
IP address to the dNSName subjectAltNames and then fallback to the
most specific Common Name in the Subject field of the certificate.
This means that after this change curl will not connect to SSL/TLS
hosts as long as the IP address is not specified in the SAN or CN
of the server certificate or the verifyhost option is disabled.
2014-02-24 22:12:55 +01:00
afc6e5004f
Don't omit CN verification in DarwinSSL when an IP address is used.
2014-02-23 12:37:27 -05:00
8749bbe7fd
axtls: comment the call ssl_read repeatedly loop
2014-02-18 21:14:09 +01:00
575a2b684b
axtls: bump copyright year
2014-02-16 23:31:47 +01:00
86f266b004
axtls: call ssl_read repeatedly
...
Perform more work in between sleeps. This is work around the
fact that axtls does not expose any knowledge about when work needs
to be performed. Depending on connection and how often perform is
being called this can save ~25% of time on SSL handshakes (measured
on 20ms latency connection calling perform roughly every 10ms).
2014-02-16 23:30:21 +01:00
ec9476052d
openssl: honor --[no-]alpn|npn command line switch
...
Disable ALPN or NPN if requested by the user.
2014-02-11 22:55:23 +01:00
8f5a9147be
gtls: honor --[no-]alpn command line switch
...
Disable ALPN if requested by the user.
2014-02-11 22:54:37 +01:00
909a68c121
NPN/ALPN: allow disabling via command line
...
when using --http2 one can now selectively disable NPN or ALPN with
--no-alpn and --no-npn. for now honored with NSS only.
TODO: honor this option with GnuTLS and OpenSSL
2014-02-10 13:06:17 +01:00
70bd9784de
nss: use correct preprocessor macro
...
SSL_ENABLE_ALPN can be used for preprocessor ALPN feature detection,
but not SSL_NEXT_PROTO_SELECTED, since it is an enum value and not a
preprocessor macro.
2014-02-10 08:09:02 +01:00
09d907ee68
nss: support pre-ALPN versions
2014-02-07 15:38:45 +01:00
f3a12460ad
nss: ALPN and NPN support
...
Add ALPN and NPN support for NSS. This allows cURL to negotiate
HTTP/2.0 connections when built with NSS.
2014-02-07 15:35:23 +01:00
265f2e9ed7
nss: Updated copyright year for recent edits
2014-02-06 22:32:56 +00:00
ff92fcfb90
nss: prefer highest available TLS version
...
Offer TLSv1.0 to 1.2 by default, still fall back to SSLv3
if --tlsv1[.N] was not specified on the command line.
2014-02-06 23:09:56 +01:00
4d8db595ca
gtls: add ALPN support
...
Add ALPN support when using GnuTLS >= 3.2.0. This allows
libcurl to negotiate HTTP/2.0 for https connections when
built with GnuTLS.
See:
http://www.gnutls.org/manual/gnutls.html#Application-Layer-Protocol-Negotiation-_0028ALPN_0029
http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04
2014-02-04 09:48:27 +01:00
8b6654224b
openssl: add ALPN support
...
Add ALPN support when using OpenSSL. This will offer ALPN and NPN to the
server, who can respond with either one or none of the two. OpenSSL >=
1.0.2 is required, which means as of today obtaining a snapshot from
ftp://ftp.openssl.org/snapshot/.
See:
http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04
ba168244a1/ssl/ssl_lib.c (L1787)
2014-02-03 23:46:06 +01:00
82f558366f
winssl: improved default SSL/TLS protocol selection
...
For some reason Windows 7 SP1 chooses TLS 1.0 instead of TLS 1.2
if it is not explicitly enabled within grbitEnabledProtocols.
More information can be found on MSDN:
http://msdn.microsoft.com/library/windows/desktop/aa379810.aspx
2014-01-31 20:01:25 +01:00
99b4ff8b6f
http2-openssl: verify that NPN functionality is present
2014-01-30 11:24:15 +01:00
22c198fa89
openssl: set up hooks with to perform NPN
...
NPN is what is available in the wild today to negotiate SPDY or HTTP/2.0
connections. It is expected to be replaced by ALPN in the future. If
HTTP/2.0 is negotiated, this is indicated for the entire connection and
http.c is expected to initialize itself for HTTP/2.0 instead of
HTTP/1.1.
see:
http://technotes.googlecode.com/git/nextprotoneg.html
http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04
2014-01-30 11:13:28 +01:00
Fabian Frank