mirror of https://github.com/moparisthebest/curl synced 2024-12-23 16:48:49 -05:00
Jay Satiro 78cef06847 openssl: Revert to less sensitivity for SYSCALL errors
- Disable the extra sensitivity except in debug builds (--enable-debug).

- Improve SYSCALL error message logic in ossl_send and ossl_recv so that
  "No error" / "Success" socket error text isn't shown on SYSCALL error.

Prior to this change, 0ab38f5 (precedes 7.67.0) increased the sensitivity
of OpenSSL's SSL_ERROR_SYSCALL error so that abrupt server closures were
also considered errors. For example, a server that does not send a known
protocol termination point (e.g. HTTP content length or chunked encoding)
_and_ does not send a TLS termination point (close_notify alert) would
cause an error if it closed the connection.

To be clear, that behavior made it into release build 7.67.0
unintentionally. Several users have reported it as an issue.

Ultimately the idea is a good one, since it can help protect against a
truncation attack. Other SSL backends may already behave similarly (such
as Windows native OS SSL Schannel). However, much more of our user base
is using OpenSSL and there is a mass of legacy users in that space, so I
think that behavior should be partially reverted and then rolled out
slowly.

This commit changes the behavior so that the increased sensitivity is
disabled in all curl builds except curl debug builds (DEBUGBUILD). If
after a period of time there are no major issues then it can be enabled
in dev and release builds with the newest OpenSSL (1.1.1+), since users
using the newest OpenSSL are the least likely to have legacy problems.

Bug: https://github.com/curl/curl/issues/4409#issuecomment-555955794
Reported-by: Bjoern Franke

Fixes https://github.com/curl/curl/issues/4624
Closes https://github.com/curl/curl/pull/4623
2019-11-22 22:29:39 -05:00
.github CI: initial github action job 2019-09-14 20:25:43 +02:00
CMake copyrights: update all copyright notices to 2019 on files changed this year 2019-11-02 23:15:56 +01:00
docs test1175: verify symbols-in-versions and libcurl-errors.3 in sync 2019-11-22 09:11:53 +01:00
include include: make CURLE_HTTP3 use a new error code 2019-11-21 23:16:29 +01:00
lib openssl: Revert to less sensitivity for SYSCALL errors 2019-11-22 22:29:39 -05:00
m4 ESNI: initial build/setup 2019-10-02 12:33:08 +02:00
packages projects: Fix Visual Studio wolfSSL configurations 2019-11-18 18:42:34 -05:00
plan9 plan9: fix installation instructions 2019-08-29 19:24:59 +02:00
projects projects: Fix Visual Studio wolfSSL configurations 2019-11-18 18:42:34 -05:00
scripts scripts/contributors: make committers get included too 2019-11-08 09:45:58 +01:00
src curl: add --parallel-immediate 2019-11-21 16:36:10 +01:00
tests test1175: verify symbols-in-versions and libcurl-errors.3 in sync 2019-11-22 09:11:53 +01:00
winbuild winbuild: add ENABLE_UNICODE option 2019-10-04 11:29:08 +02:00
.cirrus.yml cirrus: switch off blackhole status on the freebsd CI machines 2019-10-09 14:16:28 +02:00
.dir-locals.el Add .dir-locals and set c-basic-offset to 2. 2015-12-23 10:16:14 +01:00
.gitattributes .gitattributes: make tabs in indentation a visible error 2018-12-06 20:21:17 +01:00
.gitignore scripts/completion.pl: also generate fish completion file 2019-03-02 11:31:18 +01:00
.lgtm.yml CI: remove duplicate configure flag for LGTM.com 2019-08-31 11:40:09 +02:00
.mailmap mailmap: fixup Massimiliano Fantuzzi 2019-11-08 09:46:48 +01:00
.travis-iconv-env.sh travis: add build with iconv enabled 2018-02-15 14:18:34 +01:00
.travis.yml checksrc: repair the copyrightyear check 2019-11-08 14:51:42 +01:00
acinclude.m4 configure: add --with-amissl 2019-03-15 10:22:42 +01:00
appveyor.yml appveyor: publish artifacts on appveyor 2019-10-30 09:41:38 +01:00
buildconf includes: remove curl/curlbuild.h and curl/curlrules.h 2017-06-14 11:07:33 +02:00
buildconf.bat copyrights: update all copyright notices to 2019 on files changed this year 2019-11-02 23:15:56 +01:00
CHANGES CHANGES: spell fix, use correct path to script 2017-02-07 08:22:37 +01:00
CMakeLists.txt build: Remove unused HAVE_LIBSSL and HAVE_LIBCRYPTO defines 2019-10-05 19:18:30 -04:00
configure.ac configure: fix typo in help text 2019-11-08 01:35:33 -05:00
COPYING COPYING: it's 2019 2019-01-19 20:26:31 +01:00
curl-config.in curl-config.in: remove dependency on bc 2018-10-26 00:06:19 +02:00
GIT-INFO CHANGES.0: removed 2017-02-07 08:20:10 +01:00
libcurl.pc.in URLs: change all http:// URLs to https:// 2016-02-03 00:19:02 +01:00
MacOSX-Framework includes: remove curl/curlbuild.h and curl/curlrules.h 2017-06-14 11:07:33 +02:00
Makefile.am plan9: add support for running on Plan 9 2019-07-31 00:23:25 +02:00
Makefile.dist build: remove the Borland specific makefiles 2018-06-02 11:23:40 +02:00
maketgz maketgz: delete .bak files, fix indentation 2018-06-15 23:28:34 +00:00
README docs: minor polish to the bug bounty / security docs 2019-04-29 08:09:10 +02:00
README.md README: minor grammar fix 2019-09-26 23:28:10 +02:00
RELEASE-NOTES bump: next release will be 7.68.0 2019-11-21 16:36:19 +01:00
SECURITY.md SECURITY.md: created 2019-06-10 10:16:02 +02:00



Curl is a command-line tool for transferring data specified with URL syntax. Find out how to use curl by reading the curl.1 man page or the MANUAL document. Find out how to install Curl by reading the INSTALL document.

libcurl is the library curl is using to do its job. It is readily available to be used by your software. Read the libcurl.3 man page to learn how!

You can find answers to the most frequent questions we get in the FAQ document.

Study the COPYING file for distribution terms and similar. If you distribute curl binaries or other binaries that involve libcurl, you might enjoy the LICENSE-MIXING document.

Contact

If you have problems, questions, ideas or suggestions, please contact us by posting to a suitable mailing list.

All contributors to the project are listed in the THANKS document.

Website

Visit the curl web site for the latest news and downloads.

Git

To download the very latest source from the Git server do this:

git clone https://github.com/curl/curl.git

(you'll get a directory named curl created, filled with the source code)

Security problems

Report suspected security problems via our HackerOne page and not in public!

Notice

Curl contains pieces of source code that are Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan. This notice is included here to comply with the distribution terms.

Backers

Thank you to all our backers! 🙏 [Become a backer]

Sponsors

Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [Become a sponsor]