summaryrefslogtreecommitdiff
path: root/lib/ssluse.c
Commit message (Collapse)AuthorAgeFilesLines
* vtls: moved all TLS/SSL source and header files into subdirDaniel Stenberg2013-12-201-2731/+0
|
* vtls: created subdir, moved sslgen.[ch] there, updated all include linesDaniel Stenberg2013-12-201-1/+1
|
* SSL: Follow up work to commits 6a1363128f1107 and 87861c9b0e8155Steve Holme2013-10-171-9/+3
| | | | | | Changed the failure code when TLS v1.1 and v1.2 is requested but not supported by older OpenSSL versions, following review from libcurl peers, and reduced the number of required preprocessor if statements.
* SSL: Added unsupported cipher version check for OpenSSLSteve Holme2013-10-161-0/+10
| | | | | | ...with the use of CURL_SSLVERSION_TLSv1_1 and CURL_SSLVERSION_TLSv1_2 being conditional on OpenSSL v1.0.1 as the appropriate flags are not supported under earlier versions.
* SSL: Corrected typo from commit 87861c9b0e8155Steve Holme2013-10-161-1/+1
|
* SSL: Fixed OpenSSL builds prior to v1.0.1Steve Holme2013-10-161-0/+8
| | | | | | Commit ad34a2d5c87c7f relies on definitions that are only present in OpenSSL v1.0.1 and up. This quick fix allows the builds that use older versions of OpenSSL to continue building.
* SSL: protocol version can be specified more preciselyGergely Nagy2013-10-151-14/+37
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1, CURL_SSLVERSION_TLSv1_2 enum values are added to force exact TLS version (CURL_SSLVERSION_TLSv1 means TLS 1.x). axTLS: axTLS only supports TLS 1.0 and 1.1 but it cannot be set that only one of these should be used, so we don't allow the new enum values. darwinssl: Added support for the new enum values. SChannel: Added support for the new enum values. CyaSSL: Added support for the new enum values. Bug: The original CURL_SSLVERSION_TLSv1 value enables only TLS 1.0 (it did the same before this commit), because CyaSSL cannot be configured to use TLS 1.0-1.2. GSKit: GSKit doesn't seem to support TLS 1.1 and TLS 1.2, so we do not allow those values. Bugfix: There was a typo that caused wrong SSL versions to be passed to GSKit. NSS: TLS minor version cannot be set, so we don't allow the new enum values. QsoSSL: TLS minor version cannot be set, so we don't allow the new enum values. OpenSSL: Added support for the new enum values. Bugfix: The original CURL_SSLVERSION_TLSv1 value enabled only TLS 1.0, now it enables 1.0-1.2. Command-line tool: Added command line options for the new values.
* OpenSSL: improve the grammar of the language in 39beaa5ffbccDaniel Stenberg2013-10-131-2/+2
| | | | Reported-by: Petr Pisar
* OpenSSL: use failf() when subjectAltName mismatchesAndrej E Baranov2013-10-131-0/+2
| | | | | | | Write to CURLOPT_ERRORBUFFER information about mismatch alternative certificate subject names. Signed-off-by: Andrej E Baranov <admin@andrej-andb.ru>
* OpenSSL: acknowledge CURLOPT_SSL_VERIFYHOST without VERIFYPEERDaniel Stenberg2013-10-021-1/+1
| | | | | | | | | Setting only CURLOPT_SSL_VERIFYHOST without CURLOPT_SSL_VERIFYPEER set should still verify that the host name fields in the server certificate is fine or return failure. Bug: http://curl.haxx.se/mail/lib-2013-10/0002.html Reported-by: Ishan SinghLevett
* ssluse.c: Fixed compilation warnings when ENGINE not supportedSteve Holme2013-09-281-1/+1
| | | | | The function "ssl_ui_reader" was declared but never referenced The function "ssl_ui_writer" was declared but never referenced
* openssl: use correct port number in error messageDaniel Stenberg2013-09-211-1/+1
| | | | | | | | | | | In ossl_connect_step2() when the "Unknown SSL protocol error" occurs, it would output the local port number instead of the remote one which showed when doing SSL over a proxy (but with the correct remote host name). As libcurl only speaks SSL to the remote we know it is the remote port. Bug: http://curl.haxx.se/bug/view.cgi?id=1281 Reported-by: Gordon Marler
* Pass password to OpenSSL engine by user interfacePetr Písař2013-09-071-1/+56
| | | | | | | | | | Recent OpenSSL uses user interface abstraction to negotiate access to private keys in the cryprographical engines. An OpenSSL application is expected to implement the user interface. Otherwise a default one provided by OpenSSL (interactive standard I/O) will be used and the aplication will have no way how to pass a password to the engine. Longer-desc: http://curl.haxx.se/mail/lib-2013-08/0265.html
* ssluse.c,sslgen.c,sslgen.h: move certinfo support to generic SSLPatrick Monnerat2013-07-151-86/+16
|
* ossl_recv: check for an OpenSSL error, don't assumeDaniel Stenberg2013-06-231-6/+12
| | | | | | | | | | | | | | | When we recently started to treat a zero return code from SSL_read() as an error we also got false positives - which primarily looks to be because the OpenSSL documentation is wrong and a zero return code is not at all an error case in many situations. Now ossl_recv() will check with ERR_get_error() to see if there is a stored error and only then consider it to be a true error if SSL_read() returned zero. Bug: http://curl.haxx.se/bug/view.cgi?id=1249 Reported-by: Nach M. S. Patch-by: Nach M. S.
* cert_stuff: avoid double free in the PKCS12 codeDaniel Stenberg2013-06-101-2/+13
| | | | | | | | | | | | | In the pkcs12 code, we get a list of x509 records returned from PKCS12_parse but when iterating over the list and passing each to SSL_CTX_add_extra_chain_cert() we didn't also properly remove them from the "stack", which made them get freed twice (both in sk_X509_pop_free() and then later in SSL_CTX_free). This isn't really documented anywhere... Bug: http://curl.haxx.se/bug/view.cgi?id=1236 Reported-by: Nikaiw
* cert_stuff: remove code duplication in the pkcs12 logicDaniel Stenberg2013-06-101-24/+12
|
* ossl_recv: SSL_read() returning 0 is an error tooMike Giancola2013-05-221-1/+1
| | | | | SSL_read can return 0 for "not successful", according to the open SSL documentation: http://www.openssl.org/docs/ssl/SSL_read.html
* ossl_send: SSL_write() returning 0 is an error tooMike Giancola2013-05-221-1/+1
| | | | | | | | | | | | | | | | | | | | We found that in specific cases if the connection is abruptly closed, the underlying socket is listed in a close_wait state. We continue to call the curl_multi_perform, curl_mutli_fdset etc. None of these APIs report the socket closed / connection finished. Since we have cases where the multi connection is only used once, this can pose a problem for us. I've read that if another connection was to come in, curl would see the socket as bad and attempt to close it at that time - unfortunately, this does not work for us. I found that in specific situations, if SSL_write returns 0, curl did not recognize the socket as closed (or errored out) and did not report it to the application. I believe we need to change the code slightly, to check if ssl_write returns 0. If so, treat it as an error - the same as a negative return code. For OpenSSL - the ssl_write documentation is here: http://www.openssl.org/docs/ssl/SSL_write.html
* servercert: allow empty subjectDaniel Stenberg2013-05-071-8/+1
| | | | | Bug: http://curl.haxx.se/bug/view.cgi?id=1220 Patch by: John Gardiner Myers
* ossl_seed: avoid recursive seeding!Daniel Stenberg2013-02-221-4/+2
|
* ossl_seed: fix the last resort PRNG seedingDaniel Stenberg2013-02-141-19/+6
| | | | | Instead of just abusing the pseudo-randomizer from Curl_FormBoundary(), this now uses Curl_ossl_random() to get entropy.
* always-multi: always use non-blocking internalsDaniel Stenberg2013-01-171-11/+1
| | | | | | | | | | Remove internal separated behavior of the easy vs multi intercace. curl_easy_perform() is now using the multi interface itself. Several minor multi interface quirks and bugs have been fixed in the process. Much help with debugging this has been provided by: Yang Tse
* build: fix circular header inclusion with other packagesYang Tse2013-01-091-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This commit renames lib/setup.h to lib/curl_setup.h and renames lib/setup_once.h to lib/curl_setup_once.h. Removes the need and usage of a header inclusion guard foreign to libcurl. [1] Removes the need and presence of an alarming notice we carried in old setup_once.h [2] ---------------------------------------- 1 - lib/setup_once.h used __SETUP_ONCE_H macro as header inclusion guard up to commit ec691ca3 which changed this to HEADER_CURL_SETUP_ONCE_H, this single inclusion guard is enough to ensure that inclusion of lib/setup_once.h done from lib/setup.h is only done once. Additionally lib/setup.h has always used __SETUP_ONCE_H macro to protect inclusion of setup_once.h even after commit ec691ca3, this was to avoid a circular header inclusion triggered when building a c-ares enabled version with c-ares sources available which also has a setup_once.h header. Commit ec691ca3 exposes the real nature of __SETUP_ONCE_H usage in lib/setup.h, it is a header inclusion guard foreign to libcurl belonging to c-ares's setup_once.h The renaming this commit does, fixes the circular header inclusion, and as such removes the need and usage of a header inclusion guard foreign to libcurl. Macro __SETUP_ONCE_H no longer used in libcurl. 2 - Due to the circular interdependency of old lib/setup_once.h and the c-ares setup_once.h header, old file lib/setup_once.h has carried back from 2006 up to now days an alarming and prominent notice about the need of keeping libcurl's and c-ares's setup_once.h in sync. Given that this commit fixes the circular interdependency, the need and presence of mentioned notice is removed. All mentioned interdependencies come back from now old days when the c-ares project lived inside a curl subdirectory. This commit removes last traces of such fact.
* Revert changes relative to lib/*.[ch] recent renamingYang Tse2013-01-061-0/+2736
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This reverts renaming and usage of lib/*.h header files done 28-12-2012, reverting 2 commits: f871de0... build: make use of 76 lib/*.h renamed files ffd8e12... build: rename 76 lib/*.h files This also reverts removal of redundant include guard (redundant thanks to changes in above commits) done 2-12-2013, reverting 1 commit: c087374... curl_setup.h: remove redundant include guard This also reverts renaming and usage of lib/*.c source files done 3-12-2013, reverting 3 commits: 13606bb... build: make use of 93 lib/*.c renamed files 5b6e792... build: rename 93 lib/*.c files 7d83dff... build: commit 13606bbfde follow-up 1 Start of related discussion thread: http://curl.haxx.se/mail/lib-2013-01/0012.html Asking for confirmation on pushing this revertion commit: http://curl.haxx.se/mail/lib-2013-01/0048.html Confirmation summary: http://curl.haxx.se/mail/lib-2013-01/0079.html NOTICE: The list of 2 files that have been modified by other intermixed commits, while renamed, and also by at least one of the 6 commits this one reverts follows below. These 2 files will exhibit a hole in history unless git's '--follow' option is used when viewing logs. lib/curl_imap.h lib/curl_smtp.h
* build: rename 93 lib/*.c filesYang Tse2013-01-031-2736/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 93 lib/*.c source files renamed to use our standard naming scheme. This commit only does the file renaming. ---------------------------------------- renamed: lib/amigaos.c -> lib/curl_amigaos.c renamed: lib/asyn-ares.c -> lib/curl_asyn_ares.c renamed: lib/asyn-thread.c -> lib/curl_asyn_thread.c renamed: lib/axtls.c -> lib/curl_axtls.c renamed: lib/base64.c -> lib/curl_base64.c renamed: lib/bundles.c -> lib/curl_bundles.c renamed: lib/conncache.c -> lib/curl_conncache.c renamed: lib/connect.c -> lib/curl_connect.c renamed: lib/content_encoding.c -> lib/curl_content_encoding.c renamed: lib/cookie.c -> lib/curl_cookie.c renamed: lib/cyassl.c -> lib/curl_cyassl.c renamed: lib/dict.c -> lib/curl_dict.c renamed: lib/easy.c -> lib/curl_easy.c renamed: lib/escape.c -> lib/curl_escape.c renamed: lib/file.c -> lib/curl_file.c renamed: lib/fileinfo.c -> lib/curl_fileinfo.c renamed: lib/formdata.c -> lib/curl_formdata.c renamed: lib/ftp.c -> lib/curl_ftp.c renamed: lib/ftplistparser.c -> lib/curl_ftplistparser.c renamed: lib/getenv.c -> lib/curl_getenv.c renamed: lib/getinfo.c -> lib/curl_getinfo.c renamed: lib/gopher.c -> lib/curl_gopher.c renamed: lib/gtls.c -> lib/curl_gtls.c renamed: lib/hash.c -> lib/curl_hash.c renamed: lib/hmac.c -> lib/curl_hmac.c renamed: lib/hostasyn.c -> lib/curl_hostasyn.c renamed: lib/hostcheck.c -> lib/curl_hostcheck.c renamed: lib/hostip.c -> lib/curl_hostip.c renamed: lib/hostip4.c -> lib/curl_hostip4.c renamed: lib/hostip6.c -> lib/curl_hostip6.c renamed: lib/hostsyn.c -> lib/curl_hostsyn.c renamed: lib/http.c -> lib/curl_http.c renamed: lib/http_chunks.c -> lib/curl_http_chunks.c renamed: lib/http_digest.c -> lib/curl_http_digest.c renamed: lib/http_negotiate.c -> lib/curl_http_negotiate.c renamed: lib/http_negotiate_sspi.c -> lib/curl_http_negotiate_sspi.c renamed: lib/http_proxy.c -> lib/curl_http_proxy.c renamed: lib/idn_win32.c -> lib/curl_idn_win32.c renamed: lib/if2ip.c -> lib/curl_if2ip.c renamed: lib/imap.c -> lib/curl_imap.c renamed: lib/inet_ntop.c -> lib/curl_inet_ntop.c renamed: lib/inet_pton.c -> lib/curl_inet_pton.c renamed: lib/krb4.c -> lib/curl_krb4.c renamed: lib/krb5.c -> lib/curl_krb5.c renamed: lib/ldap.c -> lib/curl_ldap.c renamed: lib/llist.c -> lib/curl_llist.c renamed: lib/md4.c -> lib/curl_md4.c renamed: lib/md5.c -> lib/curl_md5.c renamed: lib/memdebug.c -> lib/curl_memdebug.c renamed: lib/mprintf.c -> lib/curl_mprintf.c renamed: lib/multi.c -> lib/curl_multi.c renamed: lib/netrc.c -> lib/curl_netrc.c renamed: lib/non-ascii.c -> lib/curl_non_ascii.c renamed: lib/curl_non-ascii.h -> lib/curl_non_ascii.h renamed: lib/nonblock.c -> lib/curl_nonblock.c renamed: lib/nss.c -> lib/curl_nss.c renamed: lib/nwlib.c -> lib/curl_nwlib.c renamed: lib/nwos.c -> lib/curl_nwos.c renamed: lib/openldap.c -> lib/curl_openldap.c renamed: lib/parsedate.c -> lib/curl_parsedate.c renamed: lib/pingpong.c -> lib/curl_pingpong.c renamed: lib/polarssl.c -> lib/curl_polarssl.c renamed: lib/pop3.c -> lib/curl_pop3.c renamed: lib/progress.c -> lib/curl_progress.c renamed: lib/qssl.c -> lib/curl_qssl.c renamed: lib/rawstr.c -> lib/curl_rawstr.c renamed: lib/rtsp.c -> lib/curl_rtsp.c renamed: lib/security.c -> lib/curl_security.c renamed: lib/select.c -> lib/curl_select.c renamed: lib/sendf.c -> lib/curl_sendf.c renamed: lib/share.c -> lib/curl_share.c renamed: lib/slist.c -> lib/curl_slist.c renamed: lib/smtp.c -> lib/curl_smtp.c renamed: lib/socks.c -> lib/curl_socks.c renamed: lib/socks_gssapi.c -> lib/curl_socks_gssapi.c renamed: lib/socks_sspi.c -> lib/curl_socks_sspi.c renamed: lib/speedcheck.c -> lib/curl_speedcheck.c renamed: lib/splay.c -> lib/curl_splay.c renamed: lib/ssh.c -> lib/curl_ssh.c renamed: lib/sslgen.c -> lib/curl_sslgen.c renamed: lib/ssluse.c -> lib/curl_ssluse.c renamed: lib/strdup.c -> lib/curl_strdup.c renamed: lib/strequal.c -> lib/curl_strequal.c renamed: lib/strerror.c -> lib/curl_strerror.c renamed: lib/strtok.c -> lib/curl_strtok.c renamed: lib/strtoofft.c -> lib/curl_strtoofft.c renamed: lib/telnet.c -> lib/curl_telnet.c renamed: lib/tftp.c -> lib/curl_tftp.c renamed: lib/timeval.c -> lib/curl_timeval.c renamed: lib/transfer.c -> lib/curl_transfer.c renamed: lib/url.c -> lib/curl_url.c renamed: lib/version.c -> lib/curl_version.c renamed: lib/warnless.c -> lib/curl_warnless.c renamed: lib/wildcard.c -> lib/curl_wildcard.c ----------------------------------------
* build: make use of 93 lib/*.c renamed filesYang Tse2013-01-031-3/+3
| | | | | | 93 *.c source files renamed to use our standard naming scheme. This change affects 77 files in libcurl's source tree.
* build: make use of 76 lib/*.h renamed filesYang Tse2012-12-281-16/+16
| | | | | | 76 private header files renamed to use our standard naming scheme. This change affects 322 files in libcurl's source tree.
* setup_once.h: refactor inclusion of <unistd.h> and <sys/socket.h>Yang Tse2012-12-141-3/+0
| | | | Inclusion of top two most included header files now done in setup_once.h
* OpenSSL: Disable SSL/TLS compressionCristian Rodríguez2012-11-131-0/+4
| | | | | It either causes increased memory usage or exposes users to the "CRIME attack" (CVE-2012-4929)
* SSL: Several SSL-backend related fixesOscar Koeroo2012-11-081-67/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | axTLS: This will make the axTLS backend perform the RFC2818 checks, honoring the VERIFYHOST setting similar to the OpenSSL backend. Generic for OpenSSL and axTLS: Move the hostcheck and cert_hostcheck functions from the lib/ssluse.c files to make them genericly available for both the OpenSSL, axTLS and other SSL backends. They are now in the new lib/hostcheck.c file. CyaSSL: CyaSSL now also has the RFC2818 checks enabled by default. There is a limitation that the verifyhost can not be enabled exclusively on the Subject CN field comparison. This SSL backend will thus behave like the NSS and the GnuTLS (meaning: RFC2818 ok, or bust). In other words: setting verifyhost to 0 or 1 will disable the Subject Alt Names checks too. Schannel: Updated the schannel information messages: Split the IP address usage message from the verifyhost setting and changed the message about disabling SNI (Server Name Indication, used in HTTP virtual hosting) into a message stating that the Subject Alternative Names checks are being disabled when verifyhost is set to 0 or 1. As a side effect of switching off the RFC2818 related servername checks with SCH_CRED_NO_SERVERNAME_CHECK (http://msdn.microsoft.com/en-us/library/aa923430.aspx) the SNI feature is being disabled. This effect is not documented in MSDN, but Wireshark output clearly shows the effect (details on the libcurl maillist). PolarSSL: Fix the prototype change in PolarSSL of ssl_set_session() and the move of the peer_cert from the ssl_context to the ssl_session. Found this change in the PolarSSL SVN between r1316 and r1317 where the POLARSSL_VERSION_NUMBER was at 0x01010100. But to accommodate the Ubuntu PolarSSL version 1.1.4 the check is to discriminate between lower then PolarSSL version 1.2.0 and 1.2.0 and higher. Note: The PolarSSL SVN trunk jumped from version 1.1.1 to 1.2.0. Generic: All the SSL backends are fixed and checked to work with the ssl.verifyhost as a boolean, which is an internal API change.
* OpenSSL/servercert: use correct buffer size, not size of pointerDaniel Stenberg2012-11-061-3/+3
| | | | Bug: http://curl.haxx.se/bug/view.cgi?id=3579286
* CURLOPT_SSL_VERIFYHOST: stop supporting the 1 valueDaniel Stenberg2012-11-061-8/+3
| | | | | | | | | | | | | | | | | | | | | | After a research team wrote a document[1] that found several live source codes out there in the wild that misused the CURLOPT_SSL_VERIFYHOST option thinking it was a boolean, this change now bans 1 as a value and will make libcurl return error for it. 1 was never a sensible value to use in production but was introduced back in the days to help debugging. It was always documented clearly this way. 1 was never supported by all SSL backends in libcurl, so this cleanup makes the treatment of it unified. The report's list of mistakes for this option were all PHP code and while there's a binding layer between libcurl and PHP, the PHP team has decided that they have an as thin layer as possible on top of libcurl so they will not alter or specifically filter a 'TRUE' value for this particular option. I sympathize with that position. [1] = http://daniel.haxx.se/blog/2012/10/25/libcurl-claimed-to-be-dangerous/
* ssluse.c: md5.h is required for Curl_ossl_md5sumMarc Hoersken2012-10-081-0/+1
|
* ssluse.c: fix compiler warning: conversion to 'int' from 'size_t'Yang Tse2012-06-271-1/+1
| | | | | | Reported by Tatsuhiro Tsujikawa http://curl.haxx.se/mail/lib-2012-06/0371.html
* ossl_seed: remove leftover RAND_screen checkDaniel Stenberg2012-06-261-6/+0
| | | | | | | | | | Before commit 2dded8fedba (dec 2010) there was logic that used RAND_screen() at times and now I remove the leftover #ifdef check for it. The seeding code that uses Curl_FormBoundary() in ossl_seed() is dubious to keep since it hardly increases randomness but I fear I'll break something if I remove it now...
* SSL cleanup: use crypto functions through the sslgen layerDaniel Stenberg2012-06-261-0/+20
| | | | | | curl_ntlm_msgs.c would previously use an #ifdef maze and direct SSL-library calls instead of using the SSL layer we have for this purpose.
* Fix bad failf() and info() usageYang Tse2012-06-141-5/+5
| | | | | | | Calls to failf() are not supposed to provide trailing newline. Calls to infof() must provide trailing newline. Fixed 30 or so strings.
* OpenSSL: support longer certificate subject namesDaniel Stenberg2012-06-091-2/+2
| | | | | | | | Previously it would use a 256 byte buffer and thus cut off very long subject names. The limit is now upped to the receive buffer size, 16K. Bug: http://curl.haxx.se/bug/view.cgi?id=3533045 Reported by: Anthony G. Basile
* OpenSSL cert: provide more details when cert check failsGokhan Sengun2012-04-231-3/+13
| | | | | curl needs to be more chatty regarding certificate verification failure during SSL handshake
* OpenSSL: Made cert hostname check conform to RFC 6125Tatsuhiro Tsujikawa2012-04-011-27/+37
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | This change replaces RFC 2818 based hostname check in OpenSSL build with RFC 6125 [1] based one. The hostname check in RFC 2818 is ambiguous and each project implements it in the their own way and they are slightly different. I check curl, gnutls, Firefox and Chrome and they are all different. I don't think there is a bug in current implementation of hostname check. But it is not as strict as the modern browsers do. Currently, curl allows multiple wildcard character '*' and it matches '.'. (as described in the comment in ssluse.c). Firefox implementation is also based on RFC 2818 but it only allows at most one wildcard character and it must be in the left-most label in the pattern and the wildcard must not be followed by any character in the label.[2] Chromium implementation is based on RFC 6125 as my patch does. Firefox and Chromium both require wildcard in the left-most label in the presented identifier. This patch is more strict than the current implementation, so there may be some cases where old curl works but new one does not. But at the same time I think it is good practice to follow the modern browsers do and follow the newer RFC. [1] http://tools.ietf.org/html/rfc6125#section-6.4.3 [2] https://bugzilla.mozilla.org/show_bug.cgi?id=159483
* fix several compiler warningsYang Tse2012-03-221-7/+10
|
* fix some compiler warningsYang Tse2012-03-161-2/+3
|
* CURLOPT_SSL_OPTIONS: addedDaniel Stenberg2012-02-091-1/+4
| | | | | | | | | | | | | | | | | | Allow an appliction to set libcurl specific SSL options. The first and only options supported right now is CURLSSLOPT_ALLOW_BEAST. It will make libcurl to disable any work-arounds the underlying SSL library may have to address a known security flaw in the SSL3 and TLS1.0 protocol versions. This is a reaction to us unconditionally removing that behavior after this security advisory: http://curl.haxx.se/docs/adv_20120124B.html ... it did however cause a lot of programs to fail because of old servers not liking this work-around. Now programs can opt to decrease the security in order to interoperate with old servers better.
* OpenSSL: don't disable security work-aroundDaniel Stenberg2012-01-241-0/+11
| | | | | | | | | | | | | | | | OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to SSL_OP_ALL that _disables_ that work-around despite the fact that SSL_OP_ALL is documented to do "rather harmless" workarounds. The libcurl code uses the SSL_OP_ALL define and thus logically always disables the OpenSSL fix. In order to keep the secure work-around workding, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit must not be set and this change makes sure of this. Reported by: product-security at Apple
* OpenSSL: follow-up for commit a20daf90e3Yang Tse2012-01-191-2/+1
| | | | avoid checking preprocessor definition official value
* OpenSSL: fix PKCS#12 certificate parsing related memory leakJohannes Bauer2012-01-181-0/+6
| | | | | Leak triggered when CURLOPT_SSLCERTTYPE and CURLOPT_SSLKEYTYPE set to P12 and both CURLOPT_SSLCERT and CURLOPT_SSLKEY point to the same PKCS#12 file.
* OpenSSL: SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option is no longer enabledYang Tse2012-01-181-7/+21
| | | | | | | | | | | SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option enabling allowed successfull interoperability with web server Netscape Enterprise Server 2.0.1 released back in 1996 more than 15 years ago. Due to CVE-2010-4180, option SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG has become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate CVE-2010-4180 when using previous OpenSSL versions we no longer enable this option regardless of OpenSSL version and SSL_OP_ALL definition.
* OpenSSL: remove reference to openssl internal structPeter Sylvester2012-01-041-3/+4
| | | | | With this change, curl compiles with the new OPENSSL_NO_SSL_INTERN cflag. This flag might become the default in some distant future.
* OpenSSL: check for the SSLv2 function in configureDaniel Stenberg2011-12-061-0/+5
| | | | | | If no SSLv2 was detected in OpenSSL by configure, then we enforce the OPENSSL_NO_SSL2 define as it seems some people report it not being defined properly in the OpenSSL headers.