History log of /curl/lib/vtls/rustls.c (Results 51 – 75 of 79)
Revision Date Author Comments
# 472f1cbe 01-Sep-2022 Daniel Stenberg

NPN: remove support for and use of

Next Protocol Negotiation is a TLS extension that was created and used
for agreeing to use the SPDY protocol (the precursor to HTTP/2) for
HTTPS. In the early days of HTTP/2, before the spec was finalized and
shipped, the protocol could be enabled using this extension with some
servers.

curl supports the NPN extension with some TLS backends since then, with
a command line option `--npn` and in libcurl with
`CURLOPT_SSL_ENABLE_NPN`.

HTTP/2 proper is made to use the ALPN (Application-Layer Protocol
Negotiation) extension and the NPN extension has no purposes
anymore. The HTTP/2 spec was published in May 2015.

Today, use of NPN in the wild should be extremely rare and most likely
totally extinct. Chrome removed NPN support in Chrome 51, shipped in
June 2016. Removed in Firefox 53, April 2017.

Closes #9307



# ad9bc597 17-May-2022 max.mehl

copyright: make repository REUSE compliant

Add licensing and copyright information for all files in this repository. This
either happens in the file itself as a comment header or in the file
`.reuse/dep5`.

This commit also adds a Github workflow to check pull requests and adapts
copyright.pl to the changes.

Closes #8869



# 34ebf3f9 31-Mar-2022 Daniel Stenberg

vtls: use a generic "ALPN, server accepted" message

Closes #8657


# 55043b40 31-Mar-2022 Daniel Stenberg

vtls: use a backend standard message for "ALPN: offers %s"

I call it VTLS_INFOF_ALPN_OFFER_1STR, the '1str' meaning that the
infof() call also needs a string argument: the ALPN ID.

Closes #8657



# 3bc5b32d 30-Mar-2022 Daniel Stenberg

vtls: provide a unified ALPN-disagree string for all backends

Also rephrase to make it sound less dangerous:

"ALPN: server did not agree on a protocol. Uses default."

Reported-by: Nick Coghlan
Fixes #8643
Closes #8651



# ccc2752c 17-Feb-2022 MAntoniak <47522782+MAntoniak@users.noreply.github.com>

ssl: reduce allocated space for ssl backend when FTP is disabled

Add assert() for the backend pointer in many places

Closes #8471


# 2218c3a5 22-Jan-2022 Daniel Stenberg

vtls: pass on the right SNI name

The TLS backends convert the host name to SNI name and need to use that.
This involves cutting off any trailing dot and lowercasing.

Co-authored-by: Jay Satiro
Closes #8320

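
The two conversion rules named in the message above (drop the trailing dot, lowercase), together with the RFC 6066 rule that an IP literal gets no SNI at all, as an added example in C. This is hypothetical helper code written for this page, not curl's own vtls code; the names `sni_from_host` and `looks_like_ipv4` are invented for the example.

```c
/* Added example, not curl's code: derive the TLS SNI host name from a URL
 * host. Hypothetical helper names; only ASCII host names are handled. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* True when the first len bytes of h look like a dotted-quad IPv4 literal. */
static bool looks_like_ipv4(const char *h, size_t len)
{
  size_t dots = 0;
  for (size_t i = 0; i < len; i++) {
    if (h[i] == '.')
      dots++;
    else if (!isdigit((unsigned char)h[i]))
      return false;
  }
  return dots == 3;
}

/* Derive the SNI name from a host name:
 * - one trailing dot (FQDN notation) is removed
 * - ASCII letters are lowercased
 * - IP literals (IPv4, IPv6 with or without brackets) get no SNI (RFC 6066)
 * - only [A-Za-z0-9.-] with non-empty labels is accepted
 * Returns true and fills out when an SNI extension should be sent. */
bool sni_from_host(const char *host, char *out, size_t cap)
{
  size_t len = strlen(host);
  if (len && host[len - 1] == '.')
    len--;                                   /* "example.com." -> "example.com" */
  if (!len || len >= cap)
    return false;
  if (host[0] == '[' || memchr(host, ':', len) || looks_like_ipv4(host, len))
    return false;                            /* IP literal: no SNI */
  for (size_t i = 0; i < len; i++) {
    unsigned char c = (unsigned char)host[i];
    if (c == '.') {
      if (i == 0 || host[i - 1] == '.')      /* leading dot or empty label */
        return false;
    }
    else if (!isalnum(c) && c != '-')
      return false;
    out[i] = (char)tolower(c);
  }
  out[len] = '\0';
  return true;
}

int main(void)
{
  const char *hosts[] = { "Example.COM.", "192.168.0.1", "[::1]", "foo..bar" };
  char sni[256];
  for (size_t i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++)
    printf("%-14s -> %s\n", hosts[i],
           sni_from_host(hosts[i], sni, sizeof(sni)) ? sni : "(no SNI)");
  return 0;
}
```

Skipping SNI for IP literals matters because some servers reject or mis-route a handshake whose SNI is not a host name, and the lowercasing keeps session-cache and certificate-matching keys stable regardless of how the URL was typed.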


# 3be94d84 09-Jan-2022 Stephen M. Coakley

rustls: add CURLOPT_CAINFO_BLOB support

Add support for `CURLOPT_CAINFO_BLOB` and `CURLOPT_PROXY_CAINFO_BLOB` to the
rustls TLS backend. Multiple certificates in a single PEM string are
supported just like OpenSSL does with this option.

This is compatible at least with rustls-ffi 0.8+ which is our new
minimum version anyway.

I was able to build and run this on Windows, pulling trusted certs from
the system and then add them to rustls by setting
`CURLOPT_CAINFO_BLOB`. Handy!

Closes #8255

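
What accepting "multiple certificates in a single PEM string" entails, as an added example in C: split an in-memory bundle into its CERTIFICATE blocks, skip other PEM types and commentary, and refuse a damaged bundle instead of silently loading fewer roots. This is hypothetical code written for this page, not curl's or rustls-ffi's; `pem_split_certs`, `struct pem_cert` and the sample bundle (placeholder base64, not real certificates) are constructed for the example.

```c
/* Added example, not curl's or rustls' code: split a PEM CA bundle held in
 * memory into individual CERTIFICATE blocks. Hypothetical names throughout. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----"

struct pem_cert {
  const char *start;  /* points at the BEGIN marker inside the blob */
  size_t len;         /* length up to and including the END marker */
};

/* Only base64 characters, '=' padding and whitespace may appear between
 * the BEGIN and END markers; anything else means the bundle is damaged. */
static int body_is_base64(const char *p, const char *end)
{
  for (; p < end; p++) {
    char c = *p;
    if (!(('A' <= c && c <= 'Z') || ('a' <= c && c <= 'z') ||
          ('0' <= c && c <= '9') || c == '+' || c == '/' || c == '=' ||
          c == '\n' || c == '\r' || c == ' ' || c == '\t'))
      return 0;
  }
  return 1;
}

/* Split a NUL-terminated PEM bundle into its CERTIFICATE blocks. Other PEM
 * types and any text between blocks are skipped. Returns the number of
 * certificates found (only the first max are stored in out), or -1 when a
 * block is truncated, nested or has a non-base64 body: a damaged bundle must
 * fail loudly rather than quietly shrink the trust store. */
int pem_split_certs(const char *blob, struct pem_cert *out, size_t max)
{
  const size_t blen = strlen(PEM_BEGIN), elen = strlen(PEM_END);
  const char *p = blob;
  size_t n = 0;
  for (;;) {
    const char *b = strstr(p, PEM_BEGIN);
    if (!b)
      break;
    const char *body = b + blen;
    const char *e = strstr(body, PEM_END);
    const char *b2 = strstr(body, PEM_BEGIN);
    if (!e || (b2 && b2 < e))            /* END missing, or another BEGIN first */
      return -1;
    if (!body_is_base64(body, e))
      return -1;
    if (n < max) {
      out[n].start = b;
      out[n].len = (size_t)(e + elen - b);
    }
    n++;
    p = e + elen;
  }
  return (int)n;
}

/* Constructed sample bundle: two placeholder certificates (the base64 is not
 * a real certificate), a non-certificate block that must be skipped, and the
 * kind of comment lines a real bundle carries. */
#define CERT1 "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUAAAA\nQUJDREVGRw==\n-----END CERTIFICATE-----"
#define CERT2 "-----BEGIN CERTIFICATE-----\nMIIBtDCCAVqgAwIBAgIUBBBB\n-----END CERTIFICATE-----"
static const char sample_bundle[] =
  "# Constructed Root CA\n" CERT1 "\n\n"
  "-----BEGIN PRIVATE KEY-----\nNOTACERT\n-----END PRIVATE KEY-----\n"
  "# Constructed Intermediate CA\n" CERT2 "\n";
static const char truncated_bundle[] =
  CERT1 "\n-----BEGIN CERTIFICATE-----\nMIIB\n";

int main(void)
{
  struct pem_cert certs[8];
  int n = pem_split_certs(sample_bundle, certs, 8);
  printf("sample bundle: %d certificate(s)\n", n);
  for (int i = 0; i < n; i++)
    printf("  cert %d: %zu bytes\n", i, certs[i].len);
  printf("truncated bundle: %d\n", pem_split_certs(truncated_bundle, certs, 8));
  return 0;
}
```

The returned spans point into the caller's blob, so the caller can hand each block to the backend's PEM loader one at a time and report exactly which certificate failed to parse, rather than losing the whole bundle on one bad entry.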


# 21248e05 25-Dec-2021 Daniel Stenberg

checksrc: detect more kinds of NULL comparisons we avoid

Co-authored-by: Jay Satiro
Closes #8180


# 3f8fde36 19-Nov-2021 Jacob Hoffman-Andrews

rustls: remove comment about checking handshaking

The comment is incorrect in two ways:
- It says the check needs to be last, but the check is actually first.
- is_handshaking actually starts out true.

Closes #8038



# 00f4ed2a 13-Nov-2021 Jacob Hoffman-Andrews

rustls: read of zero bytes might be okay

When we're reading out plaintext from rustls' internal buffers, we might
get a read of zero bytes (meaning a clean TCP close, including
close_notify). However, we shouldn't return immediately when that
happens, since we may have already copied out some plaintext bytes.
Break out of the loop when we get a read of zero bytes, and figure out
which path we're dealing with.

Acked-by: Kevin Burke

Closes #8003



# be8d77b1 13-Nov-2021 Jacob Hoffman-Andrews

rustls: remove incorrect EOF check

The update to rustls-ffi 0.8.0 changed handling of EOF and close_notify.
From the CHANGELOG:

> Handling of unclean close and the close_notify TLS alert. Mirroring
> upstream changes, a rustls_connection now tracks TCP closed state like
> so: rustls_connection_read_tls considers a 0-length read from its
> callback to mean "TCP stream was closed by peer." If that happens
> before the peer sent close_notify, rustls_connection_read will return
> RUSTLS_RESULT_UNEXPECTED_EOF once the available plaintext bytes are
> exhausted. This is useful to protect against truncation attacks. Note:
> some TLS implementations don't send close_notify. If you are already
> getting length information from your protocol (e.g. Content-Length in
> HTTP) you may choose to ignore UNEXPECTED_EOF so long as the number of
> plaintext bytes was as expected.

That means we don't need to check for unclean EOF in `cr_recv()`,
because `process_new_packets()` will give us an error if appropriate.

Closes #8003



# 76d9e07c 04-Nov-2021 Daniel Stenberg

vtls/rustls: adapt to the updated rustls_version proto

Closes #7956


# 1fef5922 03-Nov-2021 Kevin Burke

vtls/rustls: handle RUSTLS_RESULT_PLAINTEXT_EMPTY

Previously we'd return CURLE_READ_ERROR if we received this, instead
of triggering the error handling logic that's present in the next if
block down.

After this change, curl requests to https://go.googlesource.com using
HTTP/2 complete successfully.

Fixes #7949
Closes #7948



# b7757c2b 03-Nov-2021 Kevin Burke

vtls/rustls: update to compile with rustls-ffi v0.8.0

Some method names, as well as the generated library name, were changed
in a recent refactoring.

Further, change the default configuration instructions to check for
Hyper in either "target/debug" or "target/release" - the latter
contains an optimized build configuration.

Fixes #7947
Closes #7948



# 0cc8fc88 10-Sep-2021 Daniel Stenberg

rustls: add strerror.h include

Follow-up to 2f0bb864c12


# 2f0bb864 08-Sep-2021 Daniel Stenberg

lib: don't use strerror()

We have and provide Curl_strerror() internally for a reason: strerror()
is not necessarily thread-safe so we should always try to avoid it.

Extended checksrc to warn for this, but feature the check disabled by
default and only enable it in lib/

Closes #7685



# e7416cfd 06-Jul-2021 Daniel Stenberg

infof: remove newline from format strings, always append it

- the data needs to be "line-based" anyway since it's also passed to the
debug callback/application

- it makes infof() work like failf() and consistency is good

- there's an assert that triggers on newlines in the format string

- Also removes a few instances of "..."

- Removes the code that would append "..." to the end of the data *iff*
it was truncated in infof()

Closes #7357



# 8fa0a298 14-Jun-2021 Jacob Hoffman-Andrews

rustls: remove native_roots fallback

For the commandline tool, we expect to be passed
SSL_CONN_CONFIG(CAfile); for library use, the user should pass a set of
trusted roots (like in other TLS backends).

This also removes a dependency on Security.framework when building on
macOS.

Closes #7250



# a62e6435 15-May-2021 Jacob Hoffman-Andrews

rustls: switch read_tls and write_tls to callbacks

And update to 0.6.0, including a rename from session to connection for
many fields.

Closes #7071


# 7f4a9a9b 05-May-2021 Harry Sintonen

openssl: associate/detach the transfer from connection

CVE-2021-22901

Bug: https://curl.se/docs/CVE-2021-22901.html


# 8228002c 25-Apr-2021 Jacob Hoffman-Andrews

rustls: use ALPN

Update required rustls to 0.5.0

Closes #6960


# 063d3f3b 19-Apr-2021 Daniel Stenberg

tidy-up: make conditional checks more consistent

... remove '== NULL' and '!= 0'

Closes #6912


# 40d2d39f 14-Apr-2021 Javier Blazquez

rustls: only return CURLE_AGAIN when TLS session is fully drained

The code in cr_recv was returning prematurely as soon as the socket
reported no more data to read. However, this could be leaving some
unread plaintext data in the rustls session from a previous call,
causing the transfer to hang if the socket never receives
further data.

We need to ensure that the session is fully drained of plaintext data
before returning CURLE_AGAIN to the caller.

Reviewed-by: Jacob Hoffman-Andrews
Closes #6894



Revision tags: curl-7_76_1, curl-7_76_0
# 7488ef29 18-Mar-2021 Jacob Hoffman-Andrews

rustls: Handle close_notify.

If we get a close_notify, treat that as EOF. If we get an EOF from the
TCP stream, treat that as an error (because we should have ended the
connection earlier, when we got a close_notify).

Closes #6763

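
The receive-loop behaviour described across four of the rustls commits on this page, as one added model in C: 40d2d39f (drain buffered plaintext before returning CURLE_AGAIN), 00f4ed2a (a zero-byte read after some bytes were already copied is not an error), and be8d77b1 together with 7488ef29 (close_notify is a clean EOF, while a TCP close without close_notify is an error, raised only once the already-decrypted bytes have been handed out). This is hypothetical code written for this page, not curl's cr_recv() and not the rustls-ffi API; the scripted "wire" events and the names `tls_recv`, `sess_pull` and `struct sess` are constructed for the example.

```c
/* Added example, not curl's or rustls-ffi's code: a model of a TLS backend
 * receive loop with the ordering the commits above settled on. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum rv { RV_OK = 0, RV_AGAIN, RV_READ_ERROR };

/* Scripted stand-ins for what arrives on the TCP stream (constructed input):
 * decrypted application data, "nothing readable now", a close_notify alert,
 * or the peer closing TCP outright. */
enum ev_kind { EV_DATA, EV_WOULD_BLOCK, EV_CLOSE_NOTIFY, EV_EOF };
struct ev { enum ev_kind kind; const char *data; };

struct sess {
  char plain[256];          /* decrypted bytes not yet handed to the caller */
  size_t plain_len;
  const struct ev *wire;    /* scripted socket events */
  size_t nwire, next;
  int close_notify_seen;    /* peer announced a clean end of stream */
  int tcp_eof;              /* peer closed TCP without close_notify */
};

static void sess_init(struct sess *s, const struct ev *wire, size_t n)
{
  memset(s, 0, sizeof(*s));
  s->wire = wire;
  s->nwire = n;
}

/* Pull the next "record" off the socket and decrypt it into s->plain.
 * Returns 0 when the socket would block, 1 when something was consumed. */
static int sess_pull(struct sess *s)
{
  if (s->next >= s->nwire)
    return 0;
  const struct ev *e = &s->wire[s->next++];
  switch (e->kind) {
  case EV_DATA: {
    size_t room = sizeof(s->plain) - s->plain_len;
    size_t n = strlen(e->data);
    if (n > room)
      n = room;
    memcpy(s->plain + s->plain_len, e->data, n);
    s->plain_len += n;
    return 1;
  }
  case EV_CLOSE_NOTIFY: s->close_notify_seen = 1; return 1;
  case EV_EOF:          s->tcp_eof = 1;          return 1;
  case EV_WOULD_BLOCK:
  default:              return 0;
  }
}

/* Returns the number of bytes copied into buf (0 means clean EOF), or -1
 * with *err set. RV_AGAIN is reported only when nothing at all could be
 * delivered; RV_READ_ERROR only once buffered plaintext is exhausted. */
long tls_recv(struct sess *s, char *buf, size_t cap, enum rv *err)
{
  size_t copied = 0;
  *err = RV_OK;
  while (copied < cap) {
    if (s->plain_len) {                     /* 1. drain buffered plaintext first */
      size_t n = s->plain_len < cap - copied ? s->plain_len : cap - copied;
      memcpy(buf + copied, s->plain, n);
      memmove(s->plain, s->plain + n, s->plain_len - n);
      s->plain_len -= n;
      copied += n;
      continue;
    }
    if (s->close_notify_seen)               /* 2. clean EOF: return what we have */
      break;
    if (s->tcp_eof) {                       /* 3. unclean EOF (possible truncation) */
      if (copied)
        break;                              /*    ...but deliver buffered bytes first */
      *err = RV_READ_ERROR;
      return -1;
    }
    if (!sess_pull(s)) {                    /* 4. socket would block */
      if (copied)
        break;                              /*    progress was made: not AGAIN */
      *err = RV_AGAIN;
      return -1;
    }
  }
  return (long)copied;
}

int main(void)
{
  static const struct ev script[] = { { EV_DATA, "hello" }, { EV_WOULD_BLOCK, NULL } };
  struct sess s; char buf[16]; enum rv err;
  sess_init(&s, script, 2);
  printf("first call:  %ld bytes\n", tls_recv(&s, buf, 3, &err));
  printf("second call: %ld bytes (buffered plaintext delivered before AGAIN)\n",
         tls_recv(&s, buf, sizeof(buf), &err));
  return 0;
}
```

The pre-fix bug from 40d2d39f is the case where step 4 ran before step 1: the socket reports nothing readable, the function returns AGAIN, and the "lo" still sitting in the plaintext buffer is never delivered unless the peer happens to send more. The truncation defence from be8d77b1 is step 3: an abrupt TCP close is surfaced as an error, but not before every byte that was legitimately decrypted has been handed to the caller.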

