472f1cbe | 01-Sep-2022 | Daniel Stenberg | NPN: remove support for and use of Next Protocol Negotiation is a TLS extension that was created and used for agreeing to use the SPDY protocol (the precursor to HTTP/2) for HTTPS. In the early days of HTTP/2, before the spec was finalized and shipped, the protocol could be enabled using this extension with some servers. curl supports the NPN extension with some TLS backends since then, with a command line option `--npn` and in libcurl with `CURLOPT_SSL_ENABLE_NPN`. HTTP/2 proper is made to use the ALPN (Application-Layer Protocol Negotiation) extension and the NPN extension has no purposes anymore. The HTTP/2 spec was published in May 2015. Today, use of NPN in the wild should be extremely rare and most likely totally extinct. Chrome removed NPN support in Chrome 51, shipped in June 2016. Removed in Firefox 53, April 2017. Closes #9307
ad9bc597 | 17-May-2022 | max.mehl | copyright: make repository REUSE compliant Add licensing and copyright information for all files in this repository. This either happens in the file itself as a comment header or in the file `.reuse/dep5`. This commit also adds a Github workflow to check pull requests and adapts copyright.pl to the changes. Closes #8869
34ebf3f9 | 31-Mar-2022 | Daniel Stenberg | vtls: use a generic "ALPN, server accepted" message Closes #8657
55043b40 | 31-Mar-2022 | Daniel Stenberg | vtls: use a backend standard message for "ALPN: offers %s" I call it VTLS_INFOF_ALPN_OFFER_1STR, the '1str' meaning that the infof() call also needs a string argument: the ALPN ID. Closes #8657
3bc5b32d | 30-Mar-2022 | Daniel Stenberg | vtls: provide a unified ALPN-disagree string for all backends Also rephrase to make it sound less dangerous: "ALPN: server did not agree on a protocol. Uses default." Reported-by: Nick Coghlan Fixes #8643 Closes #8651
ccc2752c | 17-Feb-2022 | MAntoniak <47522782+MAntoniak@users.noreply.github.com> | ssl: reduce allocated space for ssl backend when FTP is disabled Add assert() for the backend pointer in many places Closes #8471
2218c3a5 | 22-Jan-2022 | Daniel Stenberg | vtls: pass on the right SNI name The TLS backends convert the host name to SNI name and need to use that. This involves cutting off any trailing dot and lowercasing. Co-authored-by: Jay Satiro Closes #8320
3be94d84 | 09-Jan-2022 | Stephen M. Coakley | rustls: add CURLOPT_CAINFO_BLOB support Add support for `CURLOPT_CAINFO_BLOB` `CURLOPT_PROXY_CAINFO_BLOB` to the rustls TLS backend. Multiple certificates in a single PEM string are supported just like OpenSSL does with this option. This is compatible at least with rustls-ffi 0.8+ which is our new minimum version anyway. I was able to build and run this on Windows, pulling trusted certs from the system and then add them to rustls by setting `CURLOPT_CAINFO_BLOB`. Handy! Closes #8255
21248e05 | 25-Dec-2021 | Daniel Stenberg | checksrc: detect more kinds of NULL comparisons we avoid Co-authored-by: Jay Satiro Closes #8180
3f8fde36 | 19-Nov-2021 | Jacob Hoffman-Andrews | rustls: remove comment about checking handshaking The comment is incorrect in two ways: - It says the check needs to be last, but the check is actually first. - is_handshaking actually starts out true. Closes #8038
00f4ed2a | 13-Nov-2021 | Jacob Hoffman-Andrews | rustls: read of zero bytes might be okay When we're reading out plaintext from rustls' internal buffers, we might get a read of zero bytes (meaning a clean TCP close, including close_notify). However, we shouldn't return immediately when that happens, since we may have already copied out some plaintext bytes. Break out of the loop when we get a read of zero bytes, and figure out which path we're dealing with. Acked-by: Kevin Burke Closes #8003
be8d77b1 | 13-Nov-2021 | Jacob Hoffman-Andrews | rustls: remove incorrect EOF check The update to rustls-ffi 0.8.0 changed handling of EOF and close_notify. From the CHANGELOG: > Handling of unclean close and the close_notify TLS alert. Mirroring > upstream changes, a rustls_connection now tracks TCP closed state like > so: rustls_connection_read_tls considers a 0-length read from its > callback to mean "TCP stream was closed by peer." If that happens > before the peer sent close_notify, rustls_connection_read will return > RUSTLS_RESULT_UNEXPECTED_EOF once the available plaintext bytes are > exhausted. This is useful to protect against truncation attacks. Note: > some TLS implementations don't send close_notify. If you are already > getting length information from your protocol (e.g. Content-Length in > HTTP) you may choose to ignore UNEXPECTED_EOF so long as the number of > plaintext bytes was as expected. That means we don't need to check for unclean EOF in `cr_recv()`, because `process_new_packets()` will give us an error if appropriate. Closes #8003
76d9e07c | 04-Nov-2021 | Daniel Stenberg | vtls/rustls: adapt to the updated rustls_version proto Closes #7956
1fef5922 | 03-Nov-2021 | Kevin Burke | vtls/rustls: handle RUSTLS_RESULT_PLAINTEXT_EMPTY Previously we'd return CURLE_READ_ERROR if we received this, instead of triggering the error handling logic that's present in the next if block down. After this change, curl requests to https://go.googlesource.com using HTTP/2 complete successfully. Fixes #7949 Closes #7948
b7757c2b | 03-Nov-2021 | Kevin Burke | vtls/rustls: update to compile with rustls-ffi v0.8.0 Some method names, as well as the generated library name, were changed in a recent refactoring. Further, change the default configuration instructions to check for Hyper in either "target/debug" or "target/release" - the latter contains an optimized build configuration. Fixes #7947 Closes #7948
0cc8fc88 | 10-Sep-2021 | Daniel Stenberg | rustls: add strerror.h include Follow-up to 2f0bb864c12
2f0bb864 | 08-Sep-2021 | Daniel Stenberg | lib: don't use strerror() We have and provide Curl_strerror() internally for a reason: strerror() is not necessarily thread-safe so we should always try to avoid it. Extended checksrc to warn for this, but feature the check disabled by default and only enable it in lib/ Closes #7685
e7416cfd | 06-Jul-2021 | Daniel Stenberg | infof: remove newline from format strings, always append it - the data needs to be "line-based" anyway since it's also passed to the debug callback/application - it makes infof() work like failf() and consistency is good - there's an assert that triggers on newlines in the format string - Also removes a few instances of "..." - Removes the code that would append "..." to the end of the data *iff* it was truncated in infof() Closes #7357
8fa0a298 | 14-Jun-2021 | Jacob Hoffman-Andrews | rustls: remove native_roots fallback For the commandline tool, we expect to be passed SSL_CONN_CONFIG(CAfile); for library use, the user should pass a set of trusted roots (like in other TLS backends). This also removes a dependency on Security.framework when building on macOS. Closes #7250
a62e6435 | 15-May-2021 | Jacob Hoffman-Andrews | rustls: switch read_tls and write_tls to callbacks And update to 0.6.0, including a rename from session to connection for many fields. Closes #7071
7f4a9a9b | 05-May-2021 | Harry Sintonen | openssl: associate/detach the transfer from connection CVE-2021-22901 Bug: https://curl.se/docs/CVE-2021-22901.html
8228002c | 25-Apr-2021 | Jacob Hoffman-Andrews | rustls: use ALPN Update required rustls to 0.5.0 Closes #6960
063d3f3b | 19-Apr-2021 | Daniel Stenberg | tidy-up: make conditional checks more consistent ... remove '== NULL' and '!= 0' Closes #6912
40d2d39f | 14-Apr-2021 | Javier Blazquez | rustls: only return CURLE_AGAIN when TLS session is fully drained The code in cr_recv was returning prematurely as soon as the socket reported no more data to read. However, this could be leaving some unread plaintext data in the rustls session from a previous call, causing the transfer to hang if the socket never receives further data. We need to ensure that the session is fully drained of plaintext data before returning CURLE_AGAIN to the caller. Reviewed-by: Jacob Hoffman-Andrews Closes #6894
Revision tags: curl-7_76_1, curl-7_76_0
7488ef29 | 18-Mar-2021 | Jacob Hoffman-Andrews | rustls: Handle close_notify. If we get a close_notify, treat that as EOF. If we get an EOF from the TCP stream, treat that as an error (because we should have ended the connection earlier, when we got a close_notify). Closes #6763