57cc5233 | 26-Sep-2024 | Dan Fandrich
tests: enable additional ruff Python lint options
These all seem reasonable to enable for this code.

0f7ba5c5 | 26-Sep-2024 | Dan Fandrich
tests: change Python code style to pass ruff checks
Most of the changes consisted of removing unused imports and unnecessary f-strings.

d83b528a | 10-Sep-2024 | Viktor Szakats
tidy-up: spelling
C89, Schannel, Secure Transport, contractions.
Cherry-picked from #14692
Closes #14996

0cbfce80 | 20-Aug-2024 | Jan Venekamp <1422460+jan2000@users.noreply.github.com>
tests: add test_17_09_ssl_min_max
Test setting all combinations of --tlsv1.x and --tls-max.
Closes #14590

3ca38f9a | 20-Aug-2024 | Jan Venekamp <1422460+jan2000@users.noreply.github.com>
tests: improve test_17_07_ssl_ciphers
Change TLS proto version on the test httpd server to test setting combinations of --tls13-ciphers and --ciphers. To not let the changed config of the httpd server bleed into the next test, clean and reload on each test. Because a reload is slow, only do this if the config is different than the loaded config. For this the httpd.reload_if_config_changed() method is added.
Overloading of autouse fixtures does not seem to work. For the test httpd server to be reloaded with a clean config in test_18_methods, to not be affected by the config changes in test_17_ssl_use, the two class scope fixtures of test_18_methods are now combined.
Closes #14589

c5cb8e7c | 19-Aug-2024 | Viktor Szakats
tidy-up: spelling quiche and Rustls
Closes #14605

1e03d4bc | 13-Aug-2024 | Jan Venekamp <1422460+jan2000@users.noreply.github.com>
rustls: add support for setting TLS version and ciphers
Add support for CURLOPT_SSLVERSION, CURLOPT_TLS13_CIPHERS and CURLOPT_SSL_CIPHER_LIST.
Closes #14535

68dad8c4 | 12-Aug-2024 | Stefan Eissing
test httpd, tweak cipher list
Configure the AES 256 instead of the AES 128 cipher in the test httpd to make scorecard testing between httpd and caddy more comparable. Adapt test_17 expectations, now that AES 128 can no longer, but 256 can now be negotiated.
Closes #14502

902d9a1d | 09-Aug-2024 | Jan Venekamp <1422460+jan2000@users.noreply.github.com>
wolfssl: fix CURLOPT_SSLVERSION
Before, setting CURLOPT_SSLVERSION with wolfSSL restricted the tls proto to just the specified version. Now it properly supports a range. So it can set the min and max tls proto (max requires wolfSSL 4.2.0).
Bump the absolute minimum required version of wolfSSL to 3.4.6 (released 2015) because it is needed for the wolfSSL_CTX_SetMinVersion() function.
Closes #14480

4c128924 | 04-Aug-2024 | Jan Venekamp <1422460+jan2000@users.noreply.github.com>
wolfssl: add CURLOPT_TLS13_CIPHERS support
Bring setting ciphers with WolfSSL in line with other SSL backends, to make the curl interface more consistent across the backends.
Now the tls1.3 ciphers are set with the --tls13-ciphers option, when not set the default tls1.3 ciphers are used. The tls1.2 (1.1, 1.0) ciphers are set with the --ciphers option, when not set the default tls1.2 ciphers are used. The ciphers available for the connection are now a union of the tls1.3 and tls1.2 ciphers.
This changes the behaviour for WolfSSL when --ciphers is set, but --tls13-ciphers is not set. Now the ciphers set with --ciphers are combined with the default tls1.3 ciphers, whereas before solely the ciphers of --ciphers were used. Thus before when no tls1.3 ciphers were specified in --ciphers, tls1.3 was completely disabled. This might not be what the user expected, especially as this does not happen with OpenSSL.
Closes #14385

3f7dc8a4 | 04-Aug-2024 | Jan Venekamp <1422460+jan2000@users.noreply.github.com>
mbedtls: add CURLOPT_TLS13_CIPHERS support
Bring setting ciphers with mbedTLS in line with other SSL backends, to make the curl interface more consistent across the backends.
Now the tls1.3 ciphers are set with the --tls13-ciphers option, when not set the default tls1.3 ciphers are used. The tls1.2 (1.1, 1.0) ciphers are set with the --ciphers option, when not set the default tls1.2 ciphers are used. The ciphers available for the connection are now a union of the tls1.3 and tls1.2 ciphers.
This changes the behaviour for mbedTLS when --ciphers is set, but --tls13-ciphers is not set. Now the ciphers set with --ciphers are combined with the default tls1.3 ciphers, whereas before solely the ciphers of --ciphers were used. Thus before when no tls1.3 ciphers were specified in --ciphers, tls1.3 was completely disabled. This might not be what the user expected, especially as this does not happen with OpenSSL.
Closes #14384

eec908bb | 04-Aug-2024 | Jan Venekamp <1422460+jan2000@users.noreply.github.com>
revert "tests/http: configure test httpd to honor client cipher order"
revert f6cb3c63 #14338
Setting SSLHonorCipherOrder to on means it honors the server cipher order. From the documentation: "When choosing a cipher during an SSLv3 or TLSv1 handshake, normally the client's preference is used. If this directive is enabled, the server's preference will be used instead."
Also the commit inhibits test_17_07_ssl_ciphers. The test tries to test if all the ciphers specified, and only those, are properly set in curl. For that to work we need to have cases where some or all ciphers do not intersect with the cipher-set of the server. We need to be able to assert a failed connection based on a cipher set mismatch. That is why a restricted set of ciphers is used on the server. This set is so chosen that it contains the well known most secure ciphers. Except with the slower aes256 variant intentionally left out, to be able to test what is described above.
As test_17_07_ssl_ciphers is currently the only test that tests the functioning of the --ciphers and --tls13-ciphers options, it is important that its coverage is as good as possible.
Closes #14381

f6cb3c63 | 01-Aug-2024 | Stefan Eissing
tests/http: configure test httpd to honor client cipher order
Let the client, e.g. curl, influence the cipher selected in a TLS handshake. TLS backends have different preferences and honor that in httpd the same as Caddy does. Also makes for a fairer comparison of different TLS backends.
Closes #14338

6343034d | 12-Jul-2024 | Viktor Szakats
tidy-up: adjust casing of project names
Mostly TLS/SSH project name.
Closes #14160

185a05e9 | 28-Jun-2024 | Stefan Eissing
ngtcp2+quictls: fix cert-status use
- add test for --cert-status on all http versions
Reported-by: Dexter Gerig
Fixes #14049
Closes #14050

6b93190f | 14-Jun-2024 | Daniel Stenberg
gnutls: pass in SNI name, not hostname when checking cert
The function we use is called 'gnutls_x509_crt_check_hostname()' but if we pass in the hostname with a trailing dot, the check fails. If we pass in the SNI name, which cannot have a trailing dot, it succeeds for https://pyropus.ca./
I consider this as a flaw in GnuTLS and have submitted this issue upstream: https://gitlab.com/gnutls/gnutls/-/issues/1548
In order to work with old and existing GnuTLS versions, we still need this change no matter how they view the issue or might change it in the future.
Fixes #13428
Reported-by: Ryan Carsten Schmidt
Closes #13949

5f9017d4 | 31-May-2024 | Stefan Eissing
mbedtls: v3.6.0 workarounds
- add special sauce to disable unwanted peer verification by mbedtls when negotiating TLS v1.3
- add special sauce for MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET return code on *writing* TLS data. We assume the data had not been written and EAGAIN.
- return correct Curl error code when peer verification failed.
- disable test_08_05 with 50 HTTP/1.1 connections, as mbedtls reports a memory allocation failed during handshake.
- bump CI mbedtls version to 3.6.0
Fixes #13653
Closes #13838

74e0bb1e | 25-May-2024 | Jan Venekamp <1422460+jan2000@users.noreply.github.com>
tests: add pytest for --ciphers and --tls13-ciphers options
Closes #13530

27ae00d2 | 25-May-2024 | Jan Venekamp <1422460+jan2000@users.noreply.github.com>
tests: test_17_ssl_use.py clarify mbedtls TLSv1.3 support
Closes #13779

4eb4d660 | 14-May-2024 | Viktor Szakats
tidy-up: whitespace [ci skip]

1ea7dce0 | 08-Feb-2024 | Michał Antoniak <47522782+MAntoniak@users.noreply.github.com>
mbedtls: support TLS 1.3
Closes #13539

b06619d0 | 26-Apr-2024 | Stefan Eissing
tests: add SNI and peer name checks
- connect to DNS names with trailing dot
- connect to DNS names with double trailing dot
- rustls, always give `peer->hostname` and let it figure out SNI itself
- add SNI tests for ip address and localhost
- document in code and TODO that QUIC with ngtcp2+wolfssl does not do proper peer verification of the certificate
- mbedtls, skip tests with ip address verification as not supported by the library
Closes #13486

fb22459d | 26-Apr-2024 | Stefan Eissing
vtls: TLS session storage overhaul
- add session with destructor callback
- remove vtls `session_free` method
- let `Curl_ssl_addsessionid()` take ownership of session object, freeing it also on failures
- change tls backend use
- test_17, add tests for SSL session resumption
Closes #13386