History log of /curl/lib/vquic/vquic-tls.c (Results 1 – 12 of 12)
Revision Date Author Comments
# 5dd8f13b 27-May-2024 Stefan Eissing

gnutls: support CA caching

- similar to openssl, use a shared 'credentials' instance
among TLS connections with a plain configuration.
- different to openssl, a connection with a client certificate
is not eligible to sharing.
- document CURLOPT_CA_CACHE_TIMEOUT in man page

Closes #13795


# 08872971 13-May-2024 Viktor Szakats

lib/v*: tidy up types and casts

Also add a couple of negative checks.

Cherry-picked from #13489
Closes #13622


# 80aa5195 01-Jun-2024 Daniel Stenberg

wolfssl: support CA caching

As a bonus, add SSLSUPP_CA_CACHE to let TLS backends signal their support
for this so that *setopt() returns an error if there is no support.

Closes #13786


# 4c46e277 16-May-2024 Juliusz Sosinowicz

vquic-tls: use correct cert name check API for wolfSSL

wolfSSL_X509_check_host checks the peer name against the alt names and
the common name.

Fixes #13487
Closes #13680


# b06619d0 26-Apr-2024 Stefan Eissing

tests: add SNI and peer name checks

- connect to DNS names with trailing dot
- connect to DNS names with double trailing dot
- rustls, always give `peer->hostname` and let it
figure out SNI itself
- add SNI tests for ip address and localhost
- document in code and TODO that QUIC with ngtcp2+wolfssl
does not do proper peer verification of the certificate
- mbedtls, skip tests with ip address verification as not
supported by the library

Closes #13486


# 49f83c30 11-Apr-2024 Viktor Szakats

lib: merge `ENABLE_QUIC` C macro into `USE_HTTP3`

Before this patch `lib/curl_setup.h` defined these two macros right
next to each other, then the source code used them interchangeably.

After this patch, `USE_HTTP3` guards all HTTP/3 / QUIC features.
(Like `USE_HTTP2` does for HTTP/2.) `ENABLE_QUIC` is no longer used.

This patch doesn't change the way HTTP/3 is enabled via autotools
or CMake. Builders who enabled HTTP/3 manually by defining both of
these macros via `CPPFLAGS` can now delete `-DENABLE_QUIC`.

Closes #13352


# 8cee4c92 10-Apr-2024 Stefan Eissing

gnutls: lazy init the trust settings

- delay loading of trust anchors and CRLs after the ClientHello
has been sent off
- add tracing to IO operations
- on IO errors, return the CURLcode of the underlying filter

Closes #13339


# 32101010 22-Mar-2024 Stefan Eissing

tls: use shared init code for TCP+QUIC

Closes #13172


# 181f5f33 13-Mar-2024 Jay Satiro

vquic-tls: fix the error code returned for bad CA file

- Return CURLE_SSL_CACERT_BADFILE if wolfSSL encounters a problem
reading the cert file or path.

This is a follow-up to the parent commit aedbbdf1.

Reported-by: Karthikdasari0423@users.noreply.github.com

Fixes https://github.com/curl/curl/issues/13115


# aedbbdf1 11-Mar-2024 Daniel Stenberg

vquic-tls: return appropriate errors on wolfSSL errors

Reported-by: Dexter Gerig
Closes #13107


# 0535f6ec 18-Jan-2024 Stefan Eissing

http3: initial support for OpenSSL 3.2 QUIC stack

- HTTP/3 for curl using OpenSSL's own QUIC stack together
with nghttp3
- configure with `--with-openssl-quic` to enable curl to
build this. This requires the nghttp3 library
- implementation with the following restrictions:
* macOS has to use an unconnected UDP socket due to an
issue in OpenSSL's datagram implementation
See https://github.com/openssl/openssl/issues/23251
This makes connections to non-responsive servers hang.
* GET requests will send the indicator that they have
no body in a separate QUIC packet. This may result
in processing delays or Transfer-Encodings on proxied
requests
* uploads that encounter blocks will use 100% cpu as
detection of these flow control issues is not working
(we have not figured out how to pry that from OpenSSL).

Closes #12734


# 5d044ad9 09-Jan-2024 Stefan Eissing

vquic: extract TLS setup into own source

- separate ngtcp2 specific parts out
- provide callback during init to allow ngtcp2 to apply its defaults

Closes #12678