c31041b1 | 07-Jun-2024 | Stefan Eissing
connection: shutdown TLS (for FTP) better

This adds connection shutdown infrastructure and first use for FTP. FTP data connections, when not encountering an error, are now shut down in a blocking way with a 2sec timeout.
- add cfilter `Curl_cft_shutdown` callback
- keep a shutdown start timestamp and timeout at connectdata
- provide shutdown timeout default and member in `data->set.shutdowntimeout`.
- provide methods for starting, interrogating and clearing shutdown timers
- provide `Curl_conn_shutdown_blocking()` to shutdown the `sockindex` filter chain in a blocking way. Use that in FTP.
- add `Curl_conn_cf_poll()` to wait for socket events during shutdown of a connection filter chain. This gets the monitoring sockets and events via the filters' "adjust_pollset()" methods. This gives correct behaviour when shutting down a TLS connection through an HTTP/2 proxy.
- Implement shutdown for all socket filters
  - for HTTP/2 and h2 proxying to send GOAWAY
  - for TLS backends to the best of their capabilities
  - for tcp socket filter to make a final, nonblocking receive to avoid unwanted RST states
- add shutdown forwarding to happy eyeballers and https connect ballers when applicable.
Closes #13904

5dd8f13b | 27-May-2024 | Stefan Eissing
gnutls: support CA caching

- similar to openssl, use a shared 'credentials' instance among TLS connections with a plain configuration.
- different from openssl, a connection with a client certificate is not eligible for sharing.
- document CURLOPT_CA_CACHE_TIMEOUT in man page
Closes #13795

8cee4c92 | 10-Apr-2024 | Stefan Eissing
gnutls: lazy init the trust settings

- delay loading of trust anchors and CRLs after the ClientHello has been sent off
- add tracing to IO operations
- on IO errors, return the CURLcode of the underlying filter
Closes #13339

32101010 | 22-Mar-2024 | Stefan Eissing
tls: use shared init code for TCP+QUIC
Closes #13172

fa714830 | 17-Nov-2023 | Stefan Eissing
vtls/vquic, keep peer name information together

- add `struct ssl_peer` to keep hostname, dispname and sni for a filter
- allocate `sni` for use in VTLS backend
- eliminate `Curl_ssl_snihost()` and its use of the download buffer
- use ssl_peer in SSL and QUIC filters
Closes #12349

2bc1d775 | 02-Jan-2023 | Daniel Stenberg
copyright: update all copyright lines and remove year ranges

- they are mostly pointless in all major jurisdictions
- many big corporations and projects already don't use them
- saves us from pointless churn
- git keeps history for us
- the year range is kept in COPYING
checksrc is updated to allow non-year using copyright statements
Closes #10205

27ec767e | 30-Nov-2022 | Stefan Eissing
gnutls: use common gnutls init and verify code for ngtcp2
Closes #10007

af22c2a5 | 22-Nov-2022 | Stefan Eissing
vtls: localization of state data in filters

- almost all backend calls pass the Curl_cfilter instance instead of connectdata+sockindex
- ssl_connect_data is removed from struct connectdata and made internal to vtls
- ssl_connect_data is allocated in the added filter, kept at cf->ctx
- added function to let a ssl filter access its ssl_primary_config and ssl_config_data; this selects the proper subfields in conn and data, for filters added as plain or proxy
- adjusted all backends to use the changed api
- adjusted all backends to access config data via the exposed functions, no longer using conn or data directly
cfilter renames for clear purpose:
- methods `Curl_conn_*(data, conn, sockindex)` work on the complete filter chain at `sockindex` and connection `conn`.
- methods `Curl_cf_*(cf, ...)` work on a specific Curl_cfilter instance.
- methods `Curl_conn_cf()` work on/with filter instances at a connection.
- rebased and resolved some naming conflicts
- hostname validation (and session lookup) on SECONDARY use the same name as on FIRST (again).
new debug macros and removing connectdata from function signatures where not needed.
adapting schannel for new Curl_read_plain parameter.
Closes #9919

ad9bc597 | 17-May-2022 | max.mehl
copyright: make repository REUSE compliant

Add licensing and copyright information for all files in this repository. This either happens in the file itself as a comment header or in the file `.reuse/dep5`. This commit also adds a Github workflow to check pull requests and adapts copyright.pl to the changes.
Closes #8869

a4d9876c | 29-Dec-2021 | Daniel Stenberg
gtls: add gnutls include for the session type
Follow-up to 8fbd6feddfa5 to make it build more universally

8fbd6fed | 25-Dec-2021 | Daniel Stenberg
ngtcp2: verify the server certificate for the gnutls case
Closes #8178

Revision tags: curl-7_76_1, curl-7_76_0, curl-7_75_0, curl-7_74_0

ac0a88fd | 05-Nov-2020 | Daniel Stenberg
copyright: fix year ranges
Follow-up from 4d2f8006777

4d2f8006 | 04-Nov-2020 | Daniel Stenberg
curl.se: new home
Closes #6172

Revision tags: curl-7_73_0, tiny-curl-7_72_0, curl-7_72_0, curl-7_71_1, curl-7_71_0, curl-7_70_0, curl-7_69_1, curl-7_69_0, curl-7_68_0, curl-7_67_0, curl-7_66_0, curl-7_65_3, curl-7_65_2, curl-7_65_1, curl-7_65_0, curl-7_64_1, curl-7_64_0, curl-7_63_0, curl-7_62_0, curl-7_61_1, curl-7_61_0, curl-7_60_0, curl-7_59_0, curl-7_58_0, curl-7_57_0, curl-7_56_1, curl-7_56_0, curl-7_55_1, curl-7_55_0

a53bda35 | 23-Jun-2017 | Johannes Schindelin
vtls: fold the backend ID into the Curl_ssl structure
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

6f1eec14 | 23-Jun-2017 | Johannes Schindelin
vtls: remove obsolete declarations of SSL backend functionality

These functions are all available via the Curl_ssl struct now, no need to declare them separately anymore. As the global declarations are removed, the corresponding function definitions are marked as file-local. The only two exceptions here are Curl_mbedtls_shutdown() and Curl_polarssl_shutdown(): only the declarations were removed, there are no function definitions to mark file-local.

Please note that Curl_nss_force_init() is *still* declared globally, as the only SSL backend-specific function, because it was introduced specifically for the use case where cURL was compiled with `--without-ssl --with-nss`. For details, see f3b77e561 (http_ntlm: add support for NSS, 2010-06-27).
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

f0b4db1a | 26-Jun-2017 | Johannes Schindelin
vtls: move the SUPPORT_HTTPS_PROXY flag into the Curl_ssl struct

That will allow us to choose the SSL backend at runtime.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

937899a3 | 20-Jun-2017 | Johannes Schindelin
vtls: convert the have_curlssl_* constants to runtime flags

The entire idea of introducing the Curl_ssl struct to describe SSL backends is to prepare for choosing the SSL backend at runtime. To that end, convert all the #ifdef have_curlssl_* style conditionals to use bit flags instead.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

0a083a66 | 22-Jun-2017 | Johannes Schindelin
vtls: move sha256sum into the Curl_ssl struct

The SHA-256 checksumming is also an SSL backend-specific function. Let's include it in the struct declaring the functionality of SSL backends. In contrast to MD5, there is no fall-back code. To indicate this, the respective entries are NULL for those backends that offer no support for SHA-256 checksumming.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

e35205a0 | 22-Jun-2017 | Johannes Schindelin
vtls: move md5sum into the Curl_ssl struct

The MD5 summing is also an SSL backend-specific function. So let's include it, offering the previous fall-back code as a separate function now: Curl_none_md5sum(). To allow for that, the signature had to be changed so that an error could be returned from the implementation (Curl_none_md5sum() can run out of memory).
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

52e8237b | 22-Jun-2017 | Johannes Schindelin
vtls: use the Curl_ssl struct to access all SSL backends' functionality

This is the first step to unify the SSL backend handling. Now all the SSL backend-specific functionality is accessed via a global instance of the Curl_ssl struct.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

e09bb63e | 22-Jun-2017 | Johannes Schindelin
vtls: declare Curl_ssl structs for every SSL backend

The idea of introducing the Curl_ssl struct was to unify how the SSL backends are declared and called. To this end, we now provide an instance of the Curl_ssl struct for each and every SSL backend.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

b31d1dcd | 25-Jun-2017 | Johannes Schindelin
vtls: make sure all _cleanup() functions return void

This patch makes the signature of the _cleanup() functions consistent among the SSL backends, in preparation for unifying the way all SSL backends are accessed.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

Revision tags: curl-7_54_1, curl-7_54_0, curl-7_53_1, curl-7_53_0

807698db | 12-Jan-2017 | Daniel Stenberg
rand: make it work without TLS backing

Regression introduced in commit f682156a4fc6c4
Reported-by: John Kohl
Bug: https://curl.haxx.se/mail/lib-2017-01/0055.html

Revision tags: curl-7_52_1, curl-7_52_0

a4b2f7aa | 25-Nov-2016 | Okhin Vasilij
curl_version_info: add CURL_VERSION_HTTPS_PROXY
Closes #1142

cb4e2be7 | 16-Nov-2016 | Alex Rousskov
proxy: Support HTTPS proxy and SOCKS+HTTP(s)

* HTTPS proxies:

An HTTPS proxy receives all transactions over an SSL/TLS connection. Once a secure connection with the proxy is established, the user agent uses the proxy as usual, including sending CONNECT requests to instruct the proxy to establish a [usually secure] TCP tunnel with an origin server. HTTPS proxies protect nearly all aspects of user-proxy communications as opposed to HTTP proxies that receive all requests (including CONNECT requests) in vulnerable clear text.

With HTTPS proxies, it is possible to have two concurrent _nested_ SSL/TLS sessions: the "outer" one between the user agent and the proxy and the "inner" one between the user agent and the origin server (through the proxy). This change adds support for such nested sessions as well.

A secure connection with a proxy requires its own set of the usual SSL options (their actual descriptions differ and need polishing, see TODO):

  --proxy-cacert FILE         CA certificate to verify peer against
  --proxy-capath DIR          CA directory to verify peer against
  --proxy-cert CERT[:PASSWD]  Client certificate file and password
  --proxy-cert-type TYPE      Certificate file type (DER/PEM/ENG)
  --proxy-ciphers LIST        SSL ciphers to use
  --proxy-crlfile FILE        Get a CRL list in PEM format from the file
  --proxy-insecure            Allow connections to proxies with bad certs
  --proxy-key KEY             Private key file name
  --proxy-key-type TYPE       Private key file type (DER/PEM/ENG)
  --proxy-pass PASS           Pass phrase for the private key
  --proxy-ssl-allow-beast     Allow security flaw to improve interop
  --proxy-sslv2               Use SSLv2
  --proxy-sslv3               Use SSLv3
  --proxy-tlsv1               Use TLSv1
  --proxy-tlsuser USER        TLS username
  --proxy-tlspassword STRING  TLS password
  --proxy-tlsauthtype STRING  TLS authentication type (default SRP)

All --proxy-foo options are independent from their --foo counterparts, except --proxy-crlfile which defaults to --crlfile and --proxy-capath which defaults to --capath.

Curl now also supports %{proxy_ssl_verify_result} --write-out variable, similar to the existing %{ssl_verify_result} variable.

Supported backends: OpenSSL, GnuTLS, and NSS.

* A SOCKS proxy + HTTP/HTTPS proxy combination:

If both --socks* and --proxy options are given, Curl first connects to the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS proxy.

TODO: Update documentation for the new APIs and --proxy-* options. Look for "Added in 7.XXX" marks.
