#
c31041b1 |
| 07-Jun-2024 |
Stefan Eissing |
connection: shutdown TLS (for FTP) better This adds connection shutdown infrastructure and first use for FTP. FTP data connections, when not encountering an error, are now shut down in a
connection: shutdown TLS (for FTP) better This adds connection shutdown infrastructure and first use for FTP. FTP data connections, when not encountering an error, are now shut down in a blocking way with a 2sec timeout. - add cfilter `Curl_cft_shutdown` callback - keep a shutdown start timestamp and timeout at connectdata - provide shutdown timeout default and member in `data->set.shutdowntimeout`. - provide methods for starting, interrogating and clearing shutdown timers - provide `Curl_conn_shutdown_blocking()` to shutdown the `sockindex` filter chain in a blocking way. Use that in FTP. - add `Curl_conn_cf_poll()` to wait for socket events during shutdown of a connection filter chain. This gets the monitoring sockets and events via the filters "adjust_pollset()" methods. This gives correct behaviour when shutting down a TLS connection through a HTTP/2 proxy. - Implement shutdown for all socket filters - for HTTP/2 and h2 proxying to send GOAWAY - for TLS backends to the best of their capabilities - for tcp socket filter to make a final, nonblocking receive to avoid unwanted RST states - add shutdown forwarding to happy eyeballers and https connect ballers when applicable. Closes #13904
show more ...
|
#
08872971 |
| 13-May-2024 |
Viktor Szakats |
lib/v*: tidy up types and casts Also add a couple of negative checks. Cherry-picked from #13489 Closes #13622
|
#
80aa5195 |
| 01-Jun-2024 |
Daniel Stenberg |
wolfssl: support CA caching As a bonus, add SSLSUPP_CA_CACHE to let TLS backends signal its support for this so that *setopt() return error if there is no support. Closes #13786
|
#
e101a7a8 |
| 11-Apr-2024 |
Stefan Eissing |
multi: add multi->proto_hash, a key-value store for protocol data - add `Curl_hash_add2()` that passes a destructor function for the element added. Call element destructor instead of h
multi: add multi->proto_hash, a key-value store for protocol data - add `Curl_hash_add2()` that passes a destructor function for the element added. Call element destructor instead of hash destructor if present. - multi: add `proto_hash` for protocol related information, remove `struct multi_ssl_backend_data`. - openssl: use multi->proto_hash to keep x509 shared store - schannel: use multi->proto_hash to keep x509 shared store - vtls: remove Curl_free_multi_ssl_backend_data() and its equivalents in the TLS backends Closes #13345
show more ...
|
#
5e3fd347 |
| 15-Apr-2024 |
Daniel Stenberg |
version: add "ECH" as a feature If available Follow-up to a362962b7 Closes #13378
|
#
32101010 |
| 22-Mar-2024 |
Stefan Eissing |
tls: use shared init code for TCP+QUIC Closes #13172
|
#
4dbc7acc |
| 05-Dec-2023 |
Michał Antoniak <47522782+MAntoniak@users.noreply.github.com> |
vtls: remove the Curl_cft_ssl_proxy object if CURL_DISABLE_PROXY Closes #12459
|
#
fa714830 |
| 17-Nov-2023 |
Stefan Eissing |
vtls/vquic, keep peer name information together - add `struct ssl_peer` to keep hostname, dispname and sni for a filter - allocate `sni` for use in VTLS backend - eliminate `Cu
vtls/vquic, keep peer name information together - add `struct ssl_peer` to keep hostname, dispname and sni for a filter - allocate `sni` for use in VTLS backend - eliminate `Curl_ssl_snihost()` and its use of the download buffer - use ssl_peer in SSL and QUIC filters Closes #12349
show more ...
|
#
bbdbd4b0 |
| 31-Oct-2023 |
Stefan Eissing |
vtls: late clone of connection ssl config - perform connection cache matching against `data->set.ssl.primary` and proxy counterpart - fully clone connection ssl config only when co
vtls: late clone of connection ssl config - perform connection cache matching against `data->set.ssl.primary` and proxy counterpart - fully clone connection ssl config only when connection is used Closes #12237
show more ...
|
#
bf0e278a |
| 26-Oct-2023 |
Stefan Eissing |
vtls: cleanup SSL config management - remove `Curl_ssl_get_config()`, no longer needed Closes #12204
|
#
2fcb674c |
| 30-Jul-2023 |
Jay Satiro |
vtls: clarify "ALPN: offers" message Before: * ALPN: offers h2,http/1.1 After: * ALPN: curl offers h2,http/1.1 Bug: https://curl.se/mail/lib-2023-07/0041.html R
vtls: clarify "ALPN: offers" message Before: * ALPN: offers h2,http/1.1 After: * ALPN: curl offers h2,http/1.1 Bug: https://curl.se/mail/lib-2023-07/0041.html Reported-by: Richard W.M. Jones Closes #11544
show more ...
|
#
8e85764b |
| 22-May-2023 |
Daniel Stenberg |
lib: remove unused functions, make single-use static Closes #11174
|
#
4ae2d9f2 |
| 06-Apr-2023 |
Stefan Eissing |
proxy: http2 proxy tunnel implementation - currently only on debug build and when env variable CURL_PROXY_TUNNEL_H2 is present. - will ALPN negotiate with the proxy server and swit
proxy: http2 proxy tunnel implementation - currently only on debug build and when env variable CURL_PROXY_TUNNEL_H2 is present. - will ALPN negotiate with the proxy server and switch tunnel filter based on the protocol negotiated. - http/1.1 tunnel code moved into cf-h1-proxy.[ch] - http/2 tunnel code implemented in cf-h2-proxy.[ch] - tunnel start and ALPN set remains in http_proxy.c - moving all haproxy related code into cf-haproxy.[ch] VTLS changes - SSL filters rely solely on the "alpn" specification they are created with and no longer check conn->bits.tls_enable_alpn. - checks on which ALPN specification to use (or none at all) are done in vtls.c when creating the filter. Testing - added a nghttpx forward proxy to the pytest setup that speaks HTTP/2 and forwards all requests to the Apache httpd forward proxy server. - extending test coverage in test_10 cases - adding proxy tests for direct/tunnel h1/h2 use of basic auth. - adding test for http/1.1 and h2 proxy tunneling to pytest Closes #10780
show more ...
|
#
0065b146 |
| 07-Feb-2023 |
John Bampton |
misc: fix spelling Closes #10437
|
#
67115824 |
| 01-Feb-2023 |
Stefan Eissing |
connections: introduce http/3 happy eyeballs New cfilter HTTP-CONNECT for h3/h2/http1.1 eyeballing. - filter is installed when `--http3` in the tool is used (or the equivalent CURL
connections: introduce http/3 happy eyeballs New cfilter HTTP-CONNECT for h3/h2/http1.1 eyeballing. - filter is installed when `--http3` in the tool is used (or the equivalent CURLOPT_ done in the library) - starts a QUIC/HTTP/3 connect right away. Should that not succeed after 100ms (subject to change), a parallel attempt is started for HTTP/2 and HTTP/1.1 via TCP - both attempts are subject to IPv6/IPv4 eyeballing, same as happens for other connections - tie timeout to the ip-version HAPPY_EYEBALLS_TIMEOUT - use a `soft` timeout at half the value. When the soft timeout expires, the HTTPS-CONNECT filter checks if the QUIC filter has received any data from the server. If not, it will start the HTTP/2 attempt. HTTP/3(ngtcp2) improvements. - setting call_data in all cfilter calls similar to http/2 and vtls filters for use in callback where no stream data is available. - returning CURLE_PARTIAL_FILE for prematurely terminated transfers - enabling pytest test_05 for h3 - shifting functionality to "connect" UDP sockets from ngtcp2 implementation into the udp socket cfilter. Because unconnected UDP sockets are weird. For example they error when adding to a pollset. HTTP/3(quiche) improvements. - fixed upload bug in quiche implementation, now passes 251 and pytest - error codes on stream RESET - improved debug logs - handling of DRAIN during connect - limiting pending event queue HTTP/2 cfilter improvements. - use LOG_CF macros for dynamic logging in debug build - fix CURLcode on RST streams to be CURLE_PARTIAL_FILE - enable pytest test_05 for h2 - fix upload pytests and improve parallel transfer performance. GOAWAY handling for ngtcp2/quiche - during connect, when the remote server refuses to accept new connections and closes immediately (so the local conn goes into DRAIN phase), the connection is torn down and a another attempt is made after a short grace period. This is the behaviour observed with nghttpx when we tell it to shut down gracefully. Tested in pytest test_03_02. TLS improvements - ALPN selection for SSL/SSL-PROXY filters in one vtls set of functions, replaces copy of logic in all tls backends. - standardized the infof logging of offered ALPNs - ALPN negotiated: have common function for all backends that sets alpn proprty and connection related things based on the negotiated protocol (or lack thereof). - new tests/tests-httpd/scorecard.py for testing h3/h2 protocol implementation. Invoke: python3 tests/tests-httpd/scorecard.py --help for usage. Improvements on gathering connect statistics and socket access. - new CF_CTRL_CONN_REPORT_STATS cfilter control for having cfilters report connection statistics. This is triggered when the connection has completely connected. - new void Curl_pgrsTimeWas(..) method to report a timer update with a timestamp of when it happend. This allows for updating timers "later", e.g. a connect statistic after full connectivity has been reached. - in case of HTTP eyeballing, the previous changes will update statistics only from the filter chain that "won" the eyeballing. - new cfilter query CF_QUERY_SOCKET for retrieving the socket used by a filter chain. Added methods Curl_conn_cf_get_socket() and Curl_conn_get_socket() for convenient use of this query. - Change VTLS backend to query their sub-filters for the socket when checks during the handshake are made. HTTP/3 documentation on how https eyeballing works. TLS improvements - ALPN selection for SSL/SSL-PROXY filters in one vtls set of functions, replaces copy of logic in all tls backends. - standardized the infof logging of offered ALPNs - ALPN negotiated: have common function for all backends that sets alpn proprty and connection related things based on the negotiated protocol (or lack thereof). Scorecard with Caddy. - configure can be run with `--with-test-caddy=path` to specify which caddy to use for testing - tests/tests-httpd/scorecard.py now measures download speeds with caddy pytest improvements - adding Makfile to clean gen dir - adding nghttpx rundir creation on start - checking httpd version 2.4.55 for test_05 cases where it is needed. Skipping with message if too old. - catch exception when checking for caddy existance on system. Closes #10349
show more ...
|
#
db91dbbf |
| 11-Jan-2023 |
Stefan Eissing |
curl_log: for failf/infof and debug logging implementations - new functions and macros for cfilter debugging - set CURL_DEBUG with names of cfilters where debug logging should be
curl_log: for failf/infof and debug logging implementations - new functions and macros for cfilter debugging - set CURL_DEBUG with names of cfilters where debug logging should be enabled - use GNUC __attribute__ to enable printf format checks during compile Closes #10271
show more ...
|
#
2bc1d775 |
| 02-Jan-2023 |
Daniel Stenberg |
copyright: update all copyright lines and remove year ranges - they are mostly pointless in all major jurisdictions - many big corporations and projects already don't use them - save
copyright: update all copyright lines and remove year ranges - they are mostly pointless in all major jurisdictions - many big corporations and projects already don't use them - saves us from pointless churn - git keeps history for us - the year range is kept in COPYING checksrc is updated to allow non-year using copyright statements Closes #10205
show more ...
|
#
df856cb5 |
| 30-Dec-2022 |
Daniel Stenberg |
vtls: use ALPN HTTP/1.0 when HTTP/1.0 is used Previously libcurl would use the HTTP/1.1 ALPN id even when the application specified HTTP/1.0. Reported-by: William Tang Ref:
vtls: use ALPN HTTP/1.0 when HTTP/1.0 is used Previously libcurl would use the HTTP/1.1 ALPN id even when the application specified HTTP/1.0. Reported-by: William Tang Ref: #10183
show more ...
|
#
71b7e016 |
| 30-Dec-2022 |
Stefan Eissing |
lib: connect/h2/h3 refactor Refactoring of connection setup and happy eyeballing. Move nghttp2. ngtcp2, quiche and msh3 into connection filters. - eyeballing cfilter that uses
lib: connect/h2/h3 refactor Refactoring of connection setup and happy eyeballing. Move nghttp2. ngtcp2, quiche and msh3 into connection filters. - eyeballing cfilter that uses sub-filters for performing parallel connects - socket cfilter for all transport types, including QUIC - QUIC implementations in cfilter, can now participate in eyeballing - connection setup is more dynamic in order to adapt to what filter did really connect. Relevant to see if a SSL filter needs to be added or if SSL has already been provided - HTTP/3 test cases similar to HTTP/2 - multiuse of parallel transfers for HTTP/3, tested for ngtcp2 and quiche - Fix for data attach/detach in VTLS filters that could lead to crashes during parallel transfers. - Eliminating setup() methods in cfilters, no longer needed. - Improving Curl_conn_is_alive() to replace Curl_connalive() and integrated ssl alive checks into cfilter. - Adding CF_CNTRL_CONN_INFO_UPDATE to tell filters to update connection into and persist it at the easy handle. - Several more cfilter related cleanups and moves: - stream_weigth and dependency info is now wrapped in struct Curl_data_priority - Curl_data_priority members depend is available in HTTP2|HTTP3 - Curl_data_priority members depend on NGHTTP2 support - handling init/reset/cleanup of priority part of url.c - data->state.priority same struct, but shallow copy for compares only - PROTOPT_STREAM has been removed - Curl_conn_is_mulitplex() now available to check on capability - Adding query method to connection filters. - ngtcp2+quiche: implementing query for max concurrent transfers. - Adding is_alive and keep_alive cfilter methods. Adding DATA_SETUP event. - setting keepalive timestamp on connect - DATA_SETUP is called after the connection has been completely setup (but may not connected yet) to allow filters to initialize data members they use. - there is no socket to be had with msh3, it is unclear how select shall work - manual test via "curl --http3 https://curl.se" fail with "empty reply from server". - Various socket/conn related cleanups: - Curl_socket is now Curl_socket_open and in cf-socket.c - Curl_closesocket is now Curl_socket_close and in cf-socket.c - Curl_ssl_use has been replaced with Cur_conn_is_ssl - Curl_conn_tcp_accepted_set has been split into Curl_conn_tcp_listen_set and Curl_conn_tcp_accepted_set with a clearer purpose Closes #10141
show more ...
|
#
b42156b8 |
| 07-Dec-2022 |
Stefan Eissing |
cfilter: improve SSL connection checks - fixes `Curl_ssl_cf_get_ssl()` to detect also the first filter instance as ssl (refs #10053) - replaces `Curl_ssl_use()` with the corre
cfilter: improve SSL connection checks - fixes `Curl_ssl_cf_get_ssl()` to detect also the first filter instance as ssl (refs #10053) - replaces `Curl_ssl_use()` with the correct `Curl_conn_is_ssl()` Closes #10054 Fixes #10053 Reported-by: Patrick Monnerat
show more ...
|
#
55807e6c |
| 25-Nov-2022 |
Stefan Eissing |
tls: backends use connection filters for IO, enabling HTTPS-proxy - OpenSSL (and compatible) - BearSSL - gnutls - mbedtls - rustls - schannel - secure-transpor
tls: backends use connection filters for IO, enabling HTTPS-proxy - OpenSSL (and compatible) - BearSSL - gnutls - mbedtls - rustls - schannel - secure-transport - wolfSSL (v5.0.0 and newer) This leaves only the following without HTTPS-proxy support: - gskit - nss - wolfSSL (versions earlier than v5.0.0) Closes #9962
show more ...
|
#
f18956d0 |
| 26-Nov-2022 |
Stefan Eissing |
cfilter: re-add `conn` as parameter to cfilter setup methods - `Curl_ssl_get_config()` now returns the first config if no SSL proxy filter is active - socket filter starts con
cfilter: re-add `conn` as parameter to cfilter setup methods - `Curl_ssl_get_config()` now returns the first config if no SSL proxy filter is active - socket filter starts connection only on first invocation of its connect method Fixes #9982 Closes #9983
show more ...
|
#
af22c2a5 |
| 22-Nov-2022 |
Stefan Eissing |
vtls: localization of state data in filters - almost all backend calls pass the Curl_cfilter intance instead of connectdata+sockindex - ssl_connect_data is remove from struct co
vtls: localization of state data in filters - almost all backend calls pass the Curl_cfilter intance instead of connectdata+sockindex - ssl_connect_data is remove from struct connectdata and made internal to vtls - ssl_connect_data is allocated in the added filter, kept at cf->ctx - added function to let a ssl filter access its ssl_primary_config and ssl_config_data this selects the propert subfields in conn and data, for filters added as plain or proxy - adjusted all backends to use the changed api - adjusted all backends to access config data via the exposed functions, no longer using conn or data directly cfilter renames for clear purpose: - methods `Curl_conn_*(data, conn, sockindex)` work on the complete filter chain at `sockindex` and connection `conn`. - methods `Curl_cf_*(cf, ...)` work on a specific Curl_cfilter instance. - methods `Curl_conn_cf()` work on/with filter instances at a connection. - rebased and resolved some naming conflicts - hostname validation (und session lookup) on SECONDARY use the same name as on FIRST (again). new debug macros and removing connectdata from function signatures where not needed. adapting schannel for new Curl_read_plain paramter. Closes #9919
show more ...
|
#
dafdb20a |
| 11-Nov-2022 |
Stefan Eissing |
lib: connection filters (cfilter) addition to curl: - general construct/destroy in connectdata - default implementations of callback functions - connect: cfilters for connect and
lib: connection filters (cfilter) addition to curl: - general construct/destroy in connectdata - default implementations of callback functions - connect: cfilters for connect and accept - socks: cfilter for socks proxying - http_proxy: cfilter for http proxy tunneling - vtls: cfilters for primary and proxy ssl - change in general handling of data/conn - Curl_cfilter_setup() sets up filter chain based on data settings, if none are installed by the protocol handler setup - Curl_cfilter_connect() boot straps filters into `connected` status, used by handlers and multi to reach further stages - Curl_cfilter_is_connected() to check if a conn is connected, e.g. all filters have done their work - Curl_cfilter_get_select_socks() gets the sockets and READ/WRITE indicators for multi select to work - Curl_cfilter_data_pending() asks filters if the have incoming data pending for recv - Curl_cfilter_recv()/Curl_cfilter_send are the general callbacks installed in conn->recv/conn->send for io handling - Curl_cfilter_attach_data()/Curl_cfilter_detach_data() inform filters and addition/removal of a `data` from their connection - adding vtl functions to prevent use of Curl_ssl globals directly in other parts of the code. Reviewed-by: Daniel Stenberg Closes #9855
show more ...
|
#
3c16697e |
| 28-Sep-2022 |
Michael Drake |
openssl: reduce CA certificate bundle reparsing by caching Closes #9620
|