GHA/macos: enable HTTPS tests with stunnel

- Install stunnel.

- Regenerate certificates (as SecureTransport requires a validity period
less than 398 days).

- Restart

GHA/macos: enable HTTPS tests with stunnel

- Install stunnel.

- Regenerate certificates (as SecureTransport requires a validity period
less than 398 days).

- Restart server if it is unresponsive.

- Do not hardcode the SHA-256 base64 public pinned key.

- Ignore test 313 as SecureTransport does not support crl file.

- Ignore tests 1631 and 1632 as SecureTransport is not yet able to shut
down FTP over HTTPS gracefully.

- Add a CMake target for generating certificates.

Closes #14486

show more ...

dist: add files missing from release tarball

Closes #13346

copyright: update all copyright lines and remove year ranges

- they are mostly pointless in all major jurisdictions
- many big corporations and projects already don't use them
- save

copyright: update all copyright lines and remove year ranges

- they are mostly pointless in all major jurisdictions
- many big corporations and projects already don't use them
- saves us from pointless churn
- git keeps history for us
- the year range is kept in COPYING

checksrc is updated to allow non-year using copyright statements

Closes #10205

show more ...

tests: avoid use of sha1 in certificates

The SHA-1 algorithm is deprecated (particularly for security-sensitive
applications) in a variety of OS environments. This already affects
RH

tests: avoid use of sha1 in certificates

The SHA-1 algorithm is deprecated (particularly for security-sensitive
applications) in a variety of OS environments. This already affects
RHEL-9 and derivatives, which are not willing to use certificates using
that algorithm. The fix is to use sha256 instead, which is already used
for most of the other certificates in the test suite.

Fixes #10135

This gets rid of issues related to sha1 signatures.

Manual steps after "make clean-certs" and "make build-certs":

- Copy tests/certs/stunnel-sv.pem to tests/stunnel.pem
(make clean-certs does not remove the original tests/stunnel.pem)

- Copy tests/certs/Server-localhost-sv.pubkey-pinned into --pinnedpubkey
options of tests/data/test2041 and tests/data/test2087

Closes #10153

show more ...

tests: add authorityInfoAccess to generated certs

Generate stunnel.pem as well

Closes #9980

copyright: make repository REUSE compliant

Add licensing and copyright information for all files in this repository. This
either happens in the file itself as a comment header or in the

copyright: make repository REUSE compliant

Add licensing and copyright information for all files in this repository. This
either happens in the file itself as a comment header or in the file
`.reuse/dep5`.

This commit also adds a Github workflow to check pull requests and adapts
copyright.pl to the changes.

Closes #8869

show more ...

curl.se: new home

Closes #6172

copyright: fix out-of-date copyright ranges and missing headers

Reported by the new script 'scripts/copyright.pl'. The script has a
regex whitelist for the files that don't need copyrigh

copyright: fix out-of-date copyright ranges and missing headers

Reported by the new script 'scripts/copyright.pl'. The script has a
regex whitelist for the files that don't need copyright headers.

Removed three (mostly usesless) README files from docs/

Closes #5141

show more ...

schannel: add support for CURLOPT_CAINFO

- Move verify_certificate functionality in schannel.c into a new
file called schannel_verify.c. Additionally, some structure defintions
f

schannel: add support for CURLOPT_CAINFO

- Move verify_certificate functionality in schannel.c into a new
file called schannel_verify.c. Additionally, some structure defintions
from schannel.c have been moved to schannel.h to allow them to be
used in schannel_verify.c.

- Make verify_certificate functionality for Schannel available on
all versions of Windows instead of just Windows CE. verify_certificate
will be invoked on Windows CE or when the user specifies
CURLOPT_CAINFO and CURLOPT_SSL_VERIFYPEER.

- In verify_certificate, create a custom certificate chain engine that
exclusively trusts the certificate store backed by the CURLOPT_CAINFO
file.

- doc updates of --cacert/CAINFO support for schannel

- Use CERT_NAME_SEARCH_ALL_NAMES_FLAG when invoking CertGetNameString
when available. This implements a TODO in schannel.c to improve
handling of multiple SANs in a certificate. In particular, all SANs
will now be searched instead of just the first name.

- Update tool_operate.c to not search for the curl-ca-bundle.crt file
when using Schannel to maintain backward compatibility. Previously,
any curl-ca-bundle.crt file found in that search would have been
ignored by Schannel. But, with CAINFO support, the file found by
that search would have been used as the certificate store and
could cause issues for any users that have curl-ca-bundle.crt in
the search path.

- Update url.c to not set the build time CURL_CA_BUNDLE if the selected
SSL backend is Schannel. We allow setting CA location for schannel
only when explicitly specified by the user via CURLOPT_CAINFO /
--cacert.

- Add new test cases 3000 and 3001. These test cases check that the first
and last SAN, respectively, matches the connection hostname. New test
certificates have been added for these cases. For 3000, the certificate
prefix is Server-localhost-firstSAN and for 3001, the certificate
prefix is Server-localhost-secondSAN.

- Remove TODO 15.2 (Add support for custom server certificate
validation), this commit addresses it.

Closes https://github.com/curl/curl/pull/1325

show more ...

URLs: change all http:// URLs to https://

tests/certs: rebuild certificates with modified key usage bits

The certificates were missing the digitalSignature and keyAgreement
usage types, of which at least digitalSignature was che

tests/certs: rebuild certificates with modified key usage bits

The certificates were missing the digitalSignature and keyAgreement
usage types, of which at least digitalSignature was checked by CyaSSL.
This caused the test server in test 310 (among others) to fail the
startup verification and therefore run (see
http://curl.haxx.se/mail/lib-2014-07/0303.html).

show more ...

tests/certs: added make target to rebuild certificates

The certificate generation scripts were also updated to better match the
format of the certificates currently checked in.

SSL: Add PEM format support for public key pinning

commit bc682cbd follow-up

tests/Makefile.am: remove wildcard usage in EXTRA_DIST