The callback gets called because of the call to PR_Recv() done to
attempt to avoid RST on the TCP connection. The conn->bundle pointer is
already cleared at this point so avoid dereferencing it.
Reported-by: Eric Musser
Fixes#8341Closes#8342
mbedtls/certs.h file contains only certificates example (all definitions
is beginning by mbedtls_test_*). None of them is used so we can avoid
include the file.
Closes#8343
The TLS backends convert the host name to SNI name and need to use that.
This involves cutting off any trailing dot and lowercasing.
Co-authored-by: Jay Satiro
Closes#8320
Reverts 5de8d84098 (May 2014, shipped in 7.37.0) and the
follow-up changes done afterward.
Keep the dot in names for everything except the SNI to make curl behave
more similar to current browsers. This means 'name' and 'name.' send the
same SNI for different 'Host:' headers.
Updated test 1322 accordingly
Fixes#8290
Reported-by: Charles Cazabon
Closes#8320
Avoids the need to clone the strings before check, thus avoiding
mallocs, which for cases where there are many SAN names in a cert could
end up numerous.
Closes#8321
The tools.ietf.org domain has been deprecated a while now, with the
links being redirected to datatracker.ietf.org.
Rather than make people eat that redirect time, this change switches the
URL to a more canonical source.
Closes#8317
Previously curl would just silently ignore it if the necessary defines
are not present at build-time.
Reported-by: Stefan Eissing
Fixes#8309Closes#8310
Mesalink has ceased development. We can no longer encourage use of it.
It seems to be continued under the name TabbySSL, but no attempts have
(yet) been to make curl support it.
Fixes#8188Closes#8191
Add support for `CURLOPT_CAINFO_BLOB` `CURLOPT_PROXY_CAINFO_BLOB` to the
rustls TLS backend. Multiple certificates in a single PEM string are
supported just like OpenSSL does with this option.
This is compatible at least with rustls-ffi 0.8+ which is our new
minimum version anyway.
I was able to build and run this on Windows, pulling trusted certs from
the system and then add them to rustls by setting
`CURLOPT_CAINFO_BLOB`. Handy!
Closes#8255
Since mbedTLS 3.1.0, mbedtls_ssl_setup() fails if the provided
config struct is not valid.
mbedtls_ssl_config_defaults() needs to be called before the config
struct is passed to mbedtls_ssl_setup().
Closes#8238
... by instead using the struct version of the typedef'ed pointer. To
fix build errors when both Schannel and OpenSSL are enabled.
Fixes#8240
Reported-by: Jan Ehrhardt
Closes#8246
"As a last resort, you can access the field foo of a structure bar by
writing bar.MBEDTLS_PRIVATE(foo). Note that you do so at your own risk,
since such code is likely to break in a future minor version of Mbed
TLS." -
f2d1199edc/docs/3.0-migration-guide.md
That future minor version is v3.1.0. I set the >= to == for the version
checks because v3.1.0 is a release, and I am not sure when the private
designation was reverted after v3.0.0.
Closes#8214
... and double-check in the OpenSSL shutdown that the socket is actually
still there before it is used.
Fixes#8193Closes#8195
Reported-by: Leszek Kubik
Make ngtcp2+quictls correctly acknowledge `CURLOPT_SSL_VERIFYPEER` and
`CURLOPT_SSL_VERIFYHOST`.
The name check now uses a function from lib/vtls/openssl.c which will
need attention for when TLS is not done by OpenSSL or is disabled while
QUIC is enabled.
Possibly the servercert() function in openssl.c should be adjusted to be
able to use for both regular TLS and QUIC.
Ref: #8173Closes#8178
Prior to this change OpenSSL_version was only detected in configure
builds. For other builds the old version parsing code was used which
would result in incorrect versioning for OpenSSL 3:
Before:
curl 7.80.0 (i386-pc-win32) libcurl/7.80.0 OpenSSL/3.0.0a zlib/1.2.11
WinIDN libssh2/1.9.0
After:
curl 7.80.0 (i386-pc-win32) libcurl/7.80.0 OpenSSL/3.0.1 zlib/1.2.11
WinIDN libssh2/1.9.0
Reported-by: lllaffer@users.noreply.github.com
Fixes https://github.com/curl/curl/issues/8154
Closes https://github.com/curl/curl/pull/8155
The comment is incorrect in two ways:
- It says the check needs to be last, but the check is actually first.
- is_handshaking actually starts out true.
Closes#8038
When we're reading out plaintext from rustls' internal buffers, we might
get a read of zero bytes (meaning a clean TCP close, including
close_notify). However, we shouldn't return immediately when that
happens, since we may have already copied out some plaintext bytes.
Break out of the loop when we get a read of zero bytes, and figure out
which path we're dealing with.
Acked-by: Kevin Burke
Closes#8003
The update to rustls-ffi 0.8.0 changed handling of EOF and close_notify.
From the CHANGELOG:
> Handling of unclean close and the close_notify TLS alert. Mirroring
> upstream changes, a rustls_connection now tracks TCP closed state like
> so: rustls_connection_read_tls considers a 0-length read from its
> callback to mean "TCP stream was closed by peer." If that happens
> before the peer sent close_notify, rustls_connection_read will return
> RUSTLS_RESULT_UNEXPECTED_EOF once the available plaintext bytes are
> exhausted. This is useful to protect against truncation attacks. Note:
> some TLS implementations don't send close_notify. If you are already
> getting length information from your protocol (e.g. Content-Length in
> HTTP) you may choose to ignore UNEXPECTED_EOF so long as the number of
> plaintext bytes was as expected.
That means we don't need to check for unclean EOF in `cr_recv()`,
because `process_new_packets()` will give us an error if appropriate.
Closes#8003
Previously we'd return CURLE_READ_ERROR if we received this, instead
of triggering the error handling logic that's present in the next if
block down.
After this change, curl requests to https://go.googlesource.com using
HTTP/2 complete successfully.
Fixes#7949Closes#7948
Some method names, as well as the generated library name, were changed
in a recent refactoring.
Further, change the default configuration instructions to check for
Hyper in either "target/debug" or "target/release" - the latter
contains an optimized build configuration.
Fixes#7947Closes#7948
- Call schannel_shutdown if the SSL connection fails.
Prior to this change schannel_shutdown (which shuts down the SSL
connection as well as memory cleanup) was not called when the SSL
connection failed (eg due to failed handshake).
Co-authored-by: Gisle Vanem
Fixes https://github.com/curl/curl/issues/7877
Closes https://github.com/curl/curl/pull/7878
It was previously done mostly to show a match/non-match in the verbose
output even when verification was not asked for. This change skips the
loading of the CA certs unless verifypeer is set to save memory and CPU.
Closes#7892
One reason we know it can fail is if a provider is used that doesn't do
a proper job or is wrongly configured.
Reported-by: Michael Baentsch
Fixes#7840Closes#7856
