Daniel Stenberg [Sat, 1 Aug 2009 22:11:58 +0000 (22:11 +0000)]
- Curt Bogmine reported a problem with SNI enabled on a particular server. We
should introduce an option to disable SNI, but as we're in feature freeze
now I've addressed the obvious bug here (pointed out by Peter Sylvester): we
shouldn't try to enable SNI when SSLv2 or SSLv3 is explicitly selected.
Code for OpenSSL and GnuTLS was fixed. NSS doesn't seem to have a particular
option for SNI, or are we simply not using it?
Daniel Stenberg [Sat, 1 Aug 2009 21:56:59 +0000 (21:56 +0000)]
- Scott Cantor posted the bug report #2829955
(http://curl.haxx.se/bug/view.cgi?id=2829955) mentioning the recent SSL cert
verification flaw found and exploited by Moxie Marlinspike. The presentation
he did at Black Hat is available here:
https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike
Apparently at least one CA allowed a subjectAltName or CN that contain a
zero byte, and thus clients that assumed they would never have zero bytes
were exploited to OK a certificate that didn't actually match the site. Like
if the name in the cert was "example.com\0theatualsite.com", libcurl would
happily verify that cert for example.com.
libcurl now better use the length of the extracted name, not assuming it is
zero terminated.
Daniel Stenberg [Sat, 1 Aug 2009 11:09:02 +0000 (11:09 +0000)]
- Tanguy Fautre pointed out that OpenSSL's function RAND_screen() (present
only in some OpenSSL installs - like on Windows) isn't thread-safe and we
agreed that moving it to the global_init() function is a decent way to deal
with this situation.
Daniel Stenberg [Sat, 1 Aug 2009 11:02:10 +0000 (11:02 +0000)]
- Alexander Beedie provided the patch for a noproxy problem: If I have set
CURLOPT_NOPROXY to "*", or to a host that should not use a proxy, I actually
could still end up using a proxy if a proxy environment variable was set.
Daniel Stenberg [Fri, 31 Jul 2009 11:16:04 +0000 (11:16 +0000)]
67. When creating multipart formposts. The file name part can be encoded with
something beyond ascii but currently libcurl will only pass in the verbatim
string the app provides. There are several browsers that already do this
encoding. The key seems to be the updated draft to RFC2231:
http://tools.ietf.org/html/draft-reschke-rfc2231-in-http-02
Daniel Stenberg [Mon, 27 Jul 2009 18:36:56 +0000 (18:36 +0000)]
- All the quote options (CURLOPT_QUOTE, CURLOPT_POSTQUOTE and
CURLOPT_PREQUOTE) now accept a preceeding asterisk before the command to
send when using FTP, as a sign that libcurl shall simply ignore the response
from the server instead of treating it as an error. Not treating a 400+ FTP
response code as an error means that failed commands will not abort the
chain of commands, nor will they cause the connection to get disconnected.
Daniel Stenberg [Mon, 27 Jul 2009 18:31:48 +0000 (18:31 +0000)]
From: Johan van Selst
"you replaced the old SSLeay_add_ssl_algorithms() call
with OpenSSL_add_all_algorithms(), however unlike the name suggests,
the second function is not a superset of the first. When using SSL
both these functions will need to be called in order to offer complete
functionality"
Daniel Stenberg [Sun, 26 Jul 2009 17:33:36 +0000 (17:33 +0000)]
- Bug report #2825989 (http://curl.haxx.se/bug/view.cgi?id=2825989) pointed
out that OpenSSL-powered libcurl didn't support the SHA-2 digest algorithm,
and provided the solution too: to use OpenSSL_add_all_algorithms() instead
of the older SSLeay_* alternative. OpenSSL_add_all_algorithms was added in
OpenSSL 0.9.5
Daniel Stenberg [Sat, 25 Jul 2009 18:09:57 +0000 (18:09 +0000)]
properly free data returned by aprintf(), and bring back the code to be
independent of libssh2 version as the client code isn't really meant to adapt
to such build-time constraints.
Daniel Stenberg [Wed, 22 Jul 2009 22:49:01 +0000 (22:49 +0000)]
- Added CURLOPT_SSH_KNOWNHOSTS, CURLOPT_SSH_KEYFUNCTION, CURLOPT_SSH_KEYDATA.
They introduce known_host support for SSH keys to libcurl. See docs for
details.
Michal Marek [Wed, 22 Jul 2009 09:48:32 +0000 (09:48 +0000)]
- David Binderman found a memory and fd leak in lib/gtls.c:load_file()
(https://bugzilla.novell.com/523919). When looking at the code, I found
that also the ptr pointer can leak.
- Claes Jakobsson improved the support for client certificates handling
in NSS-powered libcurl. Now the client certificates can be selected
automatically by a NSS built-in hook. Additionally pre-login to all PKCS11
slots is no more performed. It used to cause problems with HW tokens.
- Fixed reference counting for NSS client certificates. Now the PEM reader
module should be always properly unloaded on Curl_nss_cleanup(). If the unload
fails though, libcurl will try to reuse the already loaded instance.
Bill Hoffman [Wed, 15 Jul 2009 19:25:22 +0000 (19:25 +0000)]
BUG: curl did not build with cmake with VS 2005 for two reasons, ws2tcpip.h requires winsock2.h to be included before it with that compiler, and wldap32 is not available with the default install of the compiler, so disable ldap support if that is not found
renamed generated config.h to curl_config.h in order to avoid clashes when libcurl is used with other projects which also have a config.h (missing bits)
Daniel Stenberg [Thu, 9 Jul 2009 21:47:24 +0000 (21:47 +0000)]
- Eric Wong introduced curlx_nonblock() that the curl tool now (re-)uses for
setting a file descriptor non-blocking. Used by the functionality Eric
himself brough on June 15th.
Daniel Stenberg [Wed, 8 Jul 2009 07:00:40 +0000 (07:00 +0000)]
- Constantine Sapuntzakis posted bug report #2813123
(http://curl.haxx.se/bug/view.cgi?id=2813123) and an a patch that fixes the
problem:
Url A is accessed using auth. Url A redirects to Url B (on a different
server0. Url B reuses a persistent connection. Url B has auth, even though
it's on a different server.
Note: if Url B does not reuse a persistent connection, auth is not sent.
Daniel Stenberg [Tue, 30 Jun 2009 21:30:39 +0000 (21:30 +0000)]
Tor Arntsen pointed out a missing #ifdef for IPv6, and I changed another one
to use the "standard" ENABLE_IPV6 one. Also, if port number cannot be figured
out to connect to after a name resolve (due to it not being IPv4 or IPv6),
that particular address will now simply be skipped.
Daniel Stenberg [Mon, 29 Jun 2009 20:46:01 +0000 (20:46 +0000)]
- Markus Koetter made CURLOPT_FTPPORT (and curl's -P/--ftpport) support a port
range if given colon-separated after the host name/address part. Like
"192.168.0.1:2000-10000"
Daniel Stenberg [Mon, 29 Jun 2009 20:45:42 +0000 (20:45 +0000)]
- Modified the separators used for CURLOPT_CERTINFO in multi-part outputs. I
don't know how they got wrong in the first place, but using this output
format makes it possible to quite easily separate the string into an array
of multiple items.
Yang Tse [Fri, 19 Jun 2009 00:41:03 +0000 (00:41 +0000)]
sclose() function-like macro definition used to close a socket,
now solely based on HAVE_CLOSESOCKET and HAVE_CLOSESOCKET_CAMEL
config file preprocessor definitions.
Daniel Stenberg [Tue, 16 Jun 2009 18:03:28 +0000 (18:03 +0000)]
- Reuven Wachtfogel made curl -o - properly produce a binary output on windows
(no newline translations). Use -B/--use-ascii if you rather get the ascii
approach.
Daniel Stenberg [Mon, 15 Jun 2009 21:13:00 +0000 (21:13 +0000)]
- Eric Wong's patch:
This allows curl(1) to be used as a client-side tunnel for arbitrary stream
protocols by abusing chunked transfer encoding in both the HTTP request and
HTTP response. This requires server support for sending a response while a
request is still being read, of course.
If attempting to read from stdin returns EAGAIN, then we pause our sender.
This leaves curl to attempt to read from the socket while reading from stdin
(and thus sending) is paused.