Gergely Nagy [Thu, 19 Sep 2013 13:17:13 +0000 (15:17 +0200)]
SSL: protocol version can be specified more precisely
CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1,
CURL_SSLVERSION_TLSv1_2 enum values are added to force exact TLS version
(CURL_SSLVERSION_TLSv1 means TLS 1.x).
axTLS:
axTLS only supports TLS 1.0 and 1.1 but it cannot be set that only one
of these should be used, so we don't allow the new enum values.
darwinssl:
Added support for the new enum values.
SChannel:
Added support for the new enum values.
CyaSSL:
Added support for the new enum values.
Bug: The original CURL_SSLVERSION_TLSv1 value enables only TLS 1.0 (it
did the same before this commit), because CyaSSL cannot be configured to
use TLS 1.0-1.2.
GSKit:
GSKit doesn't seem to support TLS 1.1 and TLS 1.2, so we do not allow
those values.
Bugfix: There was a typo that caused wrong SSL versions to be passed to
GSKit.
NSS:
TLS minor version cannot be set, so we don't allow the new enum values.
QsoSSL:
TLS minor version cannot be set, so we don't allow the new enum values.
OpenSSL:
Added support for the new enum values.
Bugfix: The original CURL_SSLVERSION_TLSv1 value enabled only TLS 1.0,
now it enables 1.0-1.2.
Command-line tool:
Added command line options for the new values.
Daniel Stenberg [Sat, 12 Oct 2013 21:26:38 +0000 (23:26 +0200)]
curl: rename --bearer to --oauth2-bearer
The option '--bearer' might be slightly ambiguous in name. It doesn't
create any conflict that I am aware of at the moment, however, OAUTH v2
is not the only authentication mechanism which uses "bearer" tokens.
Reported-by: Kyle L. Huff
URL: http://curl.haxx.se/mail/lib-2013-10/0064.html
Daniel Stenberg [Wed, 2 Oct 2013 13:31:10 +0000 (15:31 +0200)]
OpenSSL: acknowledge CURLOPT_SSL_VERIFYHOST without VERIFYPEER
Setting only CURLOPT_SSL_VERIFYHOST without CURLOPT_SSL_VERIFYPEER set
should still verify that the host name fields in the server certificate
is fine or return failure.
Steve Holme [Sun, 29 Sep 2013 15:25:11 +0000 (16:25 +0100)]
test909: Removed custom EHLO response after recent changes
...as it is no longer required following capability and authentication
changes and is now causing problems following commit 49341628b50007 as
the test number is obtained from the client address in the EHLO.
Steve Holme [Sun, 29 Sep 2013 08:53:49 +0000 (09:53 +0100)]
ftpserver.pl: Moved specifying the test number from the RCPT address
...to the client address as this frees the RCPT strings to contain
just an email address and by passing the test number into curl as the
client address remains consistent with POP3 and IMAP tests as they are
specified in the URL.
Daniel Stenberg [Sat, 28 Sep 2013 21:18:19 +0000 (23:18 +0200)]
win32: fix Visual Studio 2010 build with WINVER >= 0x600
If no WINVER and/or _WIN32_IWNNT define was set, the Windows platform
SDK often defaults to high value, e.g. 0x601 (whoch may probably depend
on the Windows version being used, in my case Windows 7).
If WINVER >= 0x600 then winsock2.h includes some defines for WSAPoll(),
e.g. POLLIN, POLLPRI, POLLOUT etc. These defines clash with cURL's
lib/select.h.
Steve Holme [Tue, 24 Sep 2013 19:12:48 +0000 (20:12 +0100)]
sasl: Centralised the authentication mechanism strings
Moved the standard SASL mechanism strings into curl_sasl.h rather than
hard coding the same values over and over again in the protocols that
use SASL authentication.
For more information about the mechanism strings see:
As someone reported on the mailing list a while back, the hard-coded
arbitrary timeout of 7s in test 1112 is not sufficient in some build
environments. At Arista Networks we build and test curl as part of our
automated build system, and we've run into this timeout 170 times so
far. Our build servers are typically quite busy building and testing a
lot of code in parallel, so despite being beefy machines with 32 cores
and 128GB of RAM we still hit this 7s timeout regularly.
Steve Holme [Sun, 22 Sep 2013 12:21:15 +0000 (13:21 +0100)]
ftpserver.pl: Added cURL SMTP server detection to HELO command handler
As curl will send a HELO command after an negative EHLO response, added
the same detection from commit b07709f7417c3e to the HELO handler to
ensure the test server is identified correctly and an upload isn't
performed.
Steve Holme [Sun, 22 Sep 2013 10:03:18 +0000 (11:03 +0100)]
ftpserver.pl: Moved invalid RCPT TO: address detection to RCPT handler
Rather than detecting the TO address as missing in the DATA handler,
moved the detection to the RCPT command handler where an error response
can be generated.
Steve Holme [Sat, 21 Sep 2013 19:49:23 +0000 (20:49 +0100)]
ftpserver.pl: Moved cURL SMTP server detection into EHLO command handler
Moved the special SMTP server detection code from the DATA command
handler, which happens further down the operation chain after EHLO,
MAIL and RCPT commands, to the EHLO command as it is the first command
to be generated by a SMTP operation as well as containing the special
"verifiedserver" string from the URL.
This not only makes it easier and quicker to detect but also means that
cURL doesn't need to specify "verifiedserver" as --mail-from and
--mail-rcpt arguments.
More importantly, this also makes the upcoming verification changes to
the RCPT handler easier to implement.
Daniel Stenberg [Wed, 18 Sep 2013 21:03:30 +0000 (23:03 +0200)]
openssl: use correct port number in error message
In ossl_connect_step2() when the "Unknown SSL protocol error" occurs, it
would output the local port number instead of the remote one which
showed when doing SSL over a proxy (but with the correct remote host
name). As libcurl only speaks SSL to the remote we know it is the remote
port.
Bug: http://curl.haxx.se/bug/view.cgi?id=1281 Reported-by: Gordon Marler
Daniel Stenberg [Sat, 21 Sep 2013 18:43:39 +0000 (13:43 -0500)]
test1415: adjusted to work for 32bit time_t
The libcurl date parser returns INT_MAX for all dates > 2037 so this
test is now made to use 2037 instead of 2038 to work the same for both
32bit and 64bit time_t systems.
Steve Holme [Fri, 20 Sep 2013 20:56:34 +0000 (21:56 +0100)]
pop3: Added basic SASL XOAUTH2 support
Added the ability to use an XOAUTH2 bearer token [RFC6750] with POP3 for
authentication using RFC6749 "OAuth 2.0 Authorization Framework".
The bearer token is expected to be valid for the user specified in
conn->user. If CURLOPT_XOAUTH2_BEARER is defined and the connection has
an advertised auth mechanism of "XOAUTH2", the user and access token are
formatted as a base64 encoded string and sent to the server as
"AUTH XOAUTH2 <bearer token>".
Nick Zitzmann [Thu, 19 Sep 2013 22:28:54 +0000 (17:28 -0500)]
darwinssl: enable BEAST workaround on iOS 7 & later
iOS 7 finally added the option to enable 1/n-1 when using TLS 1.0
and a CBC cipher, so we now always turn that on unless the user
manually turns it off using CURLSSLOPT_ALLOW_BEAST.
It appears Apple also added some new PSK ciphers, but no interface to
use them yet, so we at least support printing them if we find them.
Steve Holme [Wed, 18 Sep 2013 17:04:26 +0000 (18:04 +0100)]
runtests.pl: Fixed smtp mail from address
Following changes to ftpserver.pl fixed the mail from address to be a
correctly formatted address otherwise the server response will be 501
Invalid address.
Steve Holme [Wed, 18 Sep 2013 06:16:53 +0000 (07:16 +0100)]
ftpserver.pl: Expanded the SMTP MAIL handler to validate messages
MAIl_smtp() will now check for a correctly formatted FROM address as
well as the optional SIZE parameter comparing it against the server
capability when specified.
Implement: Expired Cookies These following situation, curl removes
cookie(s) from struct CookieInfo if the cookie expired.
- Curl_cookie_add()
- Curl_cookie_getlist()
- cookie_output()
projects / curl / log