  1. Apr 18, 2018
    • schannel: add support for CURLOPT_CAINFO · 89963002
      Dan McNulty authored
      - Move verify_certificate functionality in schannel.c into a new
        file called schannel_verify.c. Additionally, some structure definitions
        from schannel.c have been moved to schannel.h to allow them to be
        used in schannel_verify.c.
      
      - Make verify_certificate functionality for Schannel available on
        all versions of Windows instead of just Windows CE. verify_certificate
        will be invoked on Windows CE or when the user specifies
        CURLOPT_CAINFO and CURLOPT_SSL_VERIFYPEER.
      
      - In verify_certificate, create a custom certificate chain engine that
        exclusively trusts the certificate store backed by the CURLOPT_CAINFO
        file.
      
      - doc updates of --cacert/CAINFO support for schannel
      
      - Use CERT_NAME_SEARCH_ALL_NAMES_FLAG when invoking CertGetNameString
        when available. This implements a TODO in schannel.c to improve
        handling of multiple SANs in a certificate. In particular, all SANs
        will now be searched instead of just the first name.
      
      - Update tool_operate.c to not search for the curl-ca-bundle.crt file
        when using Schannel to maintain backward compatibility. Previously,
        any curl-ca-bundle.crt file found in that search would have been
        ignored by Schannel. But, with CAINFO support, the file found by
        that search would have been used as the certificate store and
        could cause issues for any users that have curl-ca-bundle.crt in
        the search path.
      
      - Update url.c to not set the build time CURL_CA_BUNDLE if the selected
        SSL backend is Schannel. We allow setting CA location for schannel
        only when explicitly specified by the user via CURLOPT_CAINFO /
        --cacert.
      
      - Add new test cases 3000 and 3001. These test cases check that the first
        and last SAN, respectively, matches the connection hostname. New test
        certificates have been added for these cases. For 3000, the certificate
        prefix is Server-localhost-firstSAN and for 3001, the certificate
        prefix is Server-localhost-secondSAN.
      
      - Remove TODO 15.2 (Add support for custom server certificate
        validation), this commit addresses it.
      
      Closes https://github.com/curl/curl/pull/1325
  2. Apr 17, 2018
    • schannel: fix warning · 4d660fdc
      Jay Satiro authored
      - Fix warning 'integer from pointer without a cast' on 3rd arg in
        CertOpenStore. The arg type HCRYPTPROV may be a pointer or integer
        type of the same size.
      
      Follow-up to e35b0256.
      
      Caught by Marc's CI builds.
    • docs: fix typos · 24e83558
      Jakub Wilk authored
      Closes https://github.com/curl/curl/pull/2503
    • RELEASE-NOTES: synced · ba48863e
      Daniel Stenberg authored
    • winbuild: Support custom devel paths for each dependency · 79216594
      Kees Dekker authored
      - Support custom devel paths for c-ares, mbedTLS, nghttp2, libSSH2,
        OpenSSL and zlib. Respectively: CARES_PATH, MBEDTLS_PATH,
        NGHTTP2_PATH, SSH2_PATH, SSL_PATH and ZLIB_PATH.
      
      - Use lib.exe for making the static library instead of link.exe /lib.
        The latter is undocumented and could cause problems as noted in the
        comments.
      
      - Remove a dangling URL that no longer worked. (I was not able to find
        the IDN download at MSDN/microsoft.com, so it seems to be removed.)
      
      - Remove custom override for release-ssh2-ssl-dll-zlib configuration.
        Nobody knows why it was there and as far as we can see it is unnecessary.
      
      Closes https://github.com/curl/curl/pull/2474
  3. Apr 16, 2018
  4. Apr 15, 2018
  5. Apr 12, 2018
  6. Apr 11, 2018
  7. Apr 10, 2018
  8. Apr 09, 2018
  9. Apr 08, 2018
  10. Apr 07, 2018
  11. Apr 06, 2018
    • hash: calculate sizes with size_t instead of longs · dd03e8c2
      Daniel Stenberg authored
      ... since they return size_t anyway!
      
      closes #2462
    • RELEASE-NOTES: synced · 67bd4ab1
      Daniel Stenberg authored
    • build-openssl.bat: Refer to VS2017 as VC14.1 instead of VC15 · 222de37f
      Jay Satiro authored
      .. and do the same for build-wolfssl.bat.
      
      Because MS calls it VC14.1.
      
      Closes https://github.com/curl/curl/pull/2189
    • winbuild: make the clean target work without build-type · 85850265
      Kees Dekker authored
      Due to the check in Makefile.vc and MakefileBuild.vc, no make call can
      be invoked unless a build-type was specified. However, a clean target
      only existed when a build type was specified. As a result, the clean
      target was unreachable. Made clean target unconditional.
      
      Closes #2455
    • build-openssl.bat: allow custom paths for VS and perl · a65a75e9
      patelvivekv1993 authored
      Fixes #2430
      Closes #2457
    • FTP: allow PASV on IPv6 connections when a proxy is being used · 5f3938bc
      Laurie Clark-Michalek authored
      In the situation of a client connecting to an FTP server using an IPv6
      tunnel proxy, the connection info will indicate that the connection is
      IPv6. However, because the server behind the proxy is IPv4, it is
      permissible to attempt PSV mode. In the case of the FTP server being
      IPv4 only, EPSV will always fail, and with the current logic curl will
      be unable to connect to the server, as the IPv6 fwdproxy causes curl to
      think that EPSV is impossible.
      
      Closes #2432
    • file: restore old behavior for file:////foo/bar URLs · 695e96b3
      Jon DeVree authored
      curl 7.57.0 and up interpret this according to Appendix E.3.2 of RFC
      8089 but then return an error saying this is unimplemented. This is
      actually a regression in behavior on both Windows and Unix.
      
      Before curl 7.57.0 this URL was treated as a path of "//foo/bar" and
      then passed to the relevant OS API. This means that the behavior of this
      case is actually OS dependent.
      
      The Unix path resolution rules say that the OS must handle swallowing
      the extra "/" and so this path is the same as "/foo/bar".
      
      The Windows path resolution rules say that this is a UNC path and
      automatically handles the SMB access for the program. So curl on Windows
      was already doing Appendix E.3.2 without any special code in curl.
      
      Regression
      
      Closes #2438
    • Revert "openssl: Don't add verify locations when verifypeer==0" · 2536e245
      Gaurav Malhotra authored
      This reverts commit dc854377.
      
      libcurl (with the OpenSSL backend) performs server certificate verification
      even if verifypeer == 0 and the verification result is available using
      CURLINFO_SSL_VERIFYRESULT. The commit that is being reverted caused the
      CURLINFO_SSL_VERIFYRESULT to not have useful information for the
      verifypeer == 0 use case (it would always have
      X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY).
      
      Closes #2451