  1. Nov 24, 2016
    • proxy: Support HTTPS proxy and SOCKS+HTTP(s) · cb4e2be7
      Alex Rousskov authored
      * HTTPS proxies:
      
      An HTTPS proxy receives all transactions over an SSL/TLS connection.
      Once a secure connection with the proxy is established, the user agent
      uses the proxy as usual, including sending CONNECT requests to instruct
      the proxy to establish a [usually secure] TCP tunnel with an origin
      server. HTTPS proxies protect nearly all aspects of user-proxy
      communications as opposed to HTTP proxies that receive all requests
      (including CONNECT requests) in vulnerable clear text.
      
      With HTTPS proxies, it is possible to have two concurrent _nested_
      SSL/TLS sessions: the "outer" one between the user agent and the proxy
      and the "inner" one between the user agent and the origin server
      (through the proxy). This change adds support for such nested sessions
      as well.
      
      A secure connection with a proxy requires its own set of the usual SSL
      options (their actual descriptions differ and need polishing, see TODO):
      
        --proxy-cacert FILE        CA certificate to verify peer against
        --proxy-capath DIR         CA directory to verify peer against
        --proxy-cert CERT[:PASSWD] Client certificate file and password
        --proxy-cert-type TYPE     Certificate file type (DER/PEM/ENG)
        --proxy-ciphers LIST       SSL ciphers to use
        --proxy-crlfile FILE       Get a CRL list in PEM format from the file
        --proxy-insecure           Allow connections to proxies with bad certs
        --proxy-key KEY            Private key file name
        --proxy-key-type TYPE      Private key file type (DER/PEM/ENG)
        --proxy-pass PASS          Pass phrase for the private key
        --proxy-ssl-allow-beast    Allow security flaw to improve interop
        --proxy-sslv2              Use SSLv2
        --proxy-sslv3              Use SSLv3
        --proxy-tlsv1              Use TLSv1
        --proxy-tlsuser USER       TLS username
        --proxy-tlspassword STRING TLS password
        --proxy-tlsauthtype STRING TLS authentication type (default SRP)
      
      All --proxy-foo options are independent from their --foo counterparts,
      except --proxy-crlfile which defaults to --crlfile and --proxy-capath
      which defaults to --capath.
      
      Curl now also supports %{proxy_ssl_verify_result} --write-out variable,
      similar to the existing %{ssl_verify_result} variable.
      
      Supported backends: OpenSSL, GnuTLS, and NSS.
      
      * A SOCKS proxy + HTTP/HTTPS proxy combination:
      
      If both --socks* and --proxy options are given, Curl first connects to
      the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS
      proxy.
      
      TODO: Update documentation for the new APIs and --proxy-* options.
      Look for "Added in 7.XXX" marks.
  2. Nov 18, 2016
    • lib: fix compiler warnings after de4de4e3 · 21aa32d3
      Marcel Raad authored
      Visual C++ now complains about implicitly casting time_t (64-bit) to
      long (32-bit). Fix this by changing some variables from long to time_t,
      or explicitly casting to long where the public interface would be
      affected.
      
      Closes #1131
  3. Oct 18, 2016
    • select: switch to macros in uppercase · 8a6e89a9
      Daniel Stenberg authored
      Curl_select_ready() was the former API that was replaced with
      Curl_select_check() a while back and the former arg setup was provided
      with a define (in order to leave existing code unmodified).
      
      Now we instead offer SOCKET_READABLE and SOCKET_WRITABLE for the most
      common shortcuts where only one socket is checked. They're also more
      visibly macros.
  4. Oct 16, 2016
  5. Aug 30, 2016
  6. Aug 28, 2016
  7. Aug 21, 2016
  8. Jul 20, 2016
  9. Jun 22, 2016
  10. Jun 04, 2016
  11. May 08, 2016
    • connect: fix invalid "Network is unreachable" errors · ae8f6620
      Antonio Larrosa authored
      Sometimes, in systems with both ipv4 and ipv6 addresses but where the
      network doesn't support ipv6, Curl_is_connected returns an error
      (intermittently) even if the ipv4 socket connects successfully.
      
      This happens because there's a for-loop that iterates on the sockets but
      the error variable is not reset when the ipv4 is checked and is ok.
      
      This patch fixes this problem by setting error to 0 when checking the
      second socket and not having a result yet.
      
      Fixes #794
  12. Apr 29, 2016
    • lib: include curl_printf.h as one of the last headers · 4f45240b
      Daniel Stenberg authored
      curl_printf.h defines printf to curl_mprintf, etc. This can cause
      problems with external headers which may use
      __attribute__((format(printf, ...))) markers etc.
      
      To avoid that they cause problems with system includes, we include
      curl_printf.h after any system headers. That makes the three last
      headers to always be, and we keep them in this order:
      
       curl_printf.h
       curl_memory.h
       memdebug.h
      
      None of them include system headers, they all do funny #defines.
      
      Reported-by: David Benjamin
      
      Fixes #743
  13. Apr 19, 2016
  14. Apr 18, 2016
  15. Apr 17, 2016
  16. Mar 20, 2016
  17. Feb 04, 2016
  18. Feb 02, 2016
  19. Nov 16, 2015
  20. Sep 27, 2015
  21. Sep 26, 2015
  22. Aug 01, 2015
    • win32: Fix compilation warnings from commit 40c921f8 · 11ab3f89
      Steve Holme authored
      connect.c:953:5: warning: initializer element is not computable at load
                       time
      connect.c:953:5: warning: missing initializer for field 'dwMinorVersion'
                       of 'OSVERSIONINFOEX'
      curl_sspi.c:97:5: warning: initializer element is not computable at load
                        time
      curl_sspi.c:97:5: warning: missing initializer for field 'szCSDVersion'
                        of 'OSVERSIONINFOEX'
  23. Jul 22, 2015
  24. Jun 08, 2015
  25. May 12, 2015
  26. Mar 24, 2015
  27. Mar 23, 2015
  28. Mar 17, 2015
  29. Mar 16, 2015
    • connect: Fix happy eyeballs logic for IPv4-only builds · 059b3a57
      Jay Satiro authored
      Bug: https://github.com/bagder/curl/pull/168
      
      (trynextip)
      - Don't try the "other" protocol family unless IPv6 is available. In an
      IPv4-only build the other family can only be IPv6 which is unavailable.
      
      This change essentially stops IPv4-only builds from attempting the
      "happy eyeballs" secondary parallel connection that is supposed to be
      used by the "other" address family.
      
      Prior to this change in IPv4-only builds that secondary parallel
      connection attempt could be erroneously used by the same family (IPv4)
      which caused a bug where every address after the first for a host could
      be tried twice, often in parallel. This change fixes that bug. An
      example of the bug is shown below.
      
      Assume MTEST resolves to 3 addresses 127.0.0.2, 127.0.0.3 and 127.0.0.4:
      
      * STATE: INIT => CONNECT handle 0x64f4b0; line 1046 (connection #-5000)
      * Rebuilt URL to: http://MTEST/
      * Added connection 0. The cache now contains 1 members
      * STATE: CONNECT => WAITRESOLVE handle 0x64f4b0; line 1083
      (connection #0)
      *   Trying 127.0.0.2...
      * STATE: WAITRESOLVE => WAITCONNECT handle 0x64f4b0; line 1163
      (connection #0)
      *   Trying 127.0.0.3...
      * connect to 127.0.0.2 port 80 failed: Connection refused
      *   Trying 127.0.0.3...
      * connect to 127.0.0.3 port 80 failed: Connection refused
      *   Trying 127.0.0.4...
      * connect to 127.0.0.3 port 80 failed: Connection refused
      *   Trying 127.0.0.4...
      * connect to 127.0.0.4 port 80 failed: Connection refused
      * connect to 127.0.0.4 port 80 failed: Connection refused
      * Failed to connect to MTEST port 80: Connection refused
      * Closing connection 0
      * The cache now contains 0 members
      * Expire cleared
      curl: (7) Failed to connect to MTEST port 80: Connection refused
      
      The bug was born in commit bagder/curl@2d435c7.
  30. Mar 15, 2015
  31. Mar 07, 2015
  32. Mar 03, 2015
  33. Feb 23, 2015
  34. Jan 20, 2015
  35. Dec 27, 2014
  36. Dec 16, 2014
    • IPV6: address scope != scope id · 9081014c
      Patrick Monnerat authored
      There was a confusion between these: this commit tries to disambiguate them.
      - Scope can be computed from the address itself.
      - Scope id is scope dependent: it is currently defined as 1-based local
        interface index for link-local scoped addresses, and as a site index(?) for
        (obsolete) site-local addresses. Linux only supports it for link-local
        addresses.
      The URL parser properly parses a scope id as an interface index, but stores it
      in a field named "scope": confusion. The field has been renamed into "scope_id".
      Curl_if2ip() used the scope id as if it was a scope. This caused failures
      to bind to an interface.
      Scope is now computed from the addresses and Curl_if2ip() matches them.
      If redundantly specified in the URL, scope id is checked for mismatch with
      the interface index.
      
      This commit should fix SF bug #1451.