  1. Nov 06, 2012
    • CURLOPT_SSL_VERIFYHOST: stop supporting the 1 value · da82f59b
      Daniel Stenberg authored
      After a research team wrote a document[1] that found several live source
      codes out there in the wild that misused the CURLOPT_SSL_VERIFYHOST
      option thinking it was a boolean, this change now bans 1 as a value and
      will make libcurl return error for it.
      
      1 was never a sensible value to use in production but was introduced
      back in the days to help debugging. It was always documented clearly
      this way.
      
      1 was never supported by all SSL backends in libcurl, so this cleanup
      makes the treatment of it unified.
      
      The report's list of mistakes for this option were all PHP code and
      while there's a binding layer between libcurl and PHP, the PHP team has
      decided that they have an as thin layer as possible on top of libcurl so
      they will not alter or specifically filter a 'TRUE' value for this
      particular option. I sympathize with that position.
      
      [1] = http://daniel.haxx.se/blog/2012/10/25/libcurl-claimed-to-be-dangerous/
  2. Sep 11, 2012
  3. Aug 10, 2012
  4. Aug 09, 2012
  5. Jun 28, 2012
  6. Jun 26, 2012
  7. May 28, 2012
  8. May 25, 2012
  9. Apr 16, 2012
  10. Apr 13, 2012
  11. Feb 09, 2012
  12. Oct 17, 2011
  13. Sep 03, 2011
  14. Aug 15, 2011
  15. Jul 26, 2011
  16. Apr 27, 2011
  17. Apr 19, 2011
  18. Apr 08, 2011
  19. Apr 04, 2011
  20. Mar 15, 2011
    • nss: do not ignore value of CURLOPT_SSL_VERIFYPEER · 806dbb02
      Kamil Dudka authored
      When NSS-powered libcurl connected to an SSL server with
      CURLOPT_SSL_VERIFYPEER equal to zero, NSS remembered that the peer
      certificate was accepted by libcurl and did not ask the second time when
      connecting to the same server with CURLOPT_SSL_VERIFYPEER equal to one.
      
      This patch turns off the SSL session cache for the particular SSL socket
      if peer verification is disabled.  In order to avoid any performance
      impact, the peer verification is completely skipped in that case, which
      makes it even faster than before.
      
      Bug: https://bugzilla.redhat.com/678580
  21. Feb 22, 2011
  22. Feb 17, 2011
  23. Feb 16, 2011
  24. Jan 27, 2011
  25. Jan 18, 2011
  26. Jan 04, 2011
  27. Jan 02, 2011
  28. Jun 30, 2010
    • http_ntlm: add support for NSS · f3b77e56
      Kamil Dudka authored
      When configured with '--without-ssl --with-nss', NTLM authentication
      now uses NSS crypto library for MD5 and DES.  For MD4 we have a local
      implementation in that case.  More details are available at
      https://bugzilla.redhat.com/603783
      
      In order to get it working, curl_global_init() must be called with
      CURL_GLOBAL_SSL or CURL_GLOBAL_ALL.  That's necessary because NSS needs
      to be initialized globally and we do so only when the NSS library is
      actually required by protocol.  The mentioned call of curl_global_init()
      is responsible for creating the initialization mutex.
      
      The NSS initialization scenario was also slightly changed, in
      particular, loading of the NSS PEM module.  It used to be loaded always
      right after the NSS library was initialized.  Now the library is
      initialized as soon as any SSL or NTLM is required, while the PEM module
      is prevented from being loaded until the SSL is actually required.
  29. May 11, 2010