Skip to content
  1. Dec 14, 2012
  3. Dec 03, 2012
    • Kamil Dudka's avatar
      nss: prevent NSS from crashing on client auth hook failure · 68d2830e
      Kamil Dudka authored 
      Although it is not explicitly stated in the documentation, NSS uses
*pRetCert and *pRetKey even if the client authentication hook returns
a failure.  Namely, if we destroy *pRetCert without clearing *pRetCert
afterwards, NSS destroys the certificate once again, which causes a
double free.

Reported by: Bob Relyea
      68d2830e
  5. Nov 06, 2012
    • Daniel Stenberg's avatar
      CURLOPT_SSL_VERIFYHOST: stop supporting the 1 value · da82f59b
      Daniel Stenberg authored 
      After a research team wrote a document[1] that found several live source
codes out there in the wild that misused the CURLOPT_SSL_VERIFYHOST
option thinking it was a boolean, this change now bans 1 as a value and
will make libcurl return error for it.

1 was never a sensible value to use in production but was introduced
back in the days to help debugging. It was always documented clearly
this way.

1 was never supported by all SSL backends in libcurl, so this cleanup
makes the treatment of it unified.

The report's list of mistakes for this option were all PHP code and
while there's a binding layer between libcurl and PHP, the PHP team has
decided that they have an as thin layer as possible on top of libcurl so
they will not alter or specifically filter a 'TRUE' value for this
particular option. I sympathize with that position.

[1] = http://daniel.haxx.se/blog/2012/10/25/libcurl-claimed-to-be-dangerous/
      da82f59b
  7. Sep 11, 2012
  9. Aug 10, 2012
  11. Aug 09, 2012
  13. Jun 28, 2012
  15. Jun 26, 2012
  17. May 28, 2012
  19. May 25, 2012
  21. Apr 16, 2012
  23. Apr 13, 2012
  25. Feb 09, 2012
  27. Oct 17, 2011
  29. Sep 03, 2011
  31. Aug 15, 2011
  33. Jul 26, 2011
  35. Apr 27, 2011
  37. Apr 19, 2011
  39. Apr 08, 2011
  41. Apr 04, 2011
  43. Mar 15, 2011
    • Kamil Dudka's avatar
      nss: do not ignore value of CURLOPT_SSL_VERIFYPEER · 806dbb02
      Kamil Dudka authored 
      When NSS-powered libcurl connected to a SSL server with
CURLOPT_SSL_VERIFYPEER equal to zero, NSS remembered that the peer
certificate was accepted by libcurl and did not ask the second time when
connecting to the same server with CURLOPT_SSL_VERIFYPEER equal to one.

This patch turns off the SSL session cache for the particular SSL socket
if peer verification is disabled.  In order to avoid any performance
impact, the peer verification is completely skipped in that case, which
makes it even faster than before.

Bug: https://bugzilla.redhat.com/678580
      806dbb02
  45. Feb 22, 2011
  47. Feb 17, 2011
  49. Feb 16, 2011
  51. Jan 27, 2011
  53. Jan 18, 2011
  55. Jan 04, 2011
  57. Jan 02, 2011
  59. Jun 30, 2010
    • Kamil Dudka's avatar
      http_ntlm: add support for NSS · f3b77e56
      Kamil Dudka authored 
      When configured with '--without-ssl --with-nss', NTLM authentication
now uses NSS crypto library for MD5 and DES.  For MD4 we have a local
implementation in that case.  More details are available at
https://bugzilla.redhat.com/603783

In order to get it working, curl_global_init() must be called with
CURL_GLOBAL_SSL or CURL_GLOBAL_ALL.  That's necessary because NSS needs
to be initialized globally and we do so only when the NSS library is
actually required by protocol.  The mentioned call of curl_global_init()
is responsible for creating of the initialization mutex.

There was also slightly changed the NSS initialization scenario, in
particular, loading of the NSS PEM module.  It used to be loaded always
right after the NSS library was initialized.  Now the library is
initialized as soon as any SSL or NTLM is required, while the PEM module
is prevented from being loaded until the SSL is actually required.
      f3b77e56
  61. May 11, 2010