TLS False Start support requires iOS 7.0 or later, or OS X 10.9 or later.

Coverity CID 1291167 pointed out that 'rc' was received but never used when
gnutls_credentials_set() was used. Added return code check now.

Coverity CID 1291165 pointed out 'chainp' could be dereferenced when
NULL if gnutls_certificate_get_peers() had previously failed.

Coverity CID 1291166 pointed out that we could read this variable
uninitialized.

This option can be used to enable/disable TLS False Start defined in the RFC
draft-bmoeller-tls-falsestart.

... if disabled at libcurl level.  Otherwise, we would allow to
negotiate NPN despite curl was invoked with the --no-npn option.

The function "free" is documented in the way that no action shall occur for
a passed null pointer. It is therefore not needed that a function caller
repeats a corresponding check.
http://stackoverflow.com/questions/18775608/free-a-null-pointer-anyway-or-check-first



This issue was fixed by using the software Coccinelle 1.0.0-rc24.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>

While the previous string worked, this is the documented format.

Reported-by: Richard Moore

This makes curl pick better (stronger) ciphers by default. The strongest
available ciphers are fine according to the HTTP/2 spec so an OpenSSL
built curl is no longer rejected by string HTTP/2 servers.

Bug: http://curl.haxx.se/bug/view.cgi?id=1487

Instead of priting cipher and MAC algorithms names separately, print the
whole cipher suite string which also includes the key exchange algorithm,
along with the negotiated TLS version.

Since they already exist and will make comparing easier

SSLeay was the name of the library that was subsequently turned into
OpenSSL many moons ago (1999). curl does not work with the old SSLeay
library since years. This is now reflected by only using USE_OPENSSL in
code that depends on OpenSSL.

No need to use _MPRINTF_REPLACE internally.

In that case, we only skip writing the error message for failed NSS
initialization (while still returning the correct error code).

The vtls layer now checks the return value, so it is no longer necessary
to abort if a random number cannot be provided by NSS.  This also fixes
the following Coverity report:

Error: FORWARD_NULL (CWE-476):
lib/vtls/nss.c:1918: var_compare_op: Comparing "data" to null implies that "data" might be null.
lib/vtls/nss.c:1923: var_deref_model: Passing null pointer "data" to "Curl_failf", which dereferences it.
lib/sendf.c:154:3: deref_parm: Directly dereferencing parameter "data".

Correctly check for memcmp() return value (it returns 0 if the strings match).

This is not really important, since curl is going to use http/1.1 anyway, but
it's still a bug I guess.

Correctly check for strncmp() return value (it returns 0 if the strings
match).

lib/vtls/openssl.c:1450:7: warning: extra tokens at end of #endif directive

For consistency with other conditionally compiled code in openssl.c,
use OPENSSL_IS_BORINGSSL rather than HAVE_BORINGSSL and try to use
HAVE_BORINGSSL outside of openssl.c when the OpenSSL header files are
not included.

Versions of OpenSSL prior to v0.9.8h do not support the necessary
functions for OCSP stapling.