- reverse order of haproxy and final ssl cfilter
- make haproxy avaiable on PROXY builds, independent of HTTP support as
it can be used with any protocol.
Reported-by: Sergio-IME on github
Fixes#10165Closes#10167
Fix the defaults for `WOLFSSL_PATH` and `MBEDTLS_PATH` to have
meaningful values instead of the copy-pasted wrong ones.
Ref: 66e68ca47f (r94275172)
Reported-by: Ryan Schmidt
Closes#10164
Because this is the cmake version (released in November 2016) that
introduced GREATER_EQUAL, which is used already.
Reported-by: nick-telia on github
Fixes#10128Closes#10161
When there are filters addded for both socket and SSL, the code
previously checked the SSL sockets during connect when it *should* first
check the socket layer until that has connected.
Fixes#10157Fixes#10146Closes#10160
Reviewed-by: Stefan Eissing
As is supported by recent libssh2, but should just be ignored by older
versions.
Reported-by: norbertmm on github
Assisted-by: norbertmm on github
Fixes#10143Closes#10145
As expressions can have side effects, evaluate only once.
To enable deprecation reporting only once, get rid of the __typeof__
use to define the local temporary variable and use the target type
(CURLoption/CURLINFO). This also avoids multiple reports on type
conflicts (if some) by the curlcheck_* macros.
Note that CURLOPT_* and CURLINFO_* symbols may be deprecated, but not
their values: a curl_easy_setopt call with an integer constant as option
will never report a deprecation.
Reported-by: Thomas Klausner
Fixes#10148Closes#10149
The SHA-1 algorithm is deprecated (particularly for security-sensitive
applications) in a variety of OS environments. This already affects
RHEL-9 and derivatives, which are not willing to use certificates using
that algorithm. The fix is to use sha256 instead, which is already used
for most of the other certificates in the test suite.
Fixes#10135
This gets rid of issues related to sha1 signatures.
Manual steps after "make clean-certs" and "make build-certs":
- Copy tests/certs/stunnel-sv.pem to tests/stunnel.pem
(make clean-certs does not remove the original tests/stunnel.pem)
- Copy tests/certs/Server-localhost-sv.pubkey-pinned into --pinnedpubkey
options of tests/data/test2041 and tests/data/test2087
Closes#10153
I haven't had the time to check other configurations, but on my macOS
Ventura 13.1 with XCode 14.2 cmake does not find `snprintf`.
Solution: ensure stdio.h is checked for definitions
Closes#10155
The message "Mark bundle as not supporting multiuse" was added at commit
29364d93 when an http/2-related bug was fixed, and it appears to be a
leftover trace message.
This message should be removed because:
* it conveys no information to the user
* it is enabled in the default build (--enable-verbose)
* it reads like a warning/unexpected condition
* it is equivalent to "Detected http proto < 2", which is
not a useful message.
* it is a time-wasting red-herring for anyone who encounters
it for the first time while investigating some other, real
problem.
This commit removes the trace message "Mark bundle as not
supporting multiuse"
Closes#10159
- source_quote, source_prequote and source_postquote have not been used since
5e0d9aea3; September 2006
- make several fields conditional on proxy support
- make three quote struct fields conditional on FTP || SSH
- make 'mime_options' depend on MIME
- make trailer_* fields depend on HTTP
- change 'gssapi_delegation' from long to unsigned char
- make 'localportrange' unsigned short instead of int
- conn->trailer now depends on HTTP
Closes#10147
The cookiefile entries are set into the handle and should remain set for
the lifetime of the handle so that duplicating it also duplicates the
list. Therefore, the struct field is moved from 'state' to 'set'.
Fixes#10133Closes#10134
When checking if there is a "secure context", which it is if the
connection is to localhost even if the protocol is HTTP, the comparison
for ::1 was done incorrectly and included brackets.
Reported-by: BratSinot on github
Fixes#10120Closes#10121
Otherwise it stores the info HSTS into the persistent cache for the IDN
name which will not match when the HSTS status is later checked for
using the decoded name.
Reported-by: Hiroki Kurosawa
Closes#10111
