Commit Graph

1281 Commits

Author SHA1 Message Date
Okhin Vasilij
c6da05a5ec HTTPS-proxy: fixed mbedtls and polishing 2016-11-24 23:41:45 +01:00
Alex Rousskov
cb4e2be7c6 proxy: Support HTTPS proxy and SOCKS+HTTP(s)
* HTTPS proxies:

An HTTPS proxy receives all transactions over an SSL/TLS connection.
Once a secure connection with the proxy is established, the user agent
uses the proxy as usual, including sending CONNECT requests to instruct
the proxy to establish a [usually secure] TCP tunnel with an origin
server. HTTPS proxies protect nearly all aspects of user-proxy
communications as opposed to HTTP proxies that receive all requests
(including CONNECT requests) in vulnerable clear text.

With HTTPS proxies, it is possible to have two concurrent _nested_
SSL/TLS sessions: the "outer" one between the user agent and the proxy
and the "inner" one between the user agent and the origin server
(through the proxy). This change adds supports for such nested sessions
as well.

A secure connection with a proxy requires its own set of the usual SSL
options (their actual descriptions differ and need polishing, see TODO):

  --proxy-cacert FILE        CA certificate to verify peer against
  --proxy-capath DIR         CA directory to verify peer against
  --proxy-cert CERT[:PASSWD] Client certificate file and password
  --proxy-cert-type TYPE     Certificate file type (DER/PEM/ENG)
  --proxy-ciphers LIST       SSL ciphers to use
  --proxy-crlfile FILE       Get a CRL list in PEM format from the file
  --proxy-insecure           Allow connections to proxies with bad certs
  --proxy-key KEY            Private key file name
  --proxy-key-type TYPE      Private key file type (DER/PEM/ENG)
  --proxy-pass PASS          Pass phrase for the private key
  --proxy-ssl-allow-beast    Allow security flaw to improve interop
  --proxy-sslv2              Use SSLv2
  --proxy-sslv3              Use SSLv3
  --proxy-tlsv1              Use TLSv1
  --proxy-tlsuser USER       TLS username
  --proxy-tlspassword STRING TLS password
  --proxy-tlsauthtype STRING TLS authentication type (default SRP)

All --proxy-foo options are independent from their --foo counterparts,
except --proxy-crlfile which defaults to --crlfile and --proxy-capath
which defaults to --capath.

Curl now also supports %{proxy_ssl_verify_result} --write-out variable,
similar to the existing %{ssl_verify_result} variable.

Supported backends: OpenSSL, GnuTLS, and NSS.

* A SOCKS proxy + HTTP/HTTPS proxy combination:

If both --socks* and --proxy options are given, Curl first connects to
the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS
proxy.

TODO: Update documentation for the new APIs and --proxy-* options.
Look for "Added in 7.XXX" marks.
2016-11-24 23:41:44 +01:00
Kamil Dudka
cfd69c1339 docs: the next release will be 7.52.0 2016-11-15 12:21:00 +01:00
Daniel Stenberg
c2bc47ddb8 curl_formadd.3: *_FILECONTENT and *_FILE need the file to be kept
Reported-by: Frank Gevaerts
2016-11-08 15:28:04 +01:00
Kamil Dudka
6ad3add606 vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3
Fully implemented with the NSS backend only for now.

Reviewed-by: Ray Satiro
2016-11-07 11:52:07 +01:00
Daniel Stenberg
53e71e47d6 unescape: avoid integer overflow
CVE-2016-8622

Bug: https://curl.haxx.se/docs/adv_20161102H.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Jay Satiro
568037f6af CURLMOPT_MAX_PIPELINE_LENGTH.3: Clarify it's not for HTTP/2
- Clarify that this option is only for HTTP/1.1 pipelining.

Bug: https://github.com/curl/curl/issues/1059
Reported-by: Jeroen Ooms

Assisted-by: Daniel Stenberg
2016-10-27 23:15:41 -04:00
Daniel Stenberg
0f1996321f s/cURL/curl
The tool was never called cURL, only the project. But even so, we have
more and more over time switched to just use lower case.
2016-10-18 13:59:54 +02:00
Daniel Stenberg
358fd32820 dist: remove PDF and HTML converted docs from the releases 2016-10-10 23:33:13 +02:00
Rainer Müller
c271b1c29a CURLOPT_DEBUGFUNCTION.3: unused argument warning (#1056)
The 'userp' argument is unused in this example code.
2016-10-06 08:06:13 +02:00
Daniel Stenberg
15aefc6adc CURLOPT_KEEP_SENDING_ON_ERROR.3: mention when it is added 2016-10-04 23:46:45 +02:00
Michael Kaufmann
e9e5366193 New libcurl option to keep sending on error
Add the new option CURLOPT_KEEP_SENDING_ON_ERROR to control whether
sending the request body shall be completed when the server responds
early with an error status code.

This is suitable for manual NTLM authentication.

Reviewed-by: Jay Satiro

Closes https://github.com/curl/curl/pull/904
2016-09-22 22:22:31 +02:00
Jay Satiro
36e53ec6ff docs: Remove that --proto is just used for initial retrieval
.. and add that --proto-redir and CURLOPT_REDIR_PROTOCOLS do not
override protocols denied by --proto and CURLOPT_PROTOCOLS.

- Add a test to enforce: --proto deny must override --proto-redir allow

Closes https://github.com/curl/curl/pull/1031
2016-09-21 17:23:24 -04:00
Daniel Stenberg
aab94da619 curl_global_cleanup.3: don't unload the lib with sub threads running
Discussed in #997

Assisted-by: Jay Satiro
2016-09-20 23:00:52 +02:00
Jay Satiro
6ee9ea5e70 CURLOPT_PINNEDPUBLICKEY.3: fix the AVAILABILITY formatting 2016-09-18 17:56:35 -04:00
Jay Satiro
af2d679e14 errors: new alias CURLE_WEIRD_SERVER_REPLY (8)
Since we're using CURLE_FTP_WEIRD_SERVER_REPLY in imap, pop3 and smtp as
more of a generic "failed to parse" introduce an alias without FTP in
the name.

Closes https://github.com/curl/curl/pull/975
2016-09-07 21:24:27 -04:00
Olivier Brunel
4b86113f5e speed caps: not based on average speeds anymore
Speed limits (from CURLOPT_MAX_RECV_SPEED_LARGE &
CURLOPT_MAX_SEND_SPEED_LARGE) were applied simply by comparing limits
with the cumulative average speed of the entire transfer; While this
might work at times with good/constant connections, in other cases it
can result to the limits simply being "ignored" for more than "short
bursts" (as told in man page).

Consider a download that goes on much slower than the limit for some
time (because bandwidth is used elsewhere, server is slow, whatever the
reason), then once things get better, curl would simply ignore the limit
up until the average speed (since the beginning of the transfer) reached
the limit.  This could prove the limit useless to effectively avoid
using the entire bandwidth (at least for quite some time).

So instead, we now use a "moving starting point" as reference, and every
time at least as much as the limit as been transferred, we can reset
this starting point to the current position. This gets a good limiting
effect that applies to the "current speed" with instant reactivity (in
case of sudden speed burst).

Closes #971
2016-09-04 13:11:23 +02:00
Daniel Stenberg
4c44155cfe CURLMOPT_PIPELINING.3: language 2016-09-01 14:09:21 +02:00
Daniel Stenberg
a409b4b466 CURLMOPT_PIPELINING.3: extended and clarified
Especially in regards to the multiplexing part.
2016-09-01 14:08:01 +02:00
Nick Zitzmann
e171968ba3 darwinssl: add documentation stating that the --cainfo option is intended for backward compatibility only
In other news, I changed one other reference to "Mac OS X" in the documentation (that I previously wrote) to say "macOS" instead.
2016-08-28 16:46:59 -05:00
Daniel Stenberg
2497c42172 CURLMOPT_MAX_TOTAL_CONNECTIONS.3: mention it can also multiplex 2016-08-19 09:40:40 +02:00
Daniel Stenberg
84e45f4b3a CURLOPT_PROXY.3: unsupported schemes cause errors now
Follow-up to a96319ebb9 (document the new behavior)
2016-08-15 14:49:26 +02:00
Daniel Stenberg
85e63bcfc7 symbols-in-versions: add CURL_STRICTER
Added in 5fce88aa8c
2016-08-09 21:34:47 +02:00
Daniel Stenberg
4732ca5724 CURLOPT_TCP_NODELAY: now enabled by default
After a few wasted hours hunting down the reason for slowness during a
TLS handshake that turned out to be because of TCP_NODELAY not being
set, I think we have enough motivation to toggle the default for this
option. We now enable TCP_NODELAY by default and allow applications to
switch it off.

This also makes --tcp-nodelay unnecessary, but --no-tcp-nodelay can be
used to disable it.

Thanks-to: Tim Rühsen
Bug: https://curl.haxx.se/mail/lib-2016-06/0143.html
2016-08-05 00:12:57 +02:00
Kamil Dudka
8b9ba132f0 docs: distribute the CURLINFO_HTTP_VERSION(3) man page, too 2016-07-21 13:06:17 +02:00
Timothy Polich
16fe3f6b0a CURLMOPT_SOCKETFUNCTION.3: fix typo
Closes https://github.com/curl/curl/pull/914
2016-07-14 02:58:59 -04:00
Daniel Stenberg
306192ba55 curl_global_init.3: improved formatting of the flags 2016-06-29 16:00:46 +02:00
Daniel Stenberg
bbd99a277b curl_global_init.3: expand on the SSL and WIN32 bits purpose
Reported-by: Richard Gray
Bug: https://curl.haxx.se/mail/lib-2016-06/0136.html
2016-06-29 15:57:44 +02:00
Jay Satiro
f77dfbc5fb CURLOPT_POSTFIELDS.3: Clarify what happens when set empty
When CURLOPT_POSTFIELDS is set to an empty string libcurl will send a
zero-byte POST. Prior to this change it was documented as sending data
from the read callback.

This also changes the wording of what happens when empty or NULL so that
it's hopefully easier to understand for people whose primary language
isn't English.

Bug: https://github.com/curl/curl/issues/862
Reported-by: Askar Safin
2016-06-11 17:33:16 -04:00
Michael Wallner
929520582c curl_multi_socket_action.3: Fix rewording
- Remove some erroneous text.

Closes https://github.com/curl/curl/pull/865
2016-06-09 02:10:22 -04:00
Benjamin Kircher
873b4346ba libcurl-multi.3: fix small typo
Closes #850
2016-06-01 23:04:16 +02:00
Andrew Kurushin
6cabd78531 schannel: add CURLOPT_CERTINFO support
Closes #822
2016-06-01 08:50:01 +02:00
Frank Gevaerts
071c561394 http: add CURLINFO_HTTP_VERSION and %{http_version}
Adds access to the effectively used http version to both libcurl and
curl.

Closes #799
2016-05-30 22:58:51 +02:00
Jay Satiro
694c2dce25 curl_share_setopt.3: Add min ver needed for ssl session lock
Bug: https://github.com/curl/curl/issues/826
Reported-by: Michael Wallner
2016-05-29 16:27:44 -04:00
Alexander Traud
fd8d2a0f63 libcurl.m4: Avoid obsolete warning
Closes #821
2016-05-20 16:05:39 +02:00
Michael Kaufmann
53ae37088c CURLOPT_CONNECT_TO.3: user must not free the list prematurely
The connect-to list isn't copied so as long as the handle may be used
for a transfer the list must be valid.

Bug: https://github.com/curl/curl/pull/819
Reported-by: Michael Kaufmann
2016-05-20 00:14:38 -04:00
Jay Satiro
194b97b390 dist: include curl_multi_socket_all.3
Closes https://github.com/curl/curl/pull/816
2016-05-19 03:13:07 -04:00
Frank Gevaerts
5db313985e CURLOPT_RESOLVE.3: fix typo
Closes #811
2016-05-17 14:28:12 +02:00
Daniel Stenberg
ab5a68937b docs: CURLOPT_RESOLVE overrides CURLOPT_IPRESOLVE 2016-05-17 13:17:07 +02:00
Daniel Stenberg
d415bdb883 CURLOPT_HTTPPOST.3: the data needs to be around while in use 2016-05-17 11:08:10 +02:00
Jay Satiro
e1372418cd libcurl-tlibcurl-thread: Update OpenSSL links
Because the old OpenSSL link now redirects to their master documentation
(currently 1.1.0), which does not document the required actions for
OpenSSL <= 1.0.2.
2016-05-13 16:01:35 -04:00
Daniel Stenberg
5bf5f6ebfc libcurl-thread.3: openssl 1.1.0 is safe, and so is boringssl 2016-05-08 15:48:26 +02:00
Daniel Stenberg
dac8ce9558 docs: unified man page references to use \fI 2016-05-02 09:09:59 +02:00
Isaac Boukris
7987f5cb14 CURLOPT_ACCEPT_ENCODING.3: Follow-up clarification
Mention possible content-length mismatch with sum of bytes reported
by write callbacks when auto decoding is enabled.

See #785
2016-05-01 23:27:01 +02:00
Daniel Stenberg
6485d4ee9d CURLOPT_CONV_TO_NETWORK_FUNCTION.3: fix bad man page reference 2016-05-01 23:24:09 +02:00
Daniel Stenberg
ea8694da41 CURLOPT_BUFFERSIZE.3: fix reference to CURLOPT_MAX_RECV_SPEED_LARGE 2016-05-01 23:24:09 +02:00
Daniel Stenberg
ce7aa90ade curl_easy_pause.3: fix man page reference 2016-05-01 23:24:09 +02:00
Daniel Stenberg
aba4727533 opts: fix broken/bad references 2016-05-01 16:41:04 +02:00
Michael Kaufmann
6940f4b52a docs: fix bugs in CURLOPT_HTTP_VERSION.3 and CURLOPT_PIPEWAIT.3
Closes #786
2016-05-01 13:32:49 +02:00
Daniel Stenberg
ffd0e6193f CURLOPT_ACCEPT_ENCODING.3: clarified
As discussed in #785
2016-05-01 13:29:11 +02:00