- Implement new option CURLSSLOPT_REVOKE_BEST_EFFORT and
--ssl-revoke-best-effort to allow a "best effort" revocation check.
A best effort revocation check ignores errors that the revocation check
was unable to take place. The reasoning is described in detail below and
discussed further in the PR.
---
When running e.g. with Fiddler, the schannel backend fails with an
unhelpful error message:
Unknown error (0x80092012) - The revocation function was unable
to check revocation for the certificate.
Sadly, many enterprise users who are stuck behind MITM proxies suffer
the very same problem.
This has been discussed in plenty of issues:
https://github.com/curl/curl/issues/3727,
https://github.com/curl/curl/issues/264, for example.
In the latter, a Microsoft Edge developer even made the case that the
common behavior is to ignore issues when a certificate has no recorded
distribution point for revocation lists, or when the server is offline.
This is also known as "best effort" strategy and addresses the Fiddler
issue.
Unfortunately, this strategy was not chosen as the default for schannel
(and is therefore a backend-specific behavior: OpenSSL seems to happily
ignore the offline servers and missing distribution points).
To maintain backward-compatibility, we therefore add a new flag
(`CURLSSLOPT_REVOKE_BEST_EFFORT`) and a new option
(`--ssl-revoke-best-effort`) to select the new behavior.
Due to the many related issues Git for Windows and GitHub Desktop, the
plan is to make this behavior the default in these software packages.
The test 2070 was added to verify this behavior, adapted from 310.
Based-on-work-by: georgeok <giorgos.n.oikonomou@gmail.com> Co-authored-by: Markus Olsson <j.markus.olsson@gmail.com> Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Closes https://github.com/curl/curl/pull/4981
Daniel Stenberg [Sat, 8 Feb 2020 23:04:05 +0000 (00:04 +0100)]
test 970: verify --write-out '%{json}'
Makes curl_easy_getinfo() of "variable" numerical content instead return
the number set in the env variable `CURL_TIME`.
Makes curl_version() of "variable" textual content. This guarantees a
stable version string which can be tested against. Environment variable
`CURL_VERSION` defines the content.
Daniel Stenberg [Mon, 16 Mar 2020 08:33:27 +0000 (09:33 +0100)]
tool_operate: fix add_parallel_transfers when more are in queue
Trying to return early from the function if no new transfers were added
would break the "morep" argument and cause issues. This could lead to
zero content "transfers" (within quotes since they would never be
started) when parallel-max was reduced.
Reported-by: Gavin Wong Analyzed-by: Jay Satiro
Fixes #4937
Closes #5112
Daniel Stenberg [Tue, 10 Mar 2020 21:31:47 +0000 (22:31 +0100)]
transfer: cap retries of "dead connections" to 5
When libcurl retries a connection due to it being "seemingly dead" or by
REFUSED_STREAM, it will now only do it up five times before giving up,
to avoid never-ending loops.
Marc Hoersken [Sun, 15 Mar 2020 09:01:38 +0000 (10:01 +0100)]
tests: remove python_dependencies for smbserver from our tree
Users of the SMB tests will have to install impacket manually.
Reasoning: our in-tree version of impacket was quite outdated
and only compatible with Python 2 which is already end-of-life.
Upgrading to Python 3 and a compatible impacket version would
require to import additional Python-only and CPython-extension
dependencies. This would have hindered portability enormously.
Jay Satiro [Sat, 14 Mar 2020 06:19:04 +0000 (02:19 -0400)]
easy: Fix curl_easy_duphandle for builds missing IPv6 that use c-ares
- Ignore CURLE_NOT_BUILT_IN errors returned by c-ares functions in
curl_easy_duphandle.
Prior to this change if c-ares was used as the resolver backend and
either it was too old or libcurl was built without IPv6 support then
some of our resolver functions could return CURLE_NOT_BUILT_IN to
curl_easy_duphandle causing it to fail.
Daniel Stenberg [Tue, 10 Mar 2020 16:47:44 +0000 (17:47 +0100)]
server/getpart: make the "XML-parser" stricter
When extracting a <section> <part> and there's no </part> before
</section>, this now outputs an error and returns a wrong string to
make users spot the mistake.
In bmake, if the directory is changed (with cd or anything else), bmake
won't return to the "root directory" on the next command (in the same
Makefile rule). This commit runs the cd command in a subshell so it
would work in bmake.
Daniel Stenberg [Tue, 10 Mar 2020 12:55:44 +0000 (13:55 +0100)]
configure: fix -pedantic-errors for GCC 5 and later
If --enable-werror is used.
Follow-up to d5c0351055d5709da which added it too early in the configure
script before $compiler_num was set correctly and thus this option was
never used.
Daniel Stenberg [Tue, 10 Mar 2020 13:37:43 +0000 (14:37 +0100)]
configure: document 'compiler_num' for gcc
The CURL_CHECK_COMPILER_GNU_C function sets the number to MAJOR*100 +
MINOR and ignores the patch version, and since gcc version 7 it only
sets it to MAJOR*100.
Patrick Monnerat [Tue, 28 Jan 2020 10:56:41 +0000 (11:56 +0100)]
silly web server: silent a compilation warning
Recent gcc warns when byte count of strncpy() equals the destination
buffer size. Since the destination buffer is previously cleared and
the source string is always shorter, reducing the byte count by one
silents the warning without affecting the result.
Daniel Stenberg [Sat, 7 Mar 2020 12:37:50 +0000 (13:37 +0100)]
lib1564: reduce number of mid-wait wakeup calls
This test does A LOT of *wakeup() calls and then calls curl_multi_poll()
twice. The first *poll() is then expected to return early and the second
not - as the first is supposed to drain the socketpair pipe.
It turns out however that when given "excessive" amounts of writes to
the pipe, some operating systems (the Solaris based are known) will
return EAGAIN before the pipe is drained, which in our test case causes
the second *poll() call to also abort early.
This change attempts to avoid the OS-specific behaviors in the test by
reducing the amount of wakeup calls from 1234567 to 10.
Reported-by: Andy Fiddaman
Fixes #5037
Closes #5058
Input buffer filling may delay the data sending if data reads are slow.
To overcome this problem, file and callback data reads do not accumulate
in buffer anymore. All other data (memory data and mime framing) are
considered as fast and still concatenated in buffer.
As this may highly impact performance in terms of data overhead, an early
end of part data check is added to spare a read call.
When encoding a part's data, an encoder may require more bytes than made
available by a single read. In this case, the above rule does not apply
and reads are performed until the encoder is able to deliver some data.
Tests 643, 644, 645, 650 and 654 have been adapted to the output data
changes, with test data size reduced to avoid the boredom of long lists of
1-byte chunks in verification data.
New test 667 checks mimepost using single-byte read callback with encoder.
New test 668 checks the end of part data early detection.
In case a read callback returns a status (pause, abort, eof,
error) instead of a byte count, drain the bytes read so far but
remember this status for further processing.
Takes care of not losing data when pausing, and properly resume a
paused mime structure when requested.
New tests 670-673 check unpausing cases, with easy or multi
interface and mime or form api.
Jay Satiro [Sun, 23 Feb 2020 23:37:09 +0000 (18:37 -0500)]
libssh: Fix matching user-specified MD5 hex key
Prior to this change a match would never be successful because it
was mistakenly coded to compare binary data from libssh to a
user-specified hex string (ie CURLOPT_SSH_HOST_PUBLIC_KEY_MD5).
Jay Satiro [Fri, 6 Mar 2020 04:35:32 +0000 (23:35 -0500)]
multi: skip EINTR check on wakeup socket if it was closed
- Don't check errno on wakeup socket if sread returned 0 since sread
doesn't set errno in that case.
This is a follow-up to cf7760a from several days ago which fixed
Curl_multi_wait to stop busy looping sread on the non-blocking wakeup
socket if it was closed (ie sread returns 0). Due to a logic error it
was still possible to busy loop in that case if errno == EINTR.
Jay Satiro [Tue, 3 Mar 2020 05:25:44 +0000 (00:25 -0500)]
cmake: Show HTTPS-proxy in the features output
- Show HTTPS-proxy in the features output for those backends that
support it: OpenSSL, GnuTLS and NSS.
Prior to this change HTTPS-proxy was missing from the cmake features
output even if curl was built with it. Only cmake output was affected.
Both the library and tool correctly reported the feature.
Bug: https://curl.haxx.se/mail/lib-2020-03/0008.html Reported-by: David Lopes
Closes https://github.com/curl/curl/pull/5025
projects / thirdparty / curl.git / log
