On 30/11/13 10:41, Daniel Stenberg wrote:
CVE-2013-4545 is a real if even rather minuscule risk to a small set of
programs. In fact I only know of one that is affected.
I now (better) understand the motivations for the change. I personally
rate this as a security through obscurity solution
On 29-11-13 22:44, Daniel Stenberg wrote:
On Fri, 29 Nov 2013, Marc Deslauriers wrote:
I was just looking at the patch for CVE-2013-4545
(http://curl.haxx.se/docs/adv_20131115.html), and I believe the GnuTLS
backend has the same problem.
The CVE ticket states:
cURL and libcurl 7.18.0
Arun Victor avic...@flexerasoftware.com wrote:
Hi all,
I've built libcurl with Darwin SSL (configured with the
'--with-darwinssl' option). The sunny-day scenarios of using trusted
certificates works just fine. Problem is that it does not seem to
recognize self-signed certificates - I get a
On 30-07-13 10:57, Ryan wrote:
I am curious whether it's my wrong usage with CURLFORM_FILECONTENT option, or
it's caused by other reason? Could anyone help and share the insight?
Thanks a lot!
Hi Ryan,
Did you see this example:
http://curl.haxx.se/libcurl/c/curl_formadd.html
I don't
On 24-07-13 11:11, Indtiny s wrote:
Hi,
I have added AES_CCM cipher suite support to the openssl and tested with
curl client with Nginx web server .
It works well when I tested on the PC , then I cross compiled openssl and
curl for ARM and tried to run curl client application from the
On 12-07-13 21:54, Dan Fandrich wrote:
On Fri, Jul 12, 2013 at 05:33:26PM +0200, Patrick Monnerat wrote:
Please find a big patch in attachment:
I've taken a look at the code and I've spotted a problem in the reuse of
the variable 'i' in the function Curl_verifyhost():
The result of
On 27-06-13 17:23, narayanan manikandan wrote:
Hi,
we have an application which supports both Mac and Win OS. The underlying
code for HTTP/HTTPS transfer written using libcurl is common for both
operating system.
We are running extensively the application on windows (stress test) and we
On 27-06-13 19:06, narayanan manikandan wrote:
Thank you for your suggestion.
I will build my libcurl local version to use darwin ssl.
I have a question.
My application is built as 32 bit. So should i need to build my libcurl just
for i386 or i need to make it multi architecture
On 07-06-13 16:09, Aleksey Tulinov wrote:
I've noticed that cURL changed behavior in 7.29 regarding axTLS
support. Before it was ignoring invalid certificates as requested, but
in 7.29 it gives subjectAltName(s) do not match %s error and ignores
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST,
On 06-05-13 06:19, Indtiny s wrote:
Hi,
I have compiled libcurl with openssl for enabling https . Now I need to
validate the Server certificates .
When server sends a self-signed certificate in Server hello, Client should
detect and reject the certificate if the certificate is self signed
Taiki ta...@rakshata.com wrote:
Hello,
I'm looking for a way to inject a certificate to libcURL.
I'm actually using CURLOPT_CAINFO but I've to create the file, then use
it, then delete it and I would rather like to use
CURLOPT_SSL_CTX_FUNCTION.
My problem is that the example available use
On 26-03-13 22:31, Daniel Stenberg wrote:
Now, more than six years later, Linus Nielsen Feltzing (a colleague and
friend at Haxx) strikes back with a much improved and almost completely
revamped HTTP pipelining support (merged into master just hours before the
new-feature window closed for
On 27-03-13 11:16, Patrick Monnerat wrote:
Hi friends,
I'm currently writing yet another SSL backend for the OS/400: GSKit.
Unlike Qssl, it will support multiple SSL environments, non-blocking
connects, host certificate verification and (limited) certificate
information retrieval.
I'm
On 17-03-13 01:32, cnm marketing wrote:
Service layer - a daemon/service, it also contains many libraries (i.e.
*.so on Linux), this layer use bsafe ssl, as well as openssl, this layer
has its own bsafe and openssl libraries come with this layer.
Mental note #1:
Ok, you have openssl and bsafe
On 16-03-13 12:33, cnm marketing wrote:
Thanks for the suggestion Oscar!
We are still doing research on the link
http://comments.gmane.org/gmane.comp.encryption.openssl.user/43777
provided by Daniel, because it invokes other groups' work, it will
take a while.
Head down to the error
On 16-03-13 22:16, cnm marketing wrote:
We'll try your way and Yang's way to debug and see what the data looks
like in the openssl layer.
Yes, a bottom up debugging approach might give the insight you need
here. But... I'm trying to understand your problem in your
application... and I feel this
On 15-03-13 15:44, cnm marketing wrote:
How that can be? Does libcurl also use openssl?
libcurl is able to use 9 different SSL implementation as its SSL library
for SSL connections. And yes, OpenSSL is one of them.
From my code, I only invoke libcurl routines. Again the following
output are
On 15-03-13 21:26, cnm marketing wrote:
/error:0506706E:Diffie-Hellman routines:GENERATE_KEY:key size too small /
libcurl does not fool around with certificate contents nor keys.
[cnm] libcurl uses openssl, that error message comes from openssl.
The problem is in the certificate you are using
On 06-03-13 13:34, Daniel Stenberg wrote:
Hi,
As a result of the last security vulnerability we had, I'm adding new
code to checksrc that will alert us on uses of (v)sprintf, strcat and
gets in the code base.
This is meant to be an additional tool to help us detect unsafe code
easier,
Patrick Monnerat patrick.monne...@datasphere.ch wrote:
Oscar Koeroo wrote:
count = snprintf(NULL, 0, myformat);
buf = malloc(count);
snprintf(buf, count, myformat);
I would use:
count = snprintf(NULL, 0, myformat) + 1;
to include nul-terminator...
I defend my obvious and stupid
John E. Malmberg wb8...@qsl.net wrote:
I finally got curl to build correctly on ALPHA, VAX, IA64, using both
GNV (GNU on VMS tool chain) and using the native VMS tools.
Hi,
do you have access to QsoSSL, its API and/or API docs? There is still an
unresolved issue with that regarding
On 20-01-13 13:17, Michael Barton wrote:
Hi!
I'm having a problem with libcurl that so far seems to only happen on
CentOS/RHEL 5.8 (libcurl 7.15.5 and openssl 0.9.8e). The first https
request I make on a curl handle succeeds, but all subsequent requests give
me a cert verification failure.
On 11-01-13 13:00, Chris Knight wrote:
Hi Oscar,
So great news, your suggestion worked, I added the line;
curl_easy_setopt(curl, CURLOPT_SSL_OPTIONS, CURLSSLOPT_ALLOW_BEAST);
and this works. The CURLOPT_SSL_CIPHER_LIST suggestion didn't seem to do
much in terms of this issue but its
On 05-01-13 14:24, Philip Montrowe wrote:
Seems like something we could add to curl_easy_getinfo() - and
something that will require changes for every SSL backend we want to
get the info from... Anything you feel like taking a stab at?
I was thinking more along the lines of adding an exit
On 04-01-13 16:51, Yang Tse wrote:
So please, either way express yourselves again. I don't want to goof
it twice in a row.
I'm (still) in favor of filename change. The old names also surface easily
on a shell if you have tab-completion.
My motivation is simply my own experience in addressing
On 28-12-12 10:51, JALINDAR wrote:
I did this:$ *./configure --without-ssl and --with-polarssl*
is it needed to have polarssl library and path set while configuring??
Hi Jalindar,
1.
Try: ./configure --without-ssl --with-polarssl
(without the 'and' word)
2.
PolarSSL needs to be installed
On 26-12-12 17:19, Indtiny s wrote:
I verified the certificate with openssl command line tool , in that I
could see the subject field is NULL and the SubjAltNames is present .
This is valid as per the As per [RFC 5280], “If subject naming information
is present only in the
On 21-12-12 19:32, Yves Arrouye wrote:
I have so far a full patch off HEAD for OAuth 2 which supports the
generation of a proper Authorization: header for OAuth 2 from a token.
Bearer (RFC 6750) and the HTTP MAC (draft-ietf-oauth-v2-http-mac-02) are
both supported. The patch has been tested on
On 07-12-12 19:56, Linus Nielsen Feltzing wrote:
It is a simple replacement of the old persistent connection cache. It works
exactly as the old one in that respect.
Linus
Question: The new implementation seems to support only one connection per
hostname. This might be exactly the same as the
if(curl) {
curl_easy_setopt(curl, CURLOPT_URL,
url.GetPlatformString().c_str());
curl_easy_setopt(curl,CURLOPT_SSLCERTTYPE,"PEM");
curl_easy_setopt(curl, CURLOPT_SSLCERT,
"C:\\test\\omg.aps.net.pem");
On 21-11-12 21:16, Colin wrote:
Hi,
needing a library to perform HTTP requests I am looking at libcurl,
and have stumbled over something that seems strange: There are
curlopts CURLOPT_OPENSOCKETFUNCTION etc. to set the functions to
open, close and manipulate the socket, however there are no
On 10-11-12 20:45, Kristian Fiskerstrand wrote:
My crawler use curl as the basis for the requests, and as I connect
using the hostname found in server-discovery, whereby I need it to be
valid for the purpose of a DNS Round Robin, it use the HTTP Host:
header matching the keyserver pool. The
On 09-11-12 14:51, JALINDAR wrote:
Hi Forum,
I want to ping IP addresses and grab the respond to save it if it
is received within the time bound.
It must be similar to command line ping.
how should I do it?
Thanks
Jalindar
Do you mean ping-like behaviour or ping as in the ICMP
On 06-11-12 22:49, Daniel Stenberg wrote:
On Tue, 6 Nov 2012, Oscar Koeroo wrote:
Could you verify if I didn't mess up a bunch of text files? Like the BUGS
file. I wasn't too careful with the push.
Hm, the pull request 46 I still see there is 4 days old and doesn't apply
cleanly. How do I
On 06-11-12 19:50, Daniel Stenberg wrote:
On Mon, 5 Nov 2012, Oscar Koeroo wrote:
As I already have a VERIFYHOST rework patch pending - basically what I
already shown before - do you think it makes sense for me to merge that
in first and then have your work rebased on top of that?
I'm fine
On 05-11-12 22:52, Daniel Stenberg wrote:
On Sat, 3 Nov 2012, okoeroo wrote:
These two commits will make the axTLS be RFC2818 compliant, honoring the
VERIFYHOST setting similar to the OpenSSL backend.
Also move the hostcheck and cert_hostcheck functions from the lib/ssluse.c
files to make
On 04-11-12 09:10, Marc Hoersken wrote:
2012/11/4 Oscar Koeroo okoe...@nikhef.nl
lib/curl_schannel.c
VerifyHost is not used
I don't think this is correct. Please see line 163.
You are right! It's indeed used. This is a silly mistake because I'm quoting
the section that it uses it in my
On 04-11-12 11:19, Marc Hoersken wrote:
2012/11/4 Oscar Koeroo okoe...@nikhef.nl:
I don't know, I copied this specific check from another curl SSL backend.
I've seen the same checks, but different motivations:
- Post connection verification based on SubjectAltNames IP
instead of DNS; OpenSSL
On 04-11-12 03:06, Oscar Koeroo wrote:
On 28-10-12 22:25, Oscar Koeroo wrote:
[...]
Errata 2:
about lib/schannel.c
If I understand MSDN[1] correctly regarding the CertGetNameString()
function, it will only return the first SubjectAltName DNS (or the CN field
when no SubjectAltNames
Hi,
At the moment the functions cert_hostcheck and hostmatch are static
functions in the lib/ssluse.c file. I need these in axTLS too.
I wish to put it somewhere generic:
Options are:
- a completely new file
- lib/rawstr.c
Any opinions?
Oscar
On 03-11-12 20:08, Daniel Stenberg wrote:
On Sat, 3 Nov 2012, Oscar Koeroo wrote:
At the moment the functions cert_hostcheck and hostmatch are static
functions in the lib/ssluse.c file. I need these in axTLS too.
I wish to put it somewhere generic:
Options are:
- a completely new file
On 28-10-12 22:25, Oscar Koeroo wrote:
[...]
I pulled a fresh cUrl and looked at the cUrl code enabling axTLS, CyaSSL,
GnuTLS, NSS, OpenSSL, PolarSSL and QsoSSL. I could only find the API docs
for QsoSSL, but I've downloaded and read the code in these SSL
implementation up to and including
On 03-11-12 21:06, Oscar Koeroo wrote:
On 03-11-12 20:08, Daniel Stenberg wrote:
I'd prefer a new file (hostcheck.c or certcheck?)
Ok, I'll try to get this into a new file. At the moment my pull request has
these two function in the lib/rawstr.c as I interpreted as string
manipulation
On 02-11-12 12:52, Daniel Stenberg wrote:
On Mon, 29 Oct 2012, Oscar Koeroo wrote:
With respect to the option 1 provided from the application; I can only see
four migration paths of choices in this:
a. treat a 1 as a 0, forced debug mode
b. treat a 1 as a 2, forced secure connection
c
On 01-11-12 20:18, Igor Korot wrote:
On Thu, Nov 1, 2012 at 12:06 PM, Rich Gray rg...@plustechnologies.com wrote:
Igor Korot wrote:
Hi, ALL,
Well, subject says it all.
If it hasn't always been provided in OS X, it goes back a long ways...
On OS X 10.6.8 (Snow Leopard) Apple installed:
On 29-10-12 10:33, Daniel Stenberg wrote:
On Mon, 29 Oct 2012, Peter Sylvester wrote:
Do I understand correctly: verify_host will have two values, i.e equiv to
a bool?
(For all new and old readers, this is a discussion around my *proposed*
changes as shown in the patch I posted the other
On 29-10-12 13:42, Daniel Stenberg wrote:
On Mon, 29 Oct 2012, Oscar Koeroo wrote:
I've sent an email yesterday evening about all the various backends and
how they implement, for example, RFC2818 compliance and in particular I
checked how this VERIFYHOST setting is actually used and I'd like
On 29-10-12 16:03, Daniel Stenberg wrote:
0 is per the documentation a skipped verification of the host name. The
'same as 1' simply means that it logs a bad match and I don't think it
matters much as logging is basically only friendly if it isn't too
slow/expensive in terms of CPU or other
On 29-10-12 21:43, Alessandro Ghedini wrote:
Anyway, I just run a quick grep on all the sources of the packages that
build depend on libcurl and those that explicitly set
CURLOPT_SSL_VERIFYPEER are very few, even less those that set it to 1
On 29-10-12 07:12, Lijo Antony wrote:
IMHO, using enum values make APIs much cleaner, avoiding any possible
confusion in using integer values like 0,1,2, etc. I already do this in my
code for all CURL options. But having these enums provided by CURL itself,
makes any future changes in values,
On 24-10-12 22:45, Daniel Stenberg wrote:
Hi friends,
The Most Dangerous Code in the World: Validating SSL Certificates in
Non-Browser Software is a report from 6 authors I noticed today:
http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
Among many things it has the following charming
On 10/25/2012 07:16 AM, SM wrote:
Hi Daniel,
At 13:45 24-10-2012, Daniel Stenberg wrote:
The Most Dangerous Code in the World: Validating SSL Certificates in
Non-Browser Software is a report from 6 authors I noticed today:
http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
cURL is also
On 18-10-12 19:43, Mayank Kumar (mayankum) wrote:
Resending since I didn't get any response. Is there a way to extract the
ssl context for the https connection initiated so that we could use
SSL_read on the socket handle extracted from the curl handle.
From: Mayank Kumar (mayankum) Sent:
On 11-10-12 21:05, Peter Sylvester wrote:
Please set CURLOPT_SSL_VERIFYPEER to 0L too. That will probably do the trick.
disabling checks of authenticity is not exactly a good advice IMHO.
IMHO it's never a good idea disable any of the two. But who am I to judge on
disabling security features to
On 11-10-12 07:16, bala suru wrote:
Hi,
I have converted my certificates which are DER form to PEM using below
openssl command
*
openssl x509 -in root.x509 -inform DER -out root.crt -outform PEM
*
And try to execute the curl client with error buffer set , I get the below
error while
On 11-10-12 10:14, Indtiny s wrote:
Hi,
I am using the tool which is given by zigbee alliance to generate the
self-signed CA certs , there I can not add the subject .
I have disabled the host verification in (lib)curl (CURLOPT_SSL_VERIFYHOST,
0L);
But still I am getting the same error .
On 02-10-12 19:55, Bill Lear wrote:
I have an unusual situation with an embedded SSL client using libcurl.
I need to send a client certificate to the server for validation even though
the client does not validate the server certificate. (CURLOPT_SSL_VERIFYPEER
= 0)
Is this possible? I
On 08-09-12 23:04, crill...@tiscali.it wrote:
I have tried that,
so now my test programs have this source code:
extern "C" {
#include <curl/curl.h>
#include <curl/easy.h>
}
int main
(int argc, char* argv[])
{
curl_global_init(CURL_GLOBAL_ALL);
}
but
even so, I get
On 05-09-12 19:15, Sidde Gowda wrote:
Hi All
It is strange to me. I have disabled verify issuer and hosts but still seeing
below error. Any idea?
* About to connect() to 172.17.0.11 port 8443 (#0)
* Trying 172.17.0.11...
* connected
* Connected to 172.17.0.11 (172.17.0.11) port 8443
On 20-07-12 22:13, Daniel Stenberg wrote:
On Fri, 20 Jul 2012, pcworld wrote:
is it currently possible to set multiple paths in CURLOPT_CAPATH, or any
other way to achieve this?
No. OpenSSL only allows a single path or a single file.
Well, OpenSSL has an underlying interface to do it.
, Oscar,
On Thu, Jul 12, 2012 at 10:33 PM, Oscar Koeroo okoe...@nikhef.nl wrote:
Hi Igor,
Your approach breaks the fact that POST is typically a form-post. I recently
had a problem with that breakage when I tried to POST data in JSON as raw
data. libcurl can do this, but consider
Hi Igor,
Your approach breaks the fact that POST is typically a form-post. I recently
had a problem with that breakage when I tried to POST data in JSON as raw
data. libcurl can do this, but consider the incompatibility with something
like Django.
Here's an example in C:
[code]
static size_t
Hi Vivek,
Which Linux kernel version are you using? Perhaps the static linked glibc is
different than what matches with the kernel (which is a motivation for the
compiler warning in the first place).
I'd check if the compiler output used the right glibc.a file for example.
Oscar
On
On 20/4/12 11:17 AM, Paul Bakker wrote:
On 19-4-2012 15:42, Daniel Stenberg wrote:
I'm not a TLS/x509 expert but I don't think so. Also, you'll see that
for example GnuTLS agrees with my view here and this is how we do it
for OpenSSL (for all TLS-using protocols). I haven't checked how the
On 3/4/12 8:23 AM, Jens Staal wrote:
Dear list
This is an initial attempt to port curl to Plan9 (i386). The binary
(+sources) can be found at
http://ports2plan9.googlecode.com/files/curl-7.23.1.pkg.tbz
The thing compiles with the native Plan9 pcc (Posix c compiler, front
end to kencc)
Hi,
I assumed that I could discover with which SSL implementation libcurl is
dynamically linked with the use of curl_easy_getinfo(). But according to the
documentation there doesn't seem to be an option for this.
My current motivation is to overcome the syntactical and semantical
differences of
On 10/2/12 10:57 PM, Andrew Reid wrote:
C:\curl -x proxy..com:port -k -d @/location/filename https://x.x.x.x/
I would do:
C:\curl -x proxy..com:port -k -d @./location/filename https://x.x.x.x/
Although I think there is a better guaranteed result when you use a full
path for the input
On 8/2/12 4:43 PM, Rich Gray wrote:
Or to make it uber clear:
CURLSSLOPT_ALLOW_VULNERABILITY_BEAST
--ssl-allow-vulnerability-beast
(If they want to do it, make 'em type!)
- Rich
+1 on the typing for this particular reason. ;-)
Also people might interpret it as to 'unleash the BEAST!'