Re: Using Windows certificate store when compiling with openssl

2018-09-07 Thread Thomas Glanzmann via curl-library
Hello Jan, > x64 builds with OpenSSL just use the Windows certificate store. That > applies even to cross-compiled x64 builds. Try it yourself > https://phpdev.toolsforresearch.com/curl-mingw32-7.61.1.zip I tried, but it failed for me on w2k8r2. I tried both the 32bit and x64: >

Re: 5a3efb1db breaks winssl crosscompile for me [WAS: schannel: unified error code handling; Closes #2901]

2018-09-06 Thread Thomas Glanzmann via curl-library
Hello Han, > Hmm on second thought, this is a problem with mingw using an outdated > version of win32api. They should have added this enum a long time ago > since it’s available in VS2012. I agree. I file a bug with mingw. But in the meantime I think we should go with Daniel's patch until we use

Re: 5a3efb1db breaks winssl crosscompile for me [WAS: schannel: unified error code handling; Closes #2901]

2018-09-06 Thread Thomas Glanzmann via curl-library
tested the patch with my application and it works for me. Cheers, Thomas >From 33344920f85259efc4e9606047df9655c080cb5d Mon Sep 17 00:00:00 2001 From: Thomas Glanzmann Date: Thu, 6 Sep 2018 21:37:15 +0200 Subject: [PATCH] schannel: Fix build regression introduced in 5a3efb1db for mingw

Re: Slow Windows uploads (with patch)

2018-08-03 Thread Thomas Glanzmann
Hello Daniel, > > If you like to run me some more experiments, I can do that. I just > > compile curl with a higher SO_SNDBUF / SO_RCVBUF, fire up an ec2 AWS > > instance with windows server 2016 somewhere in the world with a big pipe > > and high latency and download something from my well

Re: Windows users! Help us test upload performance tuning?

2018-08-03 Thread Thomas Glanzmann
Hello Daniel, I fired up a Windows 2016 instance in Canada using AWS. First thing I got was an error message MSVCR100.dll is missing. So I installed the visual c++ runtime. And tried again. Microsoft Windows [Version 10.0.14393] generating test file... running vanilla... start:0.469000

Re: Slow Windows uploads (with patch)

2018-08-03 Thread Thomas Glanzmann
Hello, I recently had a customer complaining that the download speed from Canada to Paris is bad. He got 150 Mbit/s and had a 1 Gbit line with a single connection. Both systems were Windows Server 2016. Proprietary Application. This was for an 80ms latency link. After some testing I found out that

Re: Build libcurl using mingw32 with static openssl

2017-03-30 Thread Thomas Glanzmann
Hello Ray, thank you for your build instructions. In the output there was clearly something really wrong because I ran gcc to link the mingw target which can't work. But now it works and I had to add one more library: -lcrypt32. I'm building against openssl 1.1.0 pre 6. Below, find my build

Build libcurl using mingw32 with static openssl

2017-03-29 Thread Thomas Glanzmann
Hello, I try to compile libcurl using mingw32 and a static linked openssl. It worked in the past, however at the moment I'm unable to do so. The reason seems to be: ... configure:21627: result: no configure:21655: PKG_CONFIG_LIBDIR will be set to

Re: NTLM auth to server when Negotiate is used with a proxy is broken in libcurl 7.51.0

2017-03-22 Thread Thomas Glanzmann
Hello Marton, > Sorry for spamming, but I compiled some builds of curl in order to find the > build in which the bug was introduced and I think I found it: 7.39.0 works > but 7.40.0 does not. I hope this helps. could you run a git bisect on this to find the offending commit?

Re: NTLM auth to server when Negotiate is used with a proxy is broken in libcurl 7.51.0

2017-03-22 Thread Thomas Glanzmann
Hello Marton, > But it doesn't work on MacOS Sierra with libcurl 7.51.0: can you upgrade to the newest version (7.53.1)? There was a bug which has been fixed last April regarding closing a connection with NTLM authentication. Maybe this solves your problem. Cheers, Thomas

Re: [PATCH] mbedtls: Unbreak mbedtls compilation

2017-03-12 Thread Thomas Glanzmann
Hello Ray, > Landed in https://github.com/curl/curl/commit/e08c0cd thanks a lot. > Unrelated to this issue but regarding mbedTLS, support for > CURLOPT_SSL_CTX_FUNCTION is coming soon. You may want to check out the > PR at https://github.com/curl/curl/pull/1272 should you have any feedback. I

[PATCH] mbedtls: Unbreak mbedtls compilation

2017-03-11 Thread Thomas Glanzmann
I need the following patch to compile curl git HEAD against mbedtls. Otherwise I get the following compiler error message: CC vtls/libcurl_la-mbedtls.lo vtls/mbedtls.c: In function 'mbedtls_version_from_curl': vtls/mbedtls.c:162:10: error: 'ssl_version' undeclared (first use in this

Re: getting libcurl to run with C in codeblocks (mingw-32)

2016-12-01 Thread Thomas Glanzmann
Hello Greg, > I've spent a few hours trying to run libcurl in codeblocks (GNU GCC > mingw-32 Compiler), I'm building on Debian Linux for Windows. However maybe my instructions help you: apt-get install git make gcc libx11-dev mingw-w64 libtool git clone https://github.com/curl/curl cd curl

Re: Session ID Reuse in libcurl

2016-11-28 Thread Thomas Glanzmann
Hello Samuel, > I've recently been undertaking some TLS performance investigation, and > as part of this I've been trying to understand how features like Session > ID reuse improve the set-up time of new TLS connections. I'm using the > libcurl multi interface in an existing application, and I'm

Re: SSL and multithread crash on windows, how to use mutex on windows?

2016-11-24 Thread Thomas Glanzmann
Hello, > SSL and multithread crash on windows, how to use mutex on windows? Best way is you post a stripped down example which crashes. For me the following works, without a problem. Once: curl_global_init(CURL_GLOBAL_DEFAULT); For each thread: _beginthread(...); share

[PATCH] HTTPS Proxy: Implement CURLOPT_PROXY_PINNEDPUBLICKEY

2016-11-24 Thread Thomas Glanzmann
WARNING: I compiled and tested this code only for openssl and mbedtls --- docs/libcurl/opts/CURLOPT_PROXY_PINNEDPUBLICKEY.3 | 99 +++ docs/libcurl/symbols-in-versions | 1 + include/curl/curl.h | 4 + lib/url.c

[PATCH] url: proxy: Use 443 as default port for https proxies

2016-11-24 Thread Thomas Glanzmann
--- docs/libcurl/opts/CURLOPT_PROXYPORT.3 | 3 ++- lib/url.c | 8 +++- lib/url.h | 1 + 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/docs/libcurl/opts/CURLOPT_PROXYPORT.3 b/docs/libcurl/opts/CURLOPT_PROXYPORT.3 index

Re: HTTPS proxy, another take

2016-11-23 Thread Thomas Glanzmann
Hello, > > In issue #1127 they do state: "Supported backends: OpenSSL, GnuTLS, and > > NSS". I suppose that might mean that those are the only backends that > > support HTTPS over HTTPS. Maybe they could help clarify that? > I see. I tried with openssl. I sent the email too fast. Now I tried

Re: HTTPS proxy, another take

2016-11-23 Thread Thomas Glanzmann
Hello Daniel, > Right. Focus should first be to make sure everything *existing* > remains functional but then we should just start working on fixing the > bugs in the HTTPS proxy functionality. Having the code in the master > branch will make it easier to do that I think. I tested it during the

Re: HTTPS proxy, another take

2016-11-23 Thread Thomas Glanzmann
Hello, > (infra) [~/work/vlconnect] local/linux/bin/curl --proxy-cacert > /etc/ssl/certs/ca-certificates.crt --cacert > /etc/ssl/certs/ca-certificates.crt --proxy > https://tg:passw...@proxy.glanzmann.de:443/ https://google.com > curl: (4) A requested feature, protocol or option was not found

Re: HTTPS proxy, another take

2016-11-23 Thread Thomas Glanzmann
Hello Daniel, > Their work and some additional fixes exist in the HTTPS-proxy branch right > now. I intend to merge that into master within days. please do. > If anyone objects or wants to do/check something before that happens, > now is a great time! I found the following bugs, we should fix:

Re: HTTPS proxy, another take

2016-11-17 Thread Thomas Glanzmann
Hello, the attached patch fixed the compile errors for me. No testing done yet. Cheers, Thomas >From acd43bf652ae05e40af1798bc455ed0d7cd6c5f4 Mon Sep 17 00:00:00 2001 From: Thomas Glanzmann <tho...@glanzmann.de> Date: Thu, 17 Nov 2016 13:17:26 +0100 Subject: [PATCH] mbedtls: h

Re: HTTPS proxy, another take

2016-11-17 Thread Thomas Glanzmann
Hello, I would like to see this getting merged. I tried to compile it with mbedtls as a backend, but failed. I'll investigate further this evening: CC vtls/libcurl_la-cyassl.lo vtls/mbedtls.c: In function 'mbed_connect_step1': vtls/mbedtls.c:172:19: error: 'struct ssl_config_data' has no

Re: stop shipping PDF and HTML versions in tarballs?

2016-10-16 Thread Thomas Glanzmann
Hello Daniel, > Do the HTML and PDF versions of our man pages that we ship in every > tarball provide any value to you? I read the manual online or using man, but I'm also building curl from git. From my point of view they can be removed. Cheers, Thomas

Re: MBEDTLS debugging in libcurl [WAS: [PATCH] mbedtls: Rename mbedtls_debug info mbed_debug to match] debug function name

2016-08-03 Thread Thomas Glanzmann
sets the debug level to verbose and also explains in a comment in the source code what needs to be done to enable it both in mbedtls and curl. Cheers, Thomas >From d4596e8684ab1a800dcd61725ed97d632fc6b9c9 Mon Sep 17 00:00:00 2001 From: Thomas Glanzmann <tho...@glanzmann.de> Date:

Re: MBEDTLS debugging in libcurl [WAS: [PATCH] mbedtls: Rename mbedtls_debug info mbed_debug to match] debug function name

2016-08-01 Thread Thomas Glanzmann
Hello Ray, > Thanks, landed in aa9f536 [1]. thank you for committing that so fast. > Regarding your other e-mail about why you aren't receiving debugging > info even with the fix maybe you built mbedTLS without > MBEDTLS_DEBUG_C? I had that _not_ enabled. Now that I have, I have still no

How to use MBEDTLS_DEBUG and get additional mbedtls debugging information

2016-08-01 Thread Thomas Glanzmann
Hello, I already applied the patch that makes it possible to build with MBEDTLS_DEBUG defined. But I don't get what I need to do to get the extended debugging. I tried: #include void gethaxx(void) { CURL *curl = curl_easy_init(); curl_easy_setopt(curl, CURLOPT_CAINFO,

[PATCH] mbedtls: Rename mbedtls_debug info mbed_debug to match debug function name

2016-08-01 Thread Thomas Glanzmann
This patch is necessary so that curl compiles if MBEDTLS_DEBUG is defined. --- lib/vtls/mbedtls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c index f30f2ce..18c2d4f 100644 --- a/lib/vtls/mbedtls.c +++ b/lib/vtls/mbedtls.c @@ -420,7

Re: MBEDTLS d5800b7761ad9705d2ebca86d7af0c8ee24e427a creates regression when compiling libcurl error: unknown type name 'mbedtls_time_t'

2016-07-03 Thread Thomas Glanzmann
Hello Dan, * Dan Fandrich [2016-07-02 21:30]: > > /home/sithglan/work/vlconnect/curl/../local/win32/include/mbedtls/ssl.h:545:5: > > error: unknown type name 'mbedtls_time_t' > This looks like an mbedtls problem. A client #including an mbedtls > include file

MBEDTLS d5800b7761ad9705d2ebca86d7af0c8ee24e427a creates regression when compiling libcurl error: unknown type name 'mbedtls_time_t'

2016-07-02 Thread Thomas Glanzmann
Hello, when I compile libcurl with mbedtls-2.3.0 I hit the following libcurl compile regression: In file included from ../lib/urldata.h:98:0, from vtls/darwinssl.c:31: /home/sithglan/work/vlconnect/curl/../local/win32/include/mbedtls/ssl.h:545:5: error: unknown type name

Re: Reuse ssl session across curl handles

2016-04-30 Thread Thomas Glanzmann
Hello Ray, > Works here with mbedTLS. Maybe you forgot CURLOPT_SHARE? yes, I forgot to use CURLOPT_SHARE. Now it works. Thank you for the follow up, the example code, and explanation. > And to answer your question from the first e-mail: yes you can reuse easy > handles, see curl_easy_reset [2]

Re: Reuse ssl session across curl handles

2016-04-29 Thread Thomas Glanzmann
Hello, * Thomas Glanzmann <tho...@glanzmann.de> [2016-04-29 09:45]: > now that Ray has fixed session reuse, I wonder if it is possible to > reuse SSL session across curl handles? If I use the same curl handle it > works, but if I try to use curl_easy_duphandle[1] it does _not_ wor

Reuse ssl session across curl handles

2016-04-29 Thread Thomas Glanzmann
Hello, now that Ray has fixed session reuse, I wonder if it is possible to reuse SSL session across curl handles? If I use the same curl handle it works, but if I try to use curl_easy_duphandle[1] it does _not_ work. Any tricks to reuse session with multiple curl handles? If it is not possible,

Re: How to implement TLS session resumption in libcurl when connecting to FTPS servers

2016-04-29 Thread Thomas Glanzmann
Hello Ray, > Fixed in https://github.com/curl/curl/commit/9f498de I just tried it, and it works for me. Thank you for fixing this. Cheers, Thomas --- List admin: https://cool.haxx.se/list/listinfo/curl-library Etiquette:

Re: CURLOPT_CONNECT_ONLY: * Closing connection 2

2016-04-27 Thread Thomas Glanzmann
Hello Christian, * Christian Hägele [2016-04-27 09:56]: > That's nice to hear. Maybe that bumps the priority to merge that > pull-request. A comment from you might help there. We have this patch > (and some others) in production for quite some time and would

Re: CURLOPT_CONNECT_ONLY: * Closing connection 2

2016-04-26 Thread Thomas Glanzmann
Hello Christian, * Christian Hägele [2016-04-26 13:32]: > I did not look at your specific problem with NTLM_SSP in detail, but I > want to mention 4 open pull-request regarding NTLM and > CURLOPT_CONNECT_ONLY: Thanks a lot for the heads up. 655 fixes my issue.

Re: CURLOPT_CONNECT_ONLY: * Closing connection 2

2016-04-26 Thread Thomas Glanzmann
Hello Daniel, > Awesome. I'll eagerly await the results! I was not able to bisect it because some versions did not compile and so I had to skip them. I'm down to: 1c0f70f534d155de5e3e7013c48ebd15848c16bc 790d1a4816de8976b9cc796138455ed2daf94bb8 55db5bdff79a16200ff93e1a5d89e38acfdf0eb1

Re: CURLOPT_CONNECT_ONLY: * Closing connection 2

2016-04-26 Thread Thomas Glanzmann
Hello, > - Hypothesis: Test with older libcurl I tried with 7.40 and with this version I do _not_ have the problem. I'll now do a git bisect to identify the offending commit and report back. Cheers, Thomas

CURLOPT_CONNECT_ONLY: * Closing connection 2

2016-04-25 Thread Thomas Glanzmann
-ECDHE-RSA-WITH-AES-256-GCM-SHA384 * Dumping cert info: * cert. version : 3 * serial number : 02:BE:92 * issuer name : C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 2 Primary Intermediate Server CA * subject name : C=DE, ST=Bayern, L=Erlangen, O=

Howto build wolfSSL using mingw32 on Linux

2016-04-07 Thread Thomas Glanzmann
Hello, previously I built openssl and mbedtls using mingw32 on Debian. Does someone have instructions how to build wolfSSL using mingw32 on Debian? I would like to try wolfSSL and compare it from a codesize view with mbedTLS. But I'm only building on Linux. Cheers, Thomas

Re: https://curl.haxx.se/

2016-02-01 Thread Thomas Glanzmann
Hello, > Not really related to Curl or anything Daniel, but I see you're using the > free certs from Let's Encrypt. I think that's awesome. I've always > wanted SSL for my domain but I never had the money. Now that Let's > Encrypt is in the beta phase and open to the public, I'm so glad to

Prepopulate DNS cache with IPv6 and IPv4 address

2016-01-13 Thread Thomas Glanzmann
Hello, I would like to prepopulate the DNS cache with an IPv6 (preferred) and an IPv4 address. When I try to do the same it works perfectly if the host is dual stack, but not if it is IPv4 only. How was the usage for such a scenario intended? I assumed that it would even try IPv4 if no IPv6 is

Re: [PATCHv2] mbedtls: Implement CURLOPT_PINNEDPUBLICKEY

2016-01-13 Thread Thomas Glanzmann
Hello Ray, > I thought we already do this [1], I'm at a loss for why session resume > doesn't work if in fact it doesn't. I recall it did appear to resume > for me, probably I had a different google server than you. does it work for you? I tried with session id and tickets and used curl debug

Re: Prepopulate DNS cache with IPv6 and IPv4 address

2016-01-13 Thread Thomas Glanzmann
Hello Daniel, > The CURLOPT_RESOLVE feature is actually simpler than so. It stores a > *single* address for a given host+port combo, and it will not > overwrite an existing entry. thank you for the explanation. I'll go with IPv4 for the time being. > There have been work in the past to make it

Re: [PATCHv2] mbedtls: Implement CURLOPT_PINNEDPUBLICKEY

2016-01-11 Thread Thomas Glanzmann
Hello Ray, * Ray Satiro [2016-01-11 09:25]: > Also I notice if peer verification is disabled the SSLpinning result > isn't checked. This was not caught by the tests so I'll add a test for > that. I noticed that, too. But I thought this was the intended behaviour because

Re: [PATCHv2] mbedtls: Implement CURLOPT_PINNEDPUBLICKEY

2016-01-11 Thread Thomas Glanzmann
Hello Ray, > - There is a comment in the code that says a peer cert is not available > after an SSL session resume, specifically "If the session was resumed, there > will be no peer cert". It appears that was copied from PolarSSL. I looked in > the mbedTLS documentation to confirm but there's

Re: [PATCHv2] mbedtls: Implement CURLOPT_PINNEDPUBLICKEY

2016-01-11 Thread Thomas Glanzmann
Hello Ray, related: https://tls.mbed.org/discussions/generic/resumed-tls-handshake Cheers, Thomas --- List admin: http://cool.haxx.se/list/listinfo/curl-library Etiquette: http://curl.haxx.se/mail/etiquette.html

Re: [PATCHv2] mbedtls: Implement CURLOPT_PINNEDPUBLICKEY

2016-01-10 Thread Thomas Glanzmann
Hello Daniel, > I use "./configure --enable-debug --enable-werror" and then gcc pointed it > out very loudly to me =) I see. I added --enable-werror to my default build parameters in the build script. Last time I screwed up char vs unsigned char I ended up building a very ugly workaround and to

Two build warnings for Debian Jessie 8 amd64 and mingw32

2016-01-10 Thread Thomas Glanzmann
Hello Daniel, when compiling the current git HEAD with --enable-werror I get two more. My build environment is Debian Jessie amd64. In order to reproduce this: test -d curl || git clone https://github.com/bagder/curl.git cd curl git reset --hard origin/master; git clean -f

Re: [PATCHv2] mbedtls: Implement CURLOPT_PINNEDPUBLICKEY

2016-01-10 Thread Thomas Glanzmann
Hello Daniel, > This landed in commit bf93a121 with just some very minor edits. thank you. Good catch with the unsigned char. I should default to this. Cheers, Thomas

Re: API to include cacert using a C string

2016-01-08 Thread Thomas Glanzmann
Hello Daniel, > I will gladly accept patches that introduce it. Have you considered > the API/option for passing the cacert bundle to libcurl? I have thought about this as well. I think we have two options: - Make CURLOPT_CAINFO and/or CURLOPT_CAPATH not only accept a path as

Embed client cert and key into libcurl when using mbed TLS as backend

2016-01-05 Thread Thomas Glanzmann
Hello Mindaugas, > https://stackoverflow.com/questions/34543265/how-to-load-pem-certificate-together-with-private-key-in-libcurl-using-mbedtls the following untested patch against libcurl should do what you want: diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c index da869e2..31058ef 100644

[PATCHv2] mbedtls: Implement CURLOPT_PINNEDPUBLICKEY

2016-01-05 Thread Thomas Glanzmann
--- docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3 | 5 +-- lib/vtls/mbedtls.c | 50 + lib/vtls/mbedtls.h | 1 + 3 files changed, 54 insertions(+), 2 deletions(-) diff --git a/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3

Re: [PATCH] mbedtls: Implement CURLOPT_PINNEDPUBLICKEY

2016-01-04 Thread Thomas Glanzmann
Hello, > At a quick glance it looks good to me, except it only supports DER/PEM > as is, if you want to also support the new sha256// hashes you need to > define curlssl_sha256sum in mbedtls, that *should* be fairly easy to do > I'd hope. I'm using this patch with sha256// on mbedtls since the

Re: BADCERT_NOT_TRUSTED error with mbedTLS

2015-12-30 Thread Thomas Glanzmann
Hello Ray, first of all good news. This morning the branch origin/iotssl-541-pathlen-bugfix was merged. Making your error go away. However I found at least one other cert still not working. > I don't know why you are seeing --cacert only accepting a single > certificate. I have searched the curl

Re: BADCERT_NOT_TRUSTED error with mbedTLS

2015-12-29 Thread Thomas Glanzmann
Hello Ray, > Does anyone have mbedTLS working in curl 7.46.0? when I build mbedTLS on Linux and try what you did, I notice the following: - --cacert Only accepts a single certificate not a file containing multiple certs. - I patched MBEDTLS to tell me why it flagged

Re: BADCERT_NOT_TRUSTED error with mbedTLS

2015-12-29 Thread Thomas Glanzmann
Hello Ray, > > - --cacert Only accepts a single certificate not a file > > containing multiple certs. > I don't know why you are seeing --cacert only accepting a single > certificate. I have searched the curl repo and I can't find that. And I > don't believe that's correct for

Re: BADCERT_NOT_TRUSTED error with mbedTLS

2015-12-29 Thread Thomas Glanzmann
ost certificate but _not_ the root certificate. As it should. Cheers, Thomas >From 6cabb75af82dbc4f6874ea1a1b3952433f83abaf Mon Sep 17 00:00:00 2001 From: Thomas Glanzmann <tho...@glanzmann.de> Date: Sat, 21 Nov 2015 13:32:38 +0100 Subject: [PATCH] hardcode cacert of startssl

[PATCH] mbedtls: Implement CURLOPT_PINNEDPUBLICKEY

2015-12-29 Thread Thomas Glanzmann
--- docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3 | 5 ++-- lib/vtls/mbedtls.c | 42 + lib/vtls/mbedtls.h | 1 + 3 files changed, 46 insertions(+), 2 deletions(-) diff --git