diff options
Diffstat (limited to '0015-curl-7.29.0-7fc9325a.patch')
| -rw-r--r-- | 0015-curl-7.29.0-7fc9325a.patch | 1090 |
1 files changed, 1090 insertions, 0 deletions
diff --git a/0015-curl-7.29.0-7fc9325a.patch b/0015-curl-7.29.0-7fc9325a.patch new file mode 100644 index 0000000..7b6c5fe --- /dev/null +++ b/0015-curl-7.29.0-7fc9325a.patch @@ -0,0 +1,1090 @@ +From a7b1ea3537b30450ad82d2c64d31dcecaed60fca Mon Sep 17 00:00:00 2001 +From: Gergely Nagy <ngg@tresorit.com> +Date: Thu, 19 Sep 2013 15:17:13 +0200 +Subject: [PATCH 1/9] SSL: protocol version can be specified more precisely + +CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1, +CURL_SSLVERSION_TLSv1_2 enum values are added to force exact TLS version +(CURL_SSLVERSION_TLSv1 means TLS 1.x). + +axTLS: +axTLS only supports TLS 1.0 and 1.1 but it cannot be set that only one +of these should be used, so we don't allow the new enum values. + +darwinssl: +Added support for the new enum values. + +SChannel: +Added support for the new enum values. + +CyaSSL: +Added support for the new enum values. +Bug: The original CURL_SSLVERSION_TLSv1 value enables only TLS 1.0 (it +did the same before this commit), because CyaSSL cannot be configured to +use TLS 1.0-1.2. + +GSKit: +GSKit doesn't seem to support TLS 1.1 and TLS 1.2, so we do not allow +those values. +Bugfix: There was a typo that caused wrong SSL versions to be passed to +GSKit. + +NSS: +TLS minor version cannot be set, so we don't allow the new enum values. + +QsoSSL: +TLS minor version cannot be set, so we don't allow the new enum values. + +OpenSSL: +Added support for the new enum values. +Bugfix: The original CURL_SSLVERSION_TLSv1 value enabled only TLS 1.0, +now it enables 1.0-1.2. + +Command-line tool: +Added command line options for the new values. + +[upstream commit ad34a2d5c87c7f4b14e8dded34569395de0d8c5b] +--- + docs/libcurl/curl_easy_setopt.3 | 8 +++++- + docs/libcurl/symbols-in-versions | 3 ++ + include/curl/curl.h | 5 +++- + lib/axtls.c | 3 +- + lib/curl_darwinssl.c | 34 +++++++++++++++++++++++++ + lib/curl_schannel.c | 9 ++++++ + lib/cyassl.c | 13 +++++++++- + lib/nss.c | 6 ++++ + lib/qssl.c | 6 ++++ + lib/ssluse.c | 51 +++++++++++++++++++++++++++---------- + packages/OS400/curl.inc.in | 6 ++++ + src/tool_getparam.c | 25 ++++++++++++++++-- + src/tool_setopt.c | 3 ++ + 13 files changed, 151 insertions(+), 21 deletions(-) + +diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 +index 3d31aef..92db8f4 100644 +--- a/docs/libcurl/curl_easy_setopt.3 ++++ b/docs/libcurl/curl_easy_setopt.3 +@@ -2219,11 +2219,17 @@ The default action. This will attempt to figure out the remote SSL protocol + version, i.e. either SSLv3 or TLSv1 (but not SSLv2, which became disabled + by default with 7.18.1). + .IP CURL_SSLVERSION_TLSv1 +-Force TLSv1 ++Force TLSv1.x + .IP CURL_SSLVERSION_SSLv2 + Force SSLv2 + .IP CURL_SSLVERSION_SSLv3 + Force SSLv3 ++.IP CURL_SSLVERSION_TLSv1_0 ++Force TLSv1.0 ++.IP CURL_SSLVERSION_TLSv1_1 ++Force TLSv1.1 ++.IP CURL_SSLVERSION_TLSv1_2 ++Force TLSv1.2 + .RE + .IP CURLOPT_SSL_VERIFYPEER + Pass a long as parameter. By default, curl assumes a value of 1. +diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions +index 37b5e27..57fa6eb 100644 +--- a/docs/libcurl/symbols-in-versions ++++ b/docs/libcurl/symbols-in-versions +@@ -678,6 +678,9 @@ CURL_SSLVERSION_DEFAULT 7.9.2 + CURL_SSLVERSION_SSLv2 7.9.2 + CURL_SSLVERSION_SSLv3 7.9.2 + CURL_SSLVERSION_TLSv1 7.9.2 ++CURL_SSLVERSION_TLSv1_0 7.33.0 ++CURL_SSLVERSION_TLSv1_1 7.33.0 ++CURL_SSLVERSION_TLSv1_2 7.33.0 + CURL_TIMECOND_IFMODSINCE 7.9.7 + CURL_TIMECOND_IFUNMODSINCE 7.9.7 + CURL_TIMECOND_LASTMOD 7.9.7 +diff --git a/include/curl/curl.h b/include/curl/curl.h +index 80e4cf5..8e548e3 100644 +--- a/include/curl/curl.h ++++ b/include/curl/curl.h +@@ -1625,9 +1625,12 @@ enum CURL_NETRC_OPTION { + + enum { + CURL_SSLVERSION_DEFAULT, +- CURL_SSLVERSION_TLSv1, ++ CURL_SSLVERSION_TLSv1, /* TLS 1.x */ + CURL_SSLVERSION_SSLv2, + CURL_SSLVERSION_SSLv3, ++ CURL_SSLVERSION_TLSv1_0, ++ CURL_SSLVERSION_TLSv1_1, ++ CURL_SSLVERSION_TLSv1_2, + + CURL_SSLVERSION_LAST /* never use, keep last */ + }; +diff --git a/lib/axtls.c b/lib/axtls.c +index d512950..68794b5 100644 +--- a/lib/axtls.c ++++ b/lib/axtls.c +@@ -169,7 +169,8 @@ Curl_axtls_connect(struct connectdata *conn, + case CURL_SSLVERSION_TLSv1: + break; + default: +- failf(data, "axTLS only supports TLSv1"); ++ failf(data, "axTLS only supports TLS 1.0 and 1.1, " ++ "and it cannot be specified which one to use"); + return CURLE_SSL_CONNECT_ERROR; + } + +diff --git a/lib/curl_darwinssl.c b/lib/curl_darwinssl.c +index 827c876..69eff8a 100644 +--- a/lib/curl_darwinssl.c ++++ b/lib/curl_darwinssl.c +@@ -719,6 +719,18 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, + (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol1); + (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12); + break; ++ case CURL_SSLVERSION_TLSv1_0: ++ (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol1); ++ (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol1); ++ break; ++ case CURL_SSLVERSION_TLSv1_1: ++ (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol11); ++ (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol11); ++ break; ++ case CURL_SSLVERSION_TLSv1_2: ++ (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol12); ++ (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12); ++ break; + case CURL_SSLVERSION_SSLv3: + (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kSSLProtocol3); + (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kSSLProtocol3); +@@ -759,6 +771,21 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, + kTLSProtocol12, + true); + break; ++ case CURL_SSLVERSION_TLSv1_0: ++ (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, ++ kTLSProtocol1, ++ true); ++ break; ++ case CURL_SSLVERSION_TLSv1_1: ++ (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, ++ kTLSProtocol11, ++ true); ++ break; ++ case CURL_SSLVERSION_TLSv1_2: ++ (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, ++ kTLSProtocol12, ++ true); ++ break; + case CURL_SSLVERSION_SSLv3: + (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, + kSSLProtocol3, +@@ -785,10 +812,17 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, + true); + break; + case CURL_SSLVERSION_TLSv1: ++ case CURL_SSLVERSION_TLSv1_0: + (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, + kTLSProtocol1, + true); + break; ++ case CURL_SSLVERSION_TLSv1_1: ++ failf(data, "Your version of the OS does not support TLSv1.1"); ++ return CURLE_SSL_CONNECT_ERROR; ++ case CURL_SSLVERSION_TLSv1_2: ++ failf(data, "Your version of the OS does not support TLSv1.2"); ++ return CURLE_SSL_CONNECT_ERROR; + case CURL_SSLVERSION_SSLv2: + (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, + kSSLProtocol2, +diff --git a/lib/curl_schannel.c b/lib/curl_schannel.c +index a615f57..19b7f71 100644 +--- a/lib/curl_schannel.c ++++ b/lib/curl_schannel.c +@@ -180,6 +180,15 @@ schannel_connect_step1(struct connectdata *conn, int sockindex) + SP_PROT_TLS1_1_CLIENT | + SP_PROT_TLS1_2_CLIENT; + break; ++ case CURL_SSLVERSION_TLSv1_0: ++ schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_0_CLIENT; ++ break; ++ case CURL_SSLVERSION_TLSv1_1: ++ schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_1_CLIENT; ++ break; ++ case CURL_SSLVERSION_TLSv1_2: ++ schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT; ++ break; + case CURL_SSLVERSION_SSLv3: + schannel_cred.grbitEnabledProtocols = SP_PROT_SSL3_CLIENT; + break; +diff --git a/lib/cyassl.c b/lib/cyassl.c +index 7c78464..ff11bdd 100644 +--- a/lib/cyassl.c ++++ b/lib/cyassl.c +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al. ++ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -98,8 +98,19 @@ cyassl_connect_step1(struct connectdata *conn, + req_method = SSLv23_client_method(); + break; + case CURL_SSLVERSION_TLSv1: ++ infof(data, "CyaSSL cannot be configured to use TLS 1.0-1.2, " ++ "TLS 1.0 is used exclusively\n"); + req_method = TLSv1_client_method(); + break; ++ case CURL_SSLVERSION_TLSv1_0: ++ req_method = TLSv1_client_method(); ++ break; ++ case CURL_SSLVERSION_TLSv1_1: ++ req_method = TLSv1_1_client_method(); ++ break; ++ case CURL_SSLVERSION_TLSv1_2: ++ req_method = TLSv1_2_client_method(); ++ break; + case CURL_SSLVERSION_SSLv3: + req_method = SSLv3_client_method(); + break; +diff --git a/lib/nss.c b/lib/nss.c +index 111982f..ff93a38 100644 +--- a/lib/nss.c ++++ b/lib/nss.c +@@ -1266,6 +1266,12 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) + case CURL_SSLVERSION_SSLv3: + ssl3 = PR_TRUE; + break; ++ case CURL_SSLVERSION_TLSv1_0: ++ case CURL_SSLVERSION_TLSv1_1: ++ case CURL_SSLVERSION_TLSv1_2: ++ failf(data, "TLS minor version cannot be set\n"); ++ curlerr = CURLE_SSL_CONNECT_ERROR; ++ goto error; + } + + if(SSL_OptionSet(model, SSL_ENABLE_SSL2, ssl2) != SECSuccess) +diff --git a/lib/qssl.c b/lib/qssl.c +index 8ef6fec..8b5e499 100644 +--- a/lib/qssl.c ++++ b/lib/qssl.c +@@ -206,6 +206,12 @@ static CURLcode Curl_qsossl_handshake(struct connectdata * conn, int sockindex) + case CURL_SSLVERSION_SSLv3: + h->protocol = SSL_VERSION_3; + break; ++ ++ case CURL_SSLVERSION_TLSv1_0: ++ case CURL_SSLVERSION_TLSv1_1: ++ case CURL_SSLVERSION_TLSv1_2: ++ failf(data, "TLS minor version cannot be set"); ++ return CURLE_SSL_CONNECT_ERROR; + } + + rc = SSL_Handshake(h, SSL_HANDSHAKE_AS_CLIENT); +diff --git a/lib/ssluse.c b/lib/ssluse.c +index 4a0dba7..dd99435 100644 +--- a/lib/ssluse.c ++++ b/lib/ssluse.c +@@ -1389,19 +1389,12 @@ ossl_connect_step1(struct connectdata *conn, + switch(data->set.ssl.version) { + default: + case CURL_SSLVERSION_DEFAULT: +-#ifdef USE_TLS_SRP +- if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) { +- infof(data, "Set version TLSv1 for SRP authorisation\n"); +- req_method = TLSv1_client_method() ; +- } +- else +-#endif +- /* we try to figure out version */ +- req_method = SSLv23_client_method(); +- use_sni(TRUE); +- break; + case CURL_SSLVERSION_TLSv1: +- req_method = TLSv1_client_method(); ++ case CURL_SSLVERSION_TLSv1_0: ++ case CURL_SSLVERSION_TLSv1_1: ++ case CURL_SSLVERSION_TLSv1_2: ++ /* it will be handled later with the context options */ ++ req_method = SSLv23_client_method(); + use_sni(TRUE); + break; + case CURL_SSLVERSION_SSLv2: +@@ -1514,9 +1507,39 @@ ossl_connect_step1(struct connectdata *conn, + ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; + #endif + +- /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */ +- if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT) ++ switch(data->set.ssl.version) { ++ case CURL_SSLVERSION_DEFAULT: ++ ctx_options |= SSL_OP_NO_SSLv2; ++#ifdef USE_TLS_SRP ++ if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) { ++ infof(data, "Set version TLSv1.x for SRP authorisation\n"); ++ ctx_options |= SSL_OP_NO_SSLv3; ++ } ++#endif ++ break; ++ case CURL_SSLVERSION_TLSv1: ++ ctx_options |= SSL_OP_NO_SSLv2; ++ ctx_options |= SSL_OP_NO_SSLv3; ++ break; ++ case CURL_SSLVERSION_TLSv1_0: + ctx_options |= SSL_OP_NO_SSLv2; ++ ctx_options |= SSL_OP_NO_SSLv3; ++ ctx_options |= SSL_OP_NO_TLSv1_1; ++ ctx_options |= SSL_OP_NO_TLSv1_2; ++ break; ++ case CURL_SSLVERSION_TLSv1_1: ++ ctx_options |= SSL_OP_NO_SSLv2; ++ ctx_options |= SSL_OP_NO_SSLv3; ++ ctx_options |= SSL_OP_NO_TLSv1; ++ ctx_options |= SSL_OP_NO_TLSv1_2; ++ break; ++ case CURL_SSLVERSION_TLSv1_2: ++ ctx_options |= SSL_OP_NO_SSLv2; ++ ctx_options |= SSL_OP_NO_SSLv3; ++ ctx_options |= SSL_OP_NO_TLSv1; ++ ctx_options |= SSL_OP_NO_TLSv1_1; ++ break; ++ } + + SSL_CTX_set_options(connssl->ctx, ctx_options); + +diff --git a/packages/OS400/curl.inc.in b/packages/OS400/curl.inc.in +index 33ca12a..22a5511 100644 +--- a/packages/OS400/curl.inc.in ++++ b/packages/OS400/curl.inc.in +@@ -226,6 +226,12 @@ + d c 2 + d CURL_SSLVERSION_SSLv3... + d c 3 ++ d CURL_SSLVERSION_TLSv1_0... ++ d c 4 ++ d CURL_SSLVERSION_TLSv1_1... ++ d c 5 ++ d CURL_SSLVERSION_TLSv1_2... ++ d c 6 + * + d CURL_TLSAUTH_NONE... + d c 0 +diff --git a/src/tool_getparam.c b/src/tool_getparam.c +index 297b986..98d53a7 100644 +--- a/src/tool_getparam.c ++++ b/src/tool_getparam.c +@@ -175,6 +175,9 @@ static const struct LongShort aliases[]= { + {"$J", "metalink", FALSE}, + {"0", "http1.0", FALSE}, + {"1", "tlsv1", FALSE}, ++ {"10", "tlsv1.0", FALSE}, ++ {"11", "tlsv1.1", FALSE}, ++ {"12", "tlsv1.2", FALSE}, + {"2", "sslv2", FALSE}, + {"3", "sslv3", FALSE}, + {"4", "ipv4", FALSE}, +@@ -873,9 +876,25 @@ ParameterError getparameter(char *flag, /* f or -long-flag */ + /* HTTP version 1.0 */ + config->httpversion = CURL_HTTP_VERSION_1_0; + break; +- case '1': +- /* TLS version 1 */ +- config->ssl_version = CURL_SSLVERSION_TLSv1; ++ case '1': /* --tlsv1* options */ ++ switch(subletter) { ++ case '\0': ++ /* TLS version 1.x */ ++ config->ssl_version = CURL_SSLVERSION_TLSv1; ++ break; ++ case '0': ++ /* TLS version 1.0 */ ++ config->ssl_version = CURL_SSLVERSION_TLSv1_0; ++ break; ++ case '1': ++ /* TLS version 1.1 */ ++ config->ssl_version = CURL_SSLVERSION_TLSv1_1; ++ break; ++ case '2': ++ /* TLS version 1.2 */ ++ config->ssl_version = CURL_SSLVERSION_TLSv1_2; ++ break; ++ } + break; + case '2': + /* SSL version 2 */ +diff --git a/src/tool_setopt.c b/src/tool_setopt.c +index 4014177..9860117 100644 +--- a/src/tool_setopt.c ++++ b/src/tool_setopt.c +@@ -78,6 +78,9 @@ const NameValue setopt_nv_CURL_SSLVERSION[] = { + NV(CURL_SSLVERSION_TLSv1), + NV(CURL_SSLVERSION_SSLv2), + NV(CURL_SSLVERSION_SSLv3), ++ NV(CURL_SSLVERSION_TLSv1_0), ++ NV(CURL_SSLVERSION_TLSv1_1), ++ NV(CURL_SSLVERSION_TLSv1_2), + NVEND, + }; + +-- +1.7.1 + + +From 350765306d7e2946fc8295fa2bfc2fe0c14651fc Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Tue, 15 Oct 2013 20:31:04 +0200 +Subject: [PATCH 2/9] curl: document the new --tlsv1.[012] options + +[upstream commit 076726f1412205622414abd908723c4b33ca12cb] +--- + docs/curl.1 | 20 ++++++++++++++++---- + 1 files changed, 16 insertions(+), 4 deletions(-) + +diff --git a/docs/curl.1 b/docs/curl.1 +index b350865..53b378c 100644 +--- a/docs/curl.1 ++++ b/docs/curl.1 +@@ -1419,14 +1419,26 @@ Set TLS authentication type. Currently, the only supported option is "SRP", + for TLS-SRP (RFC 5054). If \fI--tlsuser\fP and \fI--tlspassword\fP are + specified but \fI--tlsauthtype\fP is not, then this option defaults to "SRP". + (Added in 7.21.4) +-.IP "--tlsuser <user>" +-Set username for use with the TLS authentication method specified with +-\fI--tlsauthtype\fP. Requires that \fI--tlspassword\fP also be set. (Added in +-7.21.4) + .IP "--tlspassword <password>" + Set password for use with the TLS authentication method specified with + \fI--tlsauthtype\fP. Requires that \fI--tlsuser\fP also be set. (Added in + 7.21.4) ++.IP "--tlsuser <user>" ++Set username for use with the TLS authentication method specified with ++\fI--tlsauthtype\fP. Requires that \fI--tlspassword\fP also be set. (Added in ++7.21.4) ++.IP "--tlsv1.0" ++(SSL) ++Forces curl to use TLS version 1.0 when negotiating with a remote TLS server. ++(Added in 7.34.0) ++.IP "--tlsv1.1" ++(SSL) ++Forces curl to use TLS version 1.1 when negotiating with a remote TLS server. ++(Added in 7.34.0) ++.IP "--tlsv1.2" ++(SSL) ++Forces curl to use TLS version 1.2 when negotiating with a remote TLS server. ++(Added in 7.34.0) + .IP "--tr-encoding" + (HTTP) Request a compressed Transfer-Encoding response using one of the + algorithms curl supports, and uncompress the data while receiving it. +-- +1.7.1 + + +From ba2b4e87b396faab9ccb5a3ca9aca935a7a78a1b Mon Sep 17 00:00:00 2001 +From: Steve Holme <steve_holme@hotmail.com> +Date: Wed, 16 Oct 2013 20:06:23 +0100 +Subject: [PATCH 3/9] SSL: Corrected version number for new symbols from commit ad34a2d5c87c7f + +[upstream commit 2c84ffe1549ea7d5029ba7863f53013562e6758d] +--- + docs/libcurl/symbols-in-versions | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions +index 57fa6eb..b275900 100644 +--- a/docs/libcurl/symbols-in-versions ++++ b/docs/libcurl/symbols-in-versions +@@ -678,9 +678,9 @@ CURL_SSLVERSION_DEFAULT 7.9.2 + CURL_SSLVERSION_SSLv2 7.9.2 + CURL_SSLVERSION_SSLv3 7.9.2 + CURL_SSLVERSION_TLSv1 7.9.2 +-CURL_SSLVERSION_TLSv1_0 7.33.0 +-CURL_SSLVERSION_TLSv1_1 7.33.0 +-CURL_SSLVERSION_TLSv1_2 7.33.0 ++CURL_SSLVERSION_TLSv1_0 7.34.0 ++CURL_SSLVERSION_TLSv1_1 7.34.0 ++CURL_SSLVERSION_TLSv1_2 7.34.0 + CURL_TIMECOND_IFMODSINCE 7.9.7 + CURL_TIMECOND_IFUNMODSINCE 7.9.7 + CURL_TIMECOND_LASTMOD 7.9.7 +-- +1.7.1 + + +From 5f908139b4e56c969bf6ef06c115a0a12353c827 Mon Sep 17 00:00:00 2001 +From: Steve Holme <steve_holme@hotmail.com> +Date: Wed, 16 Oct 2013 20:18:15 +0100 +Subject: [PATCH 4/9] DOCS: Added libcurl version number to CURLOPT_SSLVERSION + +[upstream commit 75b9b26465d5f01b52564293c2d553649f801f70] +--- + docs/libcurl/curl_easy_setopt.3 | 8 +++++--- + 1 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 +index 92db8f4..d73b664 100644 +--- a/docs/libcurl/curl_easy_setopt.3 ++++ b/docs/libcurl/curl_easy_setopt.3 +@@ -2212,6 +2212,8 @@ Even though this option doesn't need any parameter, in some configurations + arguments. Therefore, it's recommended to pass 1 as parameter to this option. + .IP CURLOPT_SSLVERSION + Pass a long as parameter to control what version of SSL/TLS to attempt to use. ++(Added in 7.9.2) ++ + The available options are: + .RS + .IP CURL_SSLVERSION_DEFAULT +@@ -2225,11 +2227,11 @@ Force SSLv2 + .IP CURL_SSLVERSION_SSLv3 + Force SSLv3 + .IP CURL_SSLVERSION_TLSv1_0 +-Force TLSv1.0 ++Force TLSv1.0 (Added in 7.34.0) + .IP CURL_SSLVERSION_TLSv1_1 +-Force TLSv1.1 ++Force TLSv1.1 (Added in 7.34.0) + .IP CURL_SSLVERSION_TLSv1_2 +-Force TLSv1.2 ++Force TLSv1.2 (Added in 7.34.0) + .RE + .IP CURLOPT_SSL_VERIFYPEER + Pass a long as parameter. By default, curl assumes a value of 1. +-- +1.7.1 + + +From 7940044fc233f626b912b5f51a7a0111a4c145d3 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka <kdudka@redhat.com> +Date: Mon, 25 Nov 2013 16:03:52 +0100 +Subject: [PATCH 5/9] nss: use a better API for controlling SSL version + +This change introduces a dependency on NSS 3.14+. + +[upstream commit 30e7e7552ba4397896ecac82ea04f38d52c4cc8f] +--- + configure | 20 ++++++++++---------- + configure.ac | 4 ++-- + docs/INTERNALS | 2 +- + lib/nss.c | 40 +++++++++++++++++++--------------------- + 4 files changed, 32 insertions(+), 34 deletions(-) + +diff --git a/configure b/configure +index 2496b3c..ebde78a 100755 +--- a/configure ++++ b/configure +@@ -23641,9 +23641,9 @@ $as_echo "found" >&6; } + CPPFLAGS="$CPPFLAGS $addcflags" + fi + +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PK11_CreateGenericObject in -lnss3" >&5 +-$as_echo_n "checking for PK11_CreateGenericObject in -lnss3... " >&6; } +-if ${ac_cv_lib_nss3_PK11_CreateGenericObject+:} false; then : ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_VersionRangeSet in -lnss3" >&5 ++$as_echo_n "checking for SSL_VersionRangeSet in -lnss3... " >&6; } ++if ${ac_cv_lib_nss3_SSL_VersionRangeSet+:} false; then : + $as_echo_n "(cached) " >&6 + else + ac_check_lib_save_LIBS=$LIBS +@@ -23655,26 +23655,26 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext + #ifdef __cplusplus + extern "C" + #endif +-char PK11_CreateGenericObject (); ++char SSL_VersionRangeSet (); + int main (void) + { +-return PK11_CreateGenericObject (); ++return SSL_VersionRangeSet (); + ; + return 0; + } + _ACEOF + if ac_fn_c_try_link "$LINENO"; then : +- ac_cv_lib_nss3_PK11_CreateGenericObject=yes ++ ac_cv_lib_nss3_SSL_VersionRangeSet=yes + else +- ac_cv_lib_nss3_PK11_CreateGenericObject=no ++ ac_cv_lib_nss3_SSL_VersionRangeSet=no + fi + rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LIBS=$ac_check_lib_save_LIBS + fi +-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nss3_PK11_CreateGenericObject" >&5 +-$as_echo "$ac_cv_lib_nss3_PK11_CreateGenericObject" >&6; } +-if test "x$ac_cv_lib_nss3_PK11_CreateGenericObject" = xyes; then : ++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nss3_SSL_VersionRangeSet" >&5 ++$as_echo "$ac_cv_lib_nss3_SSL_VersionRangeSet" >&6; } ++if test "x$ac_cv_lib_nss3_SSL_VersionRangeSet" = xyes; then : + + + $as_echo "#define USE_NSS 1" >>confdefs.h +diff --git a/configure.ac b/configure.ac +index 5970188..c81c879 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -2194,8 +2194,8 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then + CPPFLAGS="$CPPFLAGS $addcflags" + fi + +- dnl The function PK11_CreateGenericObject is needed to load libnsspem.so +- AC_CHECK_LIB(nss3, PK11_CreateGenericObject, ++ dnl The function SSL_VersionRangeSet() is needed to enable TLS > 1.0 ++ AC_CHECK_LIB(nss3, SSL_VersionRangeSet, + [ + AC_DEFINE(USE_NSS, 1, [if NSS is enabled]) + AC_SUBST(USE_NSS, [1]) +diff --git a/docs/INTERNALS b/docs/INTERNALS +index 03839c3..581b22d 100644 +--- a/docs/INTERNALS ++++ b/docs/INTERNALS +@@ -43,7 +43,7 @@ Portability + openldap 2.0 + MIT krb5 lib 1.2.4 + qsossl V5R2M0 +- NSS 3.12.x ++ NSS 3.14.x + axTLS 1.2.7 + Heimdal ? + +diff --git a/lib/nss.c b/lib/nss.c +index ff93a38..14a0b0c 100644 +--- a/lib/nss.c ++++ b/lib/nss.c +@@ -1175,9 +1175,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) + { + PRErrorCode err = 0; + PRFileDesc *model = NULL; +- PRBool ssl2 = PR_FALSE; +- PRBool ssl3 = PR_FALSE; +- PRBool tlsv1 = PR_FALSE; ++ SSLVersionRange sslver; + PRBool ssl_no_cache; + PRBool ssl_cbc_random_iv; + struct SessionHandle *data = conn->data; +@@ -1251,20 +1249,25 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) + switch (data->set.ssl.version) { + default: + case CURL_SSLVERSION_DEFAULT: +- ssl3 = PR_TRUE; +- if(data->state.ssl_connect_retry) ++ sslver.min = SSL_LIBRARY_VERSION_3_0; ++ if(data->state.ssl_connect_retry) { + infof(data, "TLS disabled due to previous handshake failure\n"); ++ sslver.max = SSL_LIBRARY_VERSION_3_0; ++ } + else +- tlsv1 = PR_TRUE; ++ sslver.max = SSL_LIBRARY_VERSION_TLS_1_0; + break; + case CURL_SSLVERSION_TLSv1: +- tlsv1 = PR_TRUE; ++ sslver.min = SSL_LIBRARY_VERSION_TLS_1_0; ++ sslver.max = SSL_LIBRARY_VERSION_TLS_1_0; + break; + case CURL_SSLVERSION_SSLv2: +- ssl2 = PR_TRUE; ++ sslver.min = SSL_LIBRARY_VERSION_2; ++ sslver.max = SSL_LIBRARY_VERSION_2; + break; + case CURL_SSLVERSION_SSLv3: +- ssl3 = PR_TRUE; ++ sslver.min = SSL_LIBRARY_VERSION_3_0; ++ sslver.max = SSL_LIBRARY_VERSION_3_0; + break; + case CURL_SSLVERSION_TLSv1_0: + case CURL_SSLVERSION_TLSv1_1: +@@ -1274,14 +1277,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) + goto error; + } + +- if(SSL_OptionSet(model, SSL_ENABLE_SSL2, ssl2) != SECSuccess) +- goto error; +- if(SSL_OptionSet(model, SSL_ENABLE_SSL3, ssl3) != SECSuccess) +- goto error; +- if(SSL_OptionSet(model, SSL_ENABLE_TLS, tlsv1) != SECSuccess) +- goto error; +- +- if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess) ++ if(SSL_VersionRangeSet(model, &sslver) != SECSuccess) + goto error; + + ssl_cbc_random_iv = !data->set.ssl_enable_beast; +@@ -1467,11 +1463,13 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) + if(model) + PR_Close(model); + +- /* cleanup on connection failure */ +- Curl_llist_destroy(connssl->obj_list, NULL); +- connssl->obj_list = NULL; ++ /* cleanup on connection failure */ ++ Curl_llist_destroy(connssl->obj_list, NULL); ++ connssl->obj_list = NULL; + +- if(ssl3 && tlsv1 && isTLSIntoleranceError(err)) { ++ if((sslver.min == SSL_LIBRARY_VERSION_3_0) ++ && (sslver.max == SSL_LIBRARY_VERSION_TLS_1_0) ++ && isTLSIntoleranceError(err)) { + /* schedule reconnect through Curl_retry_request() */ + data->state.ssl_connect_retry = TRUE; + infof(data, "Error in TLS handshake, trying SSLv3...\n"); +-- +1.7.1 + + +From 08398e7a8a8ba4e6fef1557392e3c0104cc3550f Mon Sep 17 00:00:00 2001 +From: Kamil Dudka <kdudka@redhat.com> +Date: Mon, 25 Nov 2013 16:14:55 +0100 +Subject: [PATCH 6/9] nss: put SSL version selection into separate fnc + +[upstream commit 4fb8241add5b68e95fbf44d3c2bf470201a9915d] +--- + lib/nss.c | 72 +++++++++++++++++++++++++++++++++++------------------------- + 1 files changed, 42 insertions(+), 30 deletions(-) + +diff --git a/lib/nss.c b/lib/nss.c +index 14a0b0c..2e2240b 100644 +--- a/lib/nss.c ++++ b/lib/nss.c +@@ -1171,6 +1171,46 @@ static CURLcode nss_load_ca_certificates(struct connectdata *conn, + return CURLE_OK; + } + ++static CURLcode nss_init_sslver(SSLVersionRange *sslver, ++ struct SessionHandle *data) ++{ ++ switch (data->set.ssl.version) { ++ default: ++ case CURL_SSLVERSION_DEFAULT: ++ sslver->min = SSL_LIBRARY_VERSION_3_0; ++ if(data->state.ssl_connect_retry) { ++ infof(data, "TLS disabled due to previous handshake failure\n"); ++ sslver->max = SSL_LIBRARY_VERSION_3_0; ++ } ++ else ++ sslver->max = SSL_LIBRARY_VERSION_TLS_1_0; ++ return CURLE_OK; ++ ++ case CURL_SSLVERSION_TLSv1: ++ sslver->min = SSL_LIBRARY_VERSION_TLS_1_0; ++ sslver->max = SSL_LIBRARY_VERSION_TLS_1_0; ++ return CURLE_OK; ++ ++ case CURL_SSLVERSION_SSLv2: ++ sslver->min = SSL_LIBRARY_VERSION_2; ++ sslver->max = SSL_LIBRARY_VERSION_2; ++ return CURLE_OK; ++ ++ case CURL_SSLVERSION_SSLv3: ++ sslver->min = SSL_LIBRARY_VERSION_3_0; ++ sslver->max = SSL_LIBRARY_VERSION_3_0; ++ return CURLE_OK; ++ ++ case CURL_SSLVERSION_TLSv1_0: ++ case CURL_SSLVERSION_TLSv1_1: ++ case CURL_SSLVERSION_TLSv1_2: ++ break; ++ } ++ ++ failf(data, "TLS minor version cannot be set"); ++ return CURLE_SSL_CONNECT_ERROR; ++} ++ + CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) + { + PRErrorCode err = 0; +@@ -1246,37 +1286,9 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) + if(SSL_OptionSet(model, SSL_NO_CACHE, ssl_no_cache) != SECSuccess) + goto error; + +- switch (data->set.ssl.version) { +- default: +- case CURL_SSLVERSION_DEFAULT: +- sslver.min = SSL_LIBRARY_VERSION_3_0; +- if(data->state.ssl_connect_retry) { +- infof(data, "TLS disabled due to previous handshake failure\n"); +- sslver.max = SSL_LIBRARY_VERSION_3_0; +- } +- else +- sslver.max = SSL_LIBRARY_VERSION_TLS_1_0; +- break; +- case CURL_SSLVERSION_TLSv1: +- sslver.min = SSL_LIBRARY_VERSION_TLS_1_0; +- sslver.max = SSL_LIBRARY_VERSION_TLS_1_0; +- break; +- case CURL_SSLVERSION_SSLv2: +- sslver.min = SSL_LIBRARY_VERSION_2; +- sslver.max = SSL_LIBRARY_VERSION_2; +- break; +- case CURL_SSLVERSION_SSLv3: +- sslver.min = SSL_LIBRARY_VERSION_3_0; +- sslver.max = SSL_LIBRARY_VERSION_3_0; +- break; +- case CURL_SSLVERSION_TLSv1_0: +- case CURL_SSLVERSION_TLSv1_1: +- case CURL_SSLVERSION_TLSv1_2: +- failf(data, "TLS minor version cannot be set\n"); +- curlerr = CURLE_SSL_CONNECT_ERROR; ++ /* enable/disable the requested SSL version(s) */ ++ if(nss_init_sslver(&sslver, data) != CURLE_OK) + goto error; +- } +- + if(SSL_VersionRangeSet(model, &sslver) != SECSuccess) + goto error; + +-- +1.7.1 + + +From 91a3d58fc48f0d08ab81f1e013b2d58a7ccd7146 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka <kdudka@redhat.com> +Date: Mon, 25 Nov 2013 16:25:15 +0100 +Subject: [PATCH 7/9] nss: allow to use TLS > 1.0 if built against recent NSS + +Bug: http://curl.haxx.se/mail/lib-2013-11/0162.html + +[upstream commit 7fc9325a52a6dad1f8b859a3269472ffc125edd0] +--- + lib/nss.c | 22 ++++++++++++++++++++++ + 1 files changed, 22 insertions(+), 0 deletions(-) + +diff --git a/lib/nss.c b/lib/nss.c +index 2e2240b..5cd33d8 100644 +--- a/lib/nss.c ++++ b/lib/nss.c +@@ -1188,7 +1188,13 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver, + + case CURL_SSLVERSION_TLSv1: + sslver->min = SSL_LIBRARY_VERSION_TLS_1_0; ++#ifdef SSL_LIBRARY_VERSION_TLS_1_2 ++ sslver->max = SSL_LIBRARY_VERSION_TLS_1_2; ++#elif defined SSL_LIBRARY_VERSION_TLS_1_1 ++ sslver->max = SSL_LIBRARY_VERSION_TLS_1_1; ++#else + sslver->max = SSL_LIBRARY_VERSION_TLS_1_0; ++#endif + return CURLE_OK; + + case CURL_SSLVERSION_SSLv2: +@@ -1202,8 +1208,24 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver, + return CURLE_OK; + + case CURL_SSLVERSION_TLSv1_0: ++ sslver->min = SSL_LIBRARY_VERSION_TLS_1_0; ++ sslver->max = SSL_LIBRARY_VERSION_TLS_1_0; ++ return CURLE_OK; ++ + case CURL_SSLVERSION_TLSv1_1: ++#ifdef SSL_LIBRARY_VERSION_TLS_1_1 ++ sslver->min = SSL_LIBRARY_VERSION_TLS_1_1; ++ sslver->max = SSL_LIBRARY_VERSION_TLS_1_1; ++ return CURLE_OK; ++#endif ++ break; ++ + case CURL_SSLVERSION_TLSv1_2: ++#ifdef SSL_LIBRARY_VERSION_TLS_1_2 ++ sslver->min = SSL_LIBRARY_VERSION_TLS_1_2; ++ sslver->max = SSL_LIBRARY_VERSION_TLS_1_2; ++ return CURLE_OK; ++#endif + break; + } + +-- +1.7.1 + + +From 404492a5a815b83fab58ce60434c01c270b6bc73 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka <kdudka@redhat.com> +Date: Mon, 2 Dec 2013 14:25:07 +0100 +Subject: [PATCH 8/9] nss: unconditionally require NSS_InitContext() + +... since we depend on NSS 3.14+ because of SSL_VersionRangeSet() anyway + +[upstream commit 865666afca926faa1c721020fc54364540caf734] +--- + configure | 12 ------------ + configure.ac | 8 -------- + lib/nss.c | 26 -------------------------- + 3 files changed, 0 insertions(+), 46 deletions(-) + +diff --git a/configure b/configure +index ebde78a..8741e21 100755 +--- a/configure ++++ b/configure +@@ -23697,18 +23697,6 @@ fi + { $as_echo "$as_me:${as_lineno-$LINENO}: detected NSS version $version" >&5 + $as_echo "$as_me: detected NSS version $version" >&6;} + +- ac_fn_c_check_func "$LINENO" "NSS_InitContext" "ac_cv_func_NSS_InitContext" +-if test "x$ac_cv_func_NSS_InitContext" = xyes; then : +- +- +-$as_echo "#define HAVE_NSS_INITCONTEXT 1" >>confdefs.h +- +- HAVE_NSS_INITCONTEXT=1 +- +- +-fi +- +- + if test "x$cross_compiling" != "xyes"; then + LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$nssprefix/lib$libsuff" + export LD_LIBRARY_PATH +diff --git a/configure.ac b/configure.ac +index c81c879..70ef0b7 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -2211,14 +2211,6 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then + if test "x$USE_NSS" = "xyes"; then + AC_MSG_NOTICE([detected NSS version $version]) + +- dnl NSS_InitContext() was introduced in NSS 3.12.5 and helps to prevent +- dnl collisions on NSS initialization/shutdown with other libraries +- AC_CHECK_FUNC(NSS_InitContext, +- [ +- AC_DEFINE(HAVE_NSS_INITCONTEXT, 1, [if you have the NSS_InitContext function]) +- AC_SUBST(HAVE_NSS_INITCONTEXT, [1]) +- ]) +- + dnl when shared libs were found in a path that the run-time + dnl linker doesn't search through, we need to add it to + dnl LD_LIBRARY_PATH to prevent further configure tests to fail +diff --git a/lib/nss.c b/lib/nss.c +index 5cd33d8..7b49c20 100644 +--- a/lib/nss.c ++++ b/lib/nss.c +@@ -76,9 +76,7 @@ PRFileDesc *PR_ImportTCPSocket(PRInt32 osfd); + + PRLock * nss_initlock = NULL; + PRLock * nss_crllock = NULL; +-#ifdef HAVE_NSS_INITCONTEXT + NSSInitContext * nss_context = NULL; +-#endif + + volatile int initialized = 0; + +@@ -853,7 +851,6 @@ isTLSIntoleranceError(PRInt32 err) + + static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir) + { +-#ifdef HAVE_NSS_INITCONTEXT + NSSInitParameters initparams; + + if(nss_context != NULL) +@@ -861,12 +858,6 @@ static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir) + + memset((void *) &initparams, '\0', sizeof(initparams)); + initparams.length = sizeof(initparams); +-#else /* HAVE_NSS_INITCONTEXT */ +- SECStatus rv; +- +- if(NSS_IsInitialized()) +- return CURLE_OK; +-#endif + + if(cert_dir) { + const bool use_sql = NSS_VersionCheck("3.12.0"); +@@ -875,35 +866,22 @@ static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir) + return CURLE_OUT_OF_MEMORY; + + infof(data, "Initializing NSS with certpath: %s\n", certpath); +-#ifdef HAVE_NSS_INITCONTEXT + nss_context = NSS_InitContext(certpath, "", "", "", &initparams, + NSS_INIT_READONLY | NSS_INIT_PK11RELOAD); + free(certpath); + + if(nss_context != NULL) + return CURLE_OK; +-#else /* HAVE_NSS_INITCONTEXT */ +- rv = NSS_Initialize(certpath, "", "", "", NSS_INIT_READONLY); +- free(certpath); +- +- if(rv == SECSuccess) +- return CURLE_OK; +-#endif + + infof(data, "Unable to initialize NSS database\n"); + } + + infof(data, "Initializing NSS with certpath: none\n"); +-#ifdef HAVE_NSS_INITCONTEXT + nss_context = NSS_InitContext("", "", "", "", &initparams, NSS_INIT_READONLY + | NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB | NSS_INIT_FORCEOPEN + | NSS_INIT_NOROOTINIT | NSS_INIT_OPTIMIZESPACE | NSS_INIT_PK11RELOAD); + if(nss_context != NULL) + return CURLE_OK; +-#else /* HAVE_NSS_INITCONTEXT */ +- if(NSS_NoDB_Init(NULL) == SECSuccess) +- return CURLE_OK; +-#endif + + infof(data, "Unable to initialize NSS\n"); + return CURLE_SSL_CACERT_BADFILE; +@@ -999,12 +977,8 @@ void Curl_nss_cleanup(void) + SECMOD_DestroyModule(mod); + mod = NULL; + } +-#ifdef HAVE_NSS_INITCONTEXT + NSS_ShutdownContext(nss_context); + nss_context = NULL; +-#else /* HAVE_NSS_INITCONTEXT */ +- NSS_Shutdown(); +-#endif + } + PR_Unlock(nss_initlock); + +-- +1.7.1 + + +From a643c75662b6909a5be1bed8273ed1273ab2b3f4 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka <kdudka@redhat.com> +Date: Mon, 2 Dec 2013 16:09:12 +0100 +Subject: [PATCH 9/9] nss: make sure that 'sslver' is always initialized + +[upstream commit e221b55f67a2e12717e911f25d1bb6c85fcebfab] +--- + lib/nss.c | 9 +++++---- + 1 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/lib/nss.c b/lib/nss.c +index 7b49c20..abc8a91 100644 +--- a/lib/nss.c ++++ b/lib/nss.c +@@ -1151,13 +1151,10 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver, + switch (data->set.ssl.version) { + default: + case CURL_SSLVERSION_DEFAULT: +- sslver->min = SSL_LIBRARY_VERSION_3_0; + if(data->state.ssl_connect_retry) { + infof(data, "TLS disabled due to previous handshake failure\n"); + sslver->max = SSL_LIBRARY_VERSION_3_0; + } +- else +- sslver->max = SSL_LIBRARY_VERSION_TLS_1_0; + return CURLE_OK; + + case CURL_SSLVERSION_TLSv1: +@@ -1211,7 +1208,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) + { + PRErrorCode err = 0; + PRFileDesc *model = NULL; +- SSLVersionRange sslver; + PRBool ssl_no_cache; + PRBool ssl_cbc_random_iv; + struct SessionHandle *data = conn->data; +@@ -1223,6 +1219,11 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) + long time_left; + PRUint32 timeout; + ++ SSLVersionRange sslver = { ++ SSL_LIBRARY_VERSION_3_0, /* min */ ++ SSL_LIBRARY_VERSION_TLS_1_0 /* max */ ++ }; ++ + if(connssl->state == ssl_connection_complete) + return CURLE_OK; + +-- +1.7.1 + |