OpenSSL does. Now, you can build and distribute an TLS/SSL capable libcurl
without including any Original BSD licensed code.
- I believe Debian is the first (only?) distro that provides libcurl/GnutTLS
+ I believe Debian is the first (only?) distro that provides libcurl/GnuTLS
packages.
yassl
While these three libraries offer similar features, they are not equal.
libcurl does not (yet) offer a standardized stable ABI if you decide to
- switch from using libcurl-openssl to libcurl-gnutls or vice versa. The GnuTLS
+ switch from using libcurl-openssl to libcurl-gnutls or vice-versa. The GnuTLS
and yassl support is very recent in libcurl and it has not been tested nor
used very extensively, while the OpenSSL equivalent code has been used and
thus matured since 1999.
GnuTLS
- - LGPL licensened
+ - LGPL licensed
- supports SRP
- lacks SSLv2 support
- lacks MD2 support (used by at least some CA certs)
- lacks the crypto functions libcurl uses for NTLM
OpenSSL
- - Original BSD licensened
+ - Original BSD licensed
- lacks SRP
- supports SSLv2
- older and more widely used
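Review bot: The change from "vice versa" to "vice-versa" in the libcurl-openssl/libcurl-gnutls sentence is not a spelling fix. "vice versa" without the hyphen is the standard form, so I would drop that pair of lines from the patch. The two "licensened" corrections in the GnuTLS and OpenSSL lists are fine as they are.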
- reads/writes the netscape cookie file format
- custom headers (replace/remove internally generated headers)
- custom user-agent string
- - custom referer string
+ - custom referrer string
- range
- proxy authentication
- time conditions
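Review bot: "custom referer string" in this HTTP feature list names the value of the HTTP request header, and that header field is spelled "Referer" in the protocol. "referrer" is correct English, but it no longer matches the header the item describes; I would leave the original spelling in this list.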
- SASL based authentication: Plain, Login, CRAM-MD5, Digest-MD5 and
NTLM (*9)
- list the folders of a mailbox
- - select a mailbox with support for verifing the UIDVALIDITY
- - fetch e-mails with support for specifing the UID and SECTION
+ - select a mailbox with support for verifying the UIDVALIDITY
+ - fetch e-mails with support for specifying the UID and SECTION
- upload e-mails via the append command
- enhanced command support for: EXAMINE, CREATE, DELETE, RENAME, STATUS,
STORE, COPY and UID via custom requests
$ make install
- (The teste suit does not work with the cmake build)
+ (The test suite does not work with the cmake build)
ccmake
=========
o When libcurl is told to perform a transfer, it first checks for an already
existing connection in the cache that we can use. Otherwise it creates a
new one and adds that the cache. If the cache is full already when a new
- conncetion is added added, it will first close the oldest unused one.
+ connection is added added, it will first close the oldest unused one.
o When the transfer operation is complete, the connection is left
open. Particular options may tell libcurl not to, and protocols may signal
closure on connections and then they won't be kept open of course.
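Review bot: The corrected line still reads "connection is added added", so the doubled word survives the fix. It should read "connection is added, it will first close the oldest unused one". While this paragraph is being touched, "adds that the cache" two lines earlier is missing "to".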
87. -J/--remote-header-name doesn't decode %-encoded file names. RFC6266
details how it should be done. The can of worm is basically that we have no
charset handling in curl and ascii >=128 is a challenge for us. Not to
- mention that decoding also means that we need to check for nastyness that is
+ mention that decoding also means that we need to check for nastiness that is
attempted, like "../" sequences and the like. Probably everything to the left
of any embedded slashes should be cut off.
http://curl.haxx.se/bug/view.cgi?id=1294
86. The disconnect commands (LOGOUT and QUIT) may not be sent by IMAP, POP3
- and SMTP if a failure occures during the authentication phase of a
+ and SMTP if a failure occurs during the authentication phase of a
connection.
85. Wrong STARTTRANSFER timer accounting for POST requests
such in the build.
http://curl.haxx.se/bug/view.cgi?id=1222
-81. When using -J (with -O), automaticly resumed downloading together with "-C
- -" fails. Without -J the same command line works! This happens because the
- resume logic is worked out before the target file name (and thus its
+81. When using -J (with -O), automatically resumed downloading together with
+ "-C -" fails. Without -J the same command line works! This happens because
+ the resume logic is worked out before the target file name (and thus its
pre-transfer size) has been figured out!
http://curl.haxx.se/bug/view.cgi?id=1169
->mstate is the multi state of this particular SessionHandle. When
multi_runsingle() is called, it will act on this handle according to which
state it is in. The mstate is also what tells which sockets to return for a
- speicific SessionHandle when curl_multi_fdset() is called etc.
+ specific SessionHandle when curl_multi_fdset() is called etc.
The libcurl source code generally use the name 'data' for the variable that
points to the SessionHandle.
re-use an existing one instead of creating a new as it creates a significant
performance boost.
- Each 'connectdata' identifies a single physical conncetion to a server. If
+ Each 'connectdata' identifies a single physical connection to a server. If
the connection can't be kept alive, the connection will be closed after use
and then this struct can be removed from the cache and freed.
->do_it is the function called to issue the transfer request. What we call
the DO action internally. If the DO is not enough and things need to be kept
- getting done for the entier DO sequence to complete, ->doing is then usually
+ getting done for the entire DO sequence to complete, ->doing is then usually
also provided. Each protocol that needs to do multiple commands or similar
for do/doing need to implement their own state machines (see SCP, SFTP,
FTP). Some protocols (only FTP and only due to historical reasons) has a
separate piece of the DO state called DO_MORE.
- ->doing keeps getting called while issudeing the transfer request command(s)
+ ->doing keeps getting called while issuing the transfer request command(s)
->done gets called when the transfer is complete and DONE. That's after the
main data has been transferred.
- ->do_more gets called doring the DO_MORE state. The FTP protocol uses this
+ ->do_more gets called during the DO_MORE state. The FTP protocol uses this
state when setting up the second connection.
->proto_getsock
No matter what, we NEVER EVER respond to trolls or spammers on the list. If
you believe the list admin should do something particular, contact him/her
off-list. The subject will be taken care of as good as possible to prevent
- repeated offences, but responding on the list to such messages never lead to
+ repeated offenses, but responding on the list to such messages never lead to
anything good and only puts the light even more on the offender: which was
the entire purpose of it getting to the list in the first place.
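Review bot: "offences" is valid British spelling rather than a typo, and the patch leaves "flavours" untouched in the NetWare text, so this change swaps one convention for another without making the docs consistent. The changed line also still says "never lead to", where the verb should be "leads". I would fix the verb and keep the original spelling.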
Curl has been successfully compiled with gcc / nlmconv on different flavours
of Linux as well as with the official Metrowerks CodeWarrior compiler.
- While not being the main development target, a continously growing share of
+ While not being the main development target, a continuously growing share of
curl users are NetWare-based, specially also consuming the lib from PHP.
The unix-style man pages are tricky to read on windows, so therefore are all
- Write a security advisory draft about the problem that explains what the
problem is, its impact, which versions it affects, solutions or
- work-arounds, when the release is out and make sure to credit all
+ workarounds, when the release is out and make sure to credit all
contributors properly.
- Request a CVE number from distros@openwall.org[1] when also informing and
the same manner we always announce releases. It gets sent to the
curl-announce, curl-library and curl-users mailing lists.
-- The security web page on the web site should get the new vulernability
+- The security web page on the web site should get the new vulnerability
mentioned.
[1] = http://oss-security.openwall.org/wiki/mailing-lists/distros
SSL problems
- First, let's establish that we often refer to TLS and SSL interchangably as
+ First, let's establish that we often refer to TLS and SSL interchangeably as
SSL here. The current protocol is called TLS, it was called SSL a long time
ago.
Some broken servers fail to support the protocol negotiation properly that
SSL servers are supposed to handle. This may cause the connection to fail
- completely. Sometimes you may need to explicity select a SSL version to use
+ completely. Sometimes you may need to explicitly select a SSL version to use
when connecting to make the connection succeed.
An additional complication can be that modern SSL libraries sometimes are
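Review bot: The changed line fixes "explicity" but keeps "a SSL version". Since the line is being rewritten anyway, the article should be "an": "explicitly select an SSL version to use".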
SSL ciphers
- Clients give servers a list of ciphers to select from. If the list doens't
+ Clients give servers a list of ciphers to select from. If the list doesn't
include any ciphers the server wants/can use, the connection handshake
fails.
and automatically add the 'sql:' prefix to the certdb directory (either the
hardcoded default /etc/pki/nssdb or the directory configured with SSL_DIR
environment variable) if version 3.12.0 or later is detected. To check which
-ertdb format your distribution provides, examine the default
+certdb format your distribution provides, examine the default
certdb location: /etc/pki/nssdb; the new certdb format can be identified by
the filenames cert9.db, key4.db, pkcs11.txt; filenames of older versions are
cert8.db, key3.db, modsec.db.
2.4 User name and password
Some services are setup to require HTTP authentication and then you need to
- provide name and password which then is transfered to the remote site in
+ provide name and password which then is transferred to the remote site in
various ways depending on the exact authentication protocol used.
You can opt to either insert the user and password in the URL or you can
Curl has a full blown cookie parsing engine built-in that comes to use if you
want to reconnect to a server and use cookies that were stored from a
- previous connection (or handicrafted manually to fool the server into
+ previous connection (or hand-crafted manually to fool the server into
believing you had a previous connection). To use previously stored cookies,
you run curl like:
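Review bot: "hand-crafted manually" on the changed line is redundant, because something hand-crafted is already made manually. Dropping "manually" would read better than only respelling "handicrafted".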
sometimes they use such code to set or modify cookie contents. Possibly they
do that to prevent programmed logins, like this manual describes how to...
Anyway, if reading the code isn't enough to let you repeat the behavior
- manually, capturing the HTTP requests done by your browers and analyzing the
+ manually, capturing the HTTP requests done by your browsers and analyzing the
sent cookies is usually a working method to work out how to shortcut the
javascript need.
.IP "--no-npn"
Disable the NPN TLS extension. NPN is enabled by default if libcurl was built
with an SSL library that supports NPN. NPN is used by a libcurl that supports
-HTTP 2 to negoatiate HTTP 2 support with the server during https sessions.
+HTTP 2 to negotiate HTTP 2 support with the server during https sessions.
(Added in 7.36.0)
.IP "--no-alpn"
Disable the ALPN TLS extension. ALPN is enabled by default if libcurl was built
with an SSL library that supports ALPN. ALPN is used by a libcurl that supports
-HTTP 2 to negoatiate HTTP 2 support with the server during https sessions.
+HTTP 2 to negotiate HTTP 2 support with the server during https sessions.
(Added in 7.36.0)
.IP "-1, --tlsv1"
supports this operation. The c-ares backend is the only such one. (Added in
7.33.0)
.IP "-e, --referer <URL>"
-(HTTP) Sends the "Referer Page" information to the HTTP server. This can also
+(HTTP) Sends the "Referrer Page" information to the HTTP server. This can also
be set with the \fI-H, --header\fP flag of course. When used with
\fI-L, --location\fP you can append ";auto" to the --referer URL to make curl
automatically set the previous URL when it follows a Location: header. The
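Review bot: The quoted "Referer Page" in the changed description refers to the HTTP header this option sets, and that header is spelled "Referer" on the wire, matching the option name "-e, --referer" on the line above and "--referer URL" two lines below. Writing "Referrer Page" makes the description disagree with the flag it documents; I would revert this line.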
.IP "--ssl-allow-beast"
(SSL) This option tells curl to not work around a security flaw in the SSL3
and TLS1.0 protocols known as BEAST. If this option isn't used, the SSL layer
-may use work-arounds known to cause interoperability problems with some older
+may use workarounds known to cause interoperability problems with some older
SSL implementations. WARNING: this option loosens the SSL security, and by
using this flag you ask for exactly that. (Added in 7.25.0)
.IP "--socks4 <host[:port]>"
If you use an SSPI-enabled curl binary and perform NTLM authentication, you
can force curl to select the user name and password from your environment by
-simply specifying a single colon with this option: "-u :" or by specfying the
+simply specifying a single colon with this option: "-u :" or by specifying the
login options on their own, for example "-u ;auth=NTLM".
You can use the optional login options part to specify protocol specific
7.26.0)
(IMAP)
-Specifies a custom IMAP command to use insead of LIST. (Added in 7.30.0)
+Specifies a custom IMAP command to use instead of LIST. (Added in 7.30.0)
(SMTP)
Specifies a custom SMTP command to use instead of HELP or VRFY. (Added in 7.34.0)