.IP "--http2"
(HTTP) Tells curl to issue its requests using HTTP 2. This requires that the
underlying libcurl was built to support it. (Added in 7.33.0)
+.IP "--no-npn"
+Disable the NPN TLS extension. NPN is enabled by default if libcurl was built
+with an SSL library that supports NPN. NPN is used by a libcurl that supports
+HTTP 2 to negoatiate HTTP 2 support with the server during https sessions.
+
+(Added in 7.36.0)
+.IP "--no-alpn"
+Disable the ALPN TLS extension. ALPN is enabled by default if libcurl was built
+with an SSL library that supports ALPN. ALPN is used by a libcurl that supports
+HTTP 2 to negoatiate HTTP 2 support with the server during https sessions.
+
+(Added in 7.36.0)
.IP "-1, --tlsv1"
(SSL)
Forces curl to use TLS version 1 when negotiating with a remote TLS server.
CURLOPT_SSLKEYPASSWD 7.9.3 7.17.0
CURLOPT_SSLKEYTYPE 7.9.3
CURLOPT_SSLVERSION 7.1
+CURLOPT_SSL_ENABLE_ALPN 7.36.0
+CURLOPT_SSL_ENABLE_NPN 7.36.0
CURLOPT_SSL_CIPHER_LIST 7.9
CURLOPT_SSL_CTX_DATA 7.10.6
CURLOPT_SSL_CTX_FUNCTION 7.10.6
/* Set authentication options directly */
CINIT(LOGIN_OPTIONS, OBJECTPOINT, 224),
+ /* Enable/disable TLS NPN extension (http2 over ssl might fail without) */
+ CINIT(SSL_ENABLE_NPN, LONG, 225),
+
+ /* Enable/disable TLS ALPN extension (http2 over ssl might fail without) */
+ CINIT(SSL_ENABLE_ALPN, LONG, 226),
+
CURLOPT_LASTENTRY /* the last unused */
} CURLoption;
set->tcp_keepintvl = 60;
set->tcp_keepidle = 60;
+ set->ssl_enable_npn = TRUE;
+ set->ssl_enable_alpn = TRUE;
return res;
}
case CURLOPT_TCP_KEEPINTVL:
data->set.tcp_keepintvl = va_arg(param, long);
break;
+ case CURLOPT_SSL_ENABLE_NPN:
+ data->set.ssl_enable_npn = (0 != va_arg(param, long))?TRUE:FALSE;
+ break;
+ case CURLOPT_SSL_ENABLE_ALPN:
+ data->set.ssl_enable_alpn = (0 != va_arg(param, long))?TRUE:FALSE;
+ break;
default:
/* unknown tag and its companion, just ignore: */
long tcp_keepintvl; /* seconds between TCP keepalive probes */
size_t maxconnects; /* Max idle connections in the connection cache */
+
+ bool ssl_enable_npn; /* TLS NPN extension? */
+ bool ssl_enable_alpn; /* TLS ALPN extension? */
};
struct Names {
{
struct connectdata *conn = (struct connectdata*) arg;
-#ifndef USE_NGHTTP2
- (void)sock;
- (void)conn;
-#else
+#ifdef USE_NGHTTP2
unsigned int buflenmax = 50;
unsigned char buf[50];
unsigned int buflen;
SSLNextProtoState state;
+ if(!conn->data->set.ssl_enable_npn && !conn->data->set.ssl_enable_alpn) {
+ return;
+ }
+
if(SSL_GetNextProto(sock, &state, buf, &buflen, buflenmax) == SECSuccess) {
switch(state) {
#endif
#endif
+
if(connssl->state == ssl_connection_complete)
return CURLE_OK;
}
#ifdef USE_NGHTTP2
+ if(data->set.httpversion == CURL_HTTP_VERSION_2_0) {
#ifdef SSL_ENABLE_NPN
- if(SSL_OptionSet(connssl->handle, SSL_ENABLE_NPN, PR_TRUE) != SECSuccess)
- goto error;
+ if(data->set.ssl_enable_npn) {
+ if(SSL_OptionSet(connssl->handle, SSL_ENABLE_NPN, PR_TRUE) != SECSuccess)
+ goto error;
+ }
#endif
#ifdef SSL_ENABLE_ALPN
- if(SSL_OptionSet(connssl->handle, SSL_ENABLE_ALPN, PR_TRUE) != SECSuccess)
- goto error;
+ if(data->set.ssl_enable_alpn) {
+ if(SSL_OptionSet(connssl->handle, SSL_ENABLE_ALPN, PR_TRUE)
+ != SECSuccess)
+ goto error;
+ }
#endif
#if defined(SSL_ENABLE_NPN) || defined(SSL_ENABLE_ALPN)
- alpn_protos[cur] = NGHTTP2_PROTO_VERSION_ID_LEN;
- cur++;
- memcpy(&alpn_protos[cur], NGHTTP2_PROTO_VERSION_ID,
- NGHTTP2_PROTO_VERSION_ID_LEN);
- cur += NGHTTP2_PROTO_VERSION_ID_LEN;
- alpn_protos[cur] = ALPN_HTTP_1_1_LENGTH;
- cur++;
- memcpy(&alpn_protos[cur], ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH);
-
- if(SSL_SetNextProtoNego(connssl->handle, alpn_protos, alpn_protos_len)
- != SECSuccess)
- goto error;
+ if(data->set.ssl_enable_npn || data->set.ssl_enable_alpn) {
+ alpn_protos[cur] = NGHTTP2_PROTO_VERSION_ID_LEN;
+ cur++;
+ memcpy(&alpn_protos[cur], NGHTTP2_PROTO_VERSION_ID,
+ NGHTTP2_PROTO_VERSION_ID_LEN);
+ cur += NGHTTP2_PROTO_VERSION_ID_LEN;
+ alpn_protos[cur] = ALPN_HTTP_1_1_LENGTH;
+ cur++;
+ memcpy(&alpn_protos[cur], ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH);
+
+ if(SSL_SetNextProtoNego(connssl->handle, alpn_protos, alpn_protos_len)
+ != SECSuccess)
+ goto error;
+ }
+ else {
+ infof(data, "SSL, can't negotiate HTTP/2.0 with neither NPN nor ALPN\n");
+ }
#endif
+ }
#endif
+
/* Force handshake on next I/O */
SSL_ResetHandshake(connssl->handle, /* asServer */ PR_FALSE);
bool test_event_based;
#endif
char *xoauth2_bearer; /* XOAUTH2 bearer token */
+ bool nonpn; /* enable/disable TLS NPN extension */
+ bool noalpn; /* enable/disable TLS ALPN extension */
struct Configurable* prev;
struct Configurable* next; /* Always last in the struct */
#endif
{"*F", "dns-servers", TRUE},
{"*g", "trace", TRUE},
+ {"*G", "npn", FALSE},
{"*h", "trace-ascii", TRUE},
+ {"*H", "alpn", FALSE},
{"*i", "limit-rate", TRUE},
{"*j", "compressed", FALSE},
{"*J", "tr-encoding", FALSE},
warnf(config, "--trace overrides an earlier trace/verbose option\n");
config->tracetype = TRACE_BIN;
break;
+ case 'G': /* --npn */
+ config->nonpn = (!toggle)?TRUE:FALSE;
+ break;
case 'h': /* --trace-ascii */
GetStr(&config->trace_dump, nextarg);
if(config->tracetype && (config->tracetype != TRACE_ASCII))
"--trace-ascii overrides an earlier trace/verbose option\n");
config->tracetype = TRACE_ASCII;
break;
+ case 'H': /* --alpn */
+ config->noalpn = (!toggle)?TRUE:FALSE;
+ break;
case 'i': /* --limit-rate */
{
/* We support G, M, K too */
" -0, --http1.0 Use HTTP 1.0 (H)",
" --http1.1 Use HTTP 1.1 (H)",
" --http2 Use HTTP 2 (H)",
+ " --no-npn Disable the NPN TLS extension",
+ " --no-alpn Disable the ALPN TLS extension",
" --ignore-content-length Ignore the HTTP Content-Length header",
" -i, --include Include protocol headers in the output (H/F)",
" -k, --insecure Allow connections to SSL sites without certs (H)",
if(config->sasl_ir)
my_setopt(curl, CURLOPT_SASL_IR, 1L);
+ if(config->nonpn) {
+ my_setopt(curl, CURLOPT_SSL_ENABLE_NPN, 0L);
+ }
+
+ if(config->noalpn) {
+ my_setopt(curl, CURLOPT_SSL_ENABLE_ALPN, 0L);
+ }
+
/* initialize retry vars for loop below */
retry_sleep_default = (config->retry_delay) ?
config->retry_delay*1000L : RETRY_SLEEP_DEFAULT; /* ms */
static const NameValue setopt_nv_CURLNONZERODEFAULTS[] = {
NV1(CURLOPT_SSL_VERIFYPEER, 1),
NV1(CURLOPT_SSL_VERIFYHOST, 1),
+ NV1(CURLOPT_SSL_ENABLE_NPN, 1),
+ NV1(CURLOPT_SSL_ENABLE_ALPN, 1),
NVEND
};
projects / platform / upstream / curl.git / commitdiff