| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since all URLContexts have the same AVOptions, such AVOptions
will be applied on the outermost context only and removed from the
dict, while they probably make sense on all contexts.
This makes sure that rw_timeout gets propagated to the innermost
URLContext (to make sure it gets passed to the tcp protocol, when
opening a http connection for instance).
Alternatively, such matching options would be kept in the dict
and only removed after the ffurl_connect call.
Signed-off-by: Martin Storsjö <martin@martin.st>
|
| |
|
|
|
| |
This way, the decisions about which protocols are available for use in
any given situations can be delegated to the caller.
|
| |
|
|
|
|
|
|
| |
Move the OpenSSL and GnuTLS implementations to their own files. Other
than the connection code (including options) and some boilerplate, no
code is actually shared.
Signed-off-by: Martin Storsjö <martin@martin.st>
|
| |
|
|
| |
Signed-off-by: Martin Storsjö <martin@martin.st>
|
| |
|
|
|
|
| |
These aren't necessary any longer.
Signed-off-by: Martin Storsjö <martin@martin.st>
|
| |
|
|
|
|
|
|
| |
Since the underlying URLContext read functions are used,
they handle interruption, without having to handle it at
this level.
Signed-off-by: Martin Storsjö <martin@martin.st>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This avoids hijacking the fd, by reading using the normal
URLContext functions instead. This allowing reading data that has
been buffered in the underlying URLContext.
This avoids using the libraries own send functions that can
cause SIGPIPE.
The fd is still used for polling the lowlevel socket, for
waiting for retries.
Signed-off-by: Martin Storsjö <martin@martin.st>
|
| |
|
|
| |
Signed-off-by: Martin Storsjö <martin@martin.st>
|
| | |
|
| |
|
|
| |
Make tcp and tls urls near-interchangeable.
|
| |
|
|
| |
Signed-off-by: Diego Biurrun <diego@biurrun.de>
|
| |
|
|
|
|
|
|
|
| |
Also add options for specifying a certificate and key, which can
be used both when operating as client and as server.
Partially based on a patch by Peter Ross.
Signed-off-by: Martin Storsjö <martin@martin.st>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A file containing the trusted CA certificates needs to be
supplied via the ca_file AVOption, unless the TLS library
has got a system default file/database set up.
This doesn't check the hostname of the peer certificate with
openssl, which requires a non-trivial piece of code for
manually matching the desired hostname to the string provided
by the certificate, not provided as a library function.
That is, with openssl, this only validates that the received
certificate is signed with the right CA, but not that it is
the actual server we think we're talking to.
Verification is still disabled by default since we can't count
on a proper CA database existing at all times.
Signed-off-by: Martin Storsjö <martin@martin.st>
|
| |
|
|
| |
Signed-off-by: Martin Storsjö <martin@martin.st>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The handling of the environment variable no_proxy, present since
one of the initial commits (de6d9b6404), is inconsistent with
how many other applications and libraries interpret this
variable. Its bare presence does not indicate that the use of
proxies should be skipped, but it is some sort of pattern for
hosts that does not need using a proxy (e.g. for a local network).
As investigated by Rudolf Polzer, different libraries handle this
in different ways, some supporting IP address masks, some supporting
arbitrary globbing using *, some just checking that the pattern matches
the end of the hostname without regard for whether it actually is
the right domain or a domain that ends in the same string.
This simple logic should be pretty similar to the logic used by
lynx and curl.
Signed-off-by: Martin Storsjö <martin@martin.st>
|
| |
|
|
|
|
|
|
|
|
| |
OpenSSL returns 0 when the peer has closed the connection. GnuTLS
doesn't return that though, but returns
GNUTLS_E_UNEXPECTED_PACKET_LENGTH if the connection simply is closed
without a clean close notify packet.
Tested-by: Antti Seppälä <a.seppala@gmail.com>
Signed-off-by: Martin Storsjö <martin@martin.st>
|
| |
|
|
|
|
|
| |
This definition is in two files, since the definitions will move
to the private header at the next bump.
Signed-off-by: Martin Storsjö <martin@martin.st>
|
| | |
|
| |
|
|
| |
Signed-off-by: Martin Storsjö <martin@martin.st>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
TLSv1 is compatible with SSLv3, so this doesn't change much
in terms of compatibility. By explicitly using TLSv1, OpenSSL
sends the server name indication (SNI) header, which we
already set using SSL_set_tlsext_host_name (earlier, this
didn't have any effect).
SNI allows servers to serve SSL content for different host
names with separate certificates on one single port (vhosts).
Signed-off-by: Martin Storsjö <martin@martin.st>
|
| |
|
|
|
| |
Not used anywhere yet, support for passing options from avio_open() will
follow.
|
| |
|
|
|
| |
Change all uses of these function to pass the relevant
callback on.
|
| | |
|
| |
|
|
| |
Signed-off-by: Martin Storsjö <martin@martin.st>
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
The return value ret isn't an error code that can be passed
to ERR_error_string().
This makes the error messages printed actually contain useful
information.
Signed-off-by: Martin Storsjö <martin@martin.st>
|
|
|
Note, this protocol doesn't yet check verify the server
certificate against a local database of trusted CA root
certificates.
Signed-off-by: Martin Storsjö <martin@martin.st>
|
