| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
* Added SSL_CTX_set_session_id_context()
* Added basic nimdoc
* Raise an error if sessionIdContext is longer than the maximum length
* Update nimdocs
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Added more SSL documentation to `net` module.
* Changed two of the net.nim doc refs to links.
* Update lib/pure/net.nim doc wording.
Co-authored-by: Dominik Picheta <dominikpicheta@googlemail.com>
* Update lib/pure/net.nim - added space to doc URI
Co-authored-by: alaviss <leorize+oss@disroot.org>
* Fixed another doc URI in net module.
* For net module doc added warning to connect procedure.
* Update net.nim
Co-authored-by: Dominik Picheta <dominikpicheta@googlemail.com>
Co-authored-by: alaviss <leorize+oss@disroot.org>
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* net: allow close() to ignore SSL failures due to disconnections
Comes with this PR is also a SIGPIPE handling contraption.
* net: don't do selectSigpipe() on macOS
macOS sockets have SO_NOSIGPIPE set, so an EPIPE doesn't necessary mean
that a SIGPIPE happened.
* net: fix alreadyBlocked logic
* net: WSAESHUTDOWN is also a disconnection error
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* asyncnet, net: don't attempt SSL_shutdown if a fatal error occurred
Per TLS standard and SSL_shutdown(3ssl). This should prevent errors
coming from a close() after a bad event (ie. the other end of the pipe
is closed before shutdown can be negotiated).
Ref #9867
* tssl: try sending until an error occur
* tssl: cleanup
* tssl: actually run the test
I forgot to make the test run :P
* tssl: run the test on ARC, maybe then it'll be happy
* tssl: turns off ARC, switch tlsEmulation on for freebsd
* tssl: document why tlsEmulation is employed
* net: move SafeDisconn handling logic to socketError
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
* {.deprecated: [existsFile: fileExists].}
* s/existsFile/fileExists/ except under deps
* workaround pending #14819
* fix test
|
| | |
|
| | |
|
| |
|
|
|
| |
This reverts commit d53a6355f3ad4401731142d8fc66b95ecfdfb321 and
688b1f250ed058ecc49737dc75fd089206fa25b9.
|
| |
|
|
|
|
|
| |
The default DLLs shipped are too old, switch to CiphersOld list to
ensure compatibility.
This commit should be reverted before any future release.
|
| |
|
|
|
| |
And the fun thing is that currently we use a super old OpenSSL on
Windows.
|
| |
|
|
|
| |
This setting is required for servers running OpenSSL < 1.1.0 to support
EC-based secure ciphers that is now part of the default cipher list.
|
| |
|
|
|
|
|
|
|
|
|
| |
Previously, the `net` module use the blanket "ALL" as the default cipher
list. This list may contain security ciphers that are weak and/or outdated
according to the current standard.
This commit introduces a new module `ssl_config` that contains the
latest OpenSSL configurations as recommended by Mozilla OpSec, and
make the `net` module use the cipher list targeting `intermediate`
compatibility level as the default.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Per SSL_get_error(3):
The current thread's error queue must be empty before the TLS/SSL I/O
operation is attempted, or SSL_get_error() will not work reliably.
There has been records of not clearing the error queue causing weird SSL
errors when there shouldn't be any, see:
https://github.com/openssl/openssl/issues/11889
|
| |
|
|
| |
Now matches the declaration in openssl/err.h
|
| | |
|
| |
|
|
|
|
|
| |
You're supposed to clear the error queue before any I/O operations. Per
SSL_get_error(3) man page.
This reverts commit ee3ed37300743addb1344e39bc46d3cd2b89a718.
|
| |
|
|
|
|
|
| |
Closing a socket clears the error queue of the entire thread, which
seems to be a bit too invasive.
Also I don't find any reason in the PR that added this.
|
| |
|
|
|
|
| |
This commit prevents "SSL_shutdown while in init" errors from happening.
See https://github.com/openssl/openssl/issues/710#issuecomment-253897666
|
| |
|
| |
Refs #13764
|
| |
|
|
|
|
|
| |
* added high level sendTo and recvFrom to std/asyncnet; tests were also added.
* add .since annotation, a changelog entry and fixed to standard library style guide.
* fixes net.recvFrom to work correctly with IPv6
* raise if domain is not AF_INET or AF_INET6
* renamed template to adaptRecvFromToDomain()
|
| |
|
|
| |
* move since from inclrtl to std/private/since
* move since import in system below for HCR
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Error -> Defect for defects
The distinction between Error and Defect is subjective,
context-dependent and somewhat arbitrary, so when looking at an
exception, it's hard to guess what it is - this happens often when
looking at a `raises` list _without_ opening the corresponding
definition and digging through layers of inheritance.
With the help of a little consistency in naming, it's at least possible
to start disentangling the two error types and the standard lib can set
a good example here.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* io: make file descriptors non-inheritable by default
This prevents file descriptors/handles leakage to child processes
that might cause issues like running out of file descriptors, or potential
security issues like leaking a file descriptor to a restricted file.
While this breaks backward compatibility, I'm rather certain that not
many programs (if any) actually make use of this implementation detail.
A new API `setInheritable` is provided for the few that actually want to
use this functionality.
* io: disable inheritance at file creation time for supported platforms
Some platforms provide extension to fopen-family of functions to allow
for disabling descriptor inheritance atomically during File creation.
This guards against possible leaks when a child process is spawned
before we managed to disable the file descriptor inheritance
(ie. in a multi-threaded program).
* net, nativesockets: make sockets non inheritable by default
With this commit, sockets will no longer leak to child processes when
you don't want it to. Should solves a lot of "address in use" that might
occur when your server has just restarted.
All APIs that create sockets in these modules now expose a `inheritable`
flag that allow users to toggle inheritance for the resulting sockets.
An implementation of `setInheritance()` is also provided for SocketHandle.
While atomically disabling inheritance at creation time is supported on
Windows, it's only implemented by native winsock2, which is too much for
now. This support can be implemented in a future patch.
* posix: add F_DUPFD_CLOEXEC
This command duplicates file descriptor with close-on-exec flag set.
Defined in POSIX.1-2008.
* ioselectors_kqueue: don't leak file descriptors
File descriptors internally used by ioselectors on BSD/OSX are now
shielded from leakage.
* posix: add O_CLOEXEC
This flag allows file descriptors to be open() with close-on-exec flag
set atomically.
This flag is specified in POSIX.1-2008
* tfdleak: test for selectors leakage
Also simplified the test by using handle-type agnostic APIs to test for
validity.
* ioselectors_epoll: mark all fd created close-on-exec
File descriptors from ioselectors should no longer leaks on Linux.
* tfdleak: don't check for selector leakage on Windows
The getFd proc for ioselectors_select returns a hardcoded -1
* io: add NoInheritFlag at compile time
* io: add support for ioctl-based close-on-exec
This allows for the flag to be set/unset in one syscall. While the
performance gains might be negliable, we have one less failure point
to deal with.
* tfdleak: add a test for setInheritable
* stdlib: add nimInheritHandles to restore old behaviors
* memfiles: make file handle not inheritable by default for posix
* io: setInheritable now operates on OS file handle
On Windows, the native handle is the only thing that's inheritable, thus
we can assume that users of this function will already have the handle
available to them. This also allows users to pass down file descriptors
from memfiles on Windows with ease, should that be desired.
With this, nativesockets.setInheritable can be made much simpler.
* changelog: clarify
* nativesockets: document setInheritable return value
* posix_utils: atomically disable fd inheritance for mkstemp
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* make i2d_X509 and d2i_X509 always available
i2d_X509 and d2i_X509 have been available in all versions of OpenSSL, so
make them available even if nimDisableCertificateValidation is set.
* introduce getPeerCertificates, fixes #13299
getPeerCertificates retrieves the verified certificate chain of the peer
we are connected to through an SSL-wrapped Socket/AsyncSocket. This
introduces the new type Certificate which stores a DER-encoded X509 certificate.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Implement SSL/TLS certificate checking #782
* SSL: Add nimDisableCertificateValidation
Remove NIM_SSL_CERT_VALIDATION env var
tests/untestable/thttpclient_ssl.nim ran successfully on Linux with libssl 1.1.1d
* SSL: update integ test to skip flapping tests
* Revert .travis.yml change
* nimDisableCertificateValidation disable imports
Prevent loading symbols that are not defined on older SSL libs
* SSL: disable verification in net.nim
..when nimDisableCertificateValidation is set
* Update changelog
* Fix peername type
* Add define check for windows
* Disable test on windows
* Add exprimental GitHub action CI for SSL
* Test nimDisableCertificateValidation
|
| |
|
|
| |
(#12754)
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
* Update OpenSSL example
Fix privkey filename.
Bump up RSA key size.
Add ECDSA example.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
--styleCheck:error
|
| |
|
|
|
|
|
| |
* fixes overloading resolution for passing owned(Future[string]) to Future[T]
* WIP: make --newruntime work with .async
* memtracker: make it compile again
* make Nimble compile again
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Add test
|
| | |
|
| | |
|