FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=release%2F14.4.0 2026-02-26T18:00:38Z 2026-02-26T18:00:38Z Dag-Erling Smørgrav des@FreeBSD.org 2026-02-21T01:18:15Z urn:sha1:ca76ec7c4e563292a0c75781683b0421a4439a02 This fixes an issue where the first address that DNS returns is blocked by a packet filter, so we hang for a while, then the user hits Ctrl-C, interrupting connect(2), whereupon we move on to the next address, get a connection, request the file, and return to fetch(1), which sees that SIGINT was caught and bails. Note that we make no attempt to enforce fetchTimeout in the connection phase, and never have. It's feasible, but non-trivial, so we'll leave it as an exercise for future us. PR: 293312 MFC after: 1 week Reviewed by: imp Differential Revision: https://reviews.freebsd.org/D55406 (cherry picked from commit afbdcd402bb439bd3d487baaad63b68e95929265) (cherry picked from commit cca6f5eadb796b03379eb21f38c74ca46a64e45b) 2026-02-19T19:21:21Z Dag-Erling Smørgrav des@FreeBSD.org 2026-02-18T15:10:47Z urn:sha1:8755b5f3a590560996fb122abe22644d3be3836a PR: 293124 MFC after: 1 week Fixes: 792ef1ae7b94 ("Refactor fetch_connect() and fetch_bind() to improve readability and avoid repeating the same DNS lookups.") Reverts: 8f8a7f6fffd7 ("libfetch: apply timeout to SSL_read()") Reviewed by: eugen, imp Differential Revision: https://reviews.freebsd.org/D55293 (cherry picked from commit 73b82d1b0a2f09224e6d0f7a13dd73c66d740207) (insta-mfc requested by re@) (cherry picked from commit d97c824f5b4c9e7e3a1400699022cba146e450fa) 2026-02-12T21:24:34Z Dag-Erling Smørgrav des@FreeBSD.org 2026-02-07T14:24:40Z urn:sha1:53e0a1d1ff9b9a8bd27fa65e0f84ca95f0e41298 * Drop the ssl_meth member, there is no reason to hang on to it. * Replace deprecated SSLv23_client_method() with TLS_client_method(). * Check the return value from SSL_CTX_new(). Approved by: re (cperciva) MFC after: 1 week PR: 292903 Reviewed by: markj Differential Revision: https://reviews.freebsd.org/D55098 (cherry picked from commit 4e160c6197f75fda3d5d5997ce893087058cf718) (cherry picked from commit 4781aeb5b9cb564a53fee8128f6827402deaf9df) 2026-01-25T04:16:30Z Eugene Grosbein eugen@FreeBSD.org 2026-01-22T14:37:54Z urn:sha1:c41b12651a80e5c3c227e7428c2804f66ec17f2c (cherry picked from commit 129aec72250266e60c07ff4643623188f7c27a9d) 2026-01-25T04:13:02Z Eugene Grosbein eugen@FreeBSD.org 2026-01-22T08:40:35Z urn:sha1:fae1c84e95f7be4deacdab8a97f140714d8d2ae8 Currently, fetchTimeout works for non-SSL connections only, so does fetch -T. Fix it applying specified timeout to SSL_read(). (cherry picked from commit 8f8a7f6fffd7dca09013f7c4bfa075bc3825fb8e) 2025-08-25T13:57:56Z Ricardo Branco rbranco@suse.de 2025-07-14T20:10:38Z urn:sha1:a58eb4d233bfdddff243faec071f8dc18d3e5492 With the recent inclusion of the FD_CLOFORK and FD_RESOLVE_BENEATH flags, we must avoid clearing them when setting only FD_CLOEXEC. Signed-off-by: Ricardo Branco <rbranco@suse.de> Reviewed by: kib, markj MFC after: 1 month Pull Request: https://github.com/freebsd/freebsd-src/pull/1766 (cherry picked from commit 8768b60de16a3d72a8783ec1241a711a782a36a9) 2024-09-05T14:05:15Z Pietro Cerutti gahr@FreeBSD.org 2024-08-21T12:35:27Z urn:sha1:ab7a79806e3103accb1ba2d89ba51e977704a2e3 Fragments are reserved for client-side processing, see https://www.rfc-editor.org/rfc/rfc9110.html#section-7.1 Also, some servers don't like to receive HTTP requests with fragments. ``` $ fetch 'https://dropbox.com/a/b' fetch: https://dropbox.com/a/b: Not Found $ fetch 'https://dropbox.com/a/b#' fetch: https://dropbox.com/a/b#: Bad Request ``` This is a real-world scenario, where some download link from dropbox (eventually) redirects to an URL with a fragment: ``` $ fetch -v 'https://www.dropbox.com/sh/<some>/<thing>?dl=1' 2>&1 | grep requesting requesting https://www.dropbox.com/sh/<some>/<thing>?dl=1 requesting https://www.dropbox.com/scl/fo/<foo>/<bar>?rlkey=<baz>&dl=1 requesting https://<boo>.dl.dropboxusercontent.com/zip_download_get/<some-long-strig># ``` See how the last redirect ends with a `#`. Currently, libfetch includes the ending fragment and makes it impossible to download the file. Differential Revision: https://reviews.freebsd.org/D46318 MFC after: 2 weeks (cherry picked from commit 1af7d5f389536a2f391153513d95d92ffdf360e4) 2024-04-03T19:11:58Z Ka Ho Ng khng@FreeBSD.org 2024-03-25T20:10:42Z urn:sha1:72c3d91294c4d9c46c8185f90cba522f539d1051 This improves URL-parsing compability with cURL, and unbreaks parsing of similar kinds of URLs after commit 8d9de5b10a24. Sponsored by: Juniper Networks, Inc. Reviewed by: des MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D44493 (cherry picked from commit fb860ed0c52c2c1e7792ef86718620a439663c7f) 2023-12-13T16:23:57Z Dag-Erling Smørgrav des@FreeBSD.org 2023-10-08T04:35:15Z urn:sha1:6d0ea82cc2520726e49d9f03e1b67734608139e7 MFC after: 3 days Reviewed by: kevans, emaste Differential Revision: https://reviews.freebsd.org/D42119 (cherry picked from commit 2821a7498f65d357c68166e1978b491abef1ca4a) 2023-10-05T00:03:16Z Michael Osipov michael.osipov@siemens.com 2023-10-03T05:53:20Z urn:sha1:fb058a9a40a5adc82721ed822fb4fba213446a7b Before certctl(8), there was no system trust store, and libfetch relied on the CA certificate bundle from the ca_root_nss port to verify peers. We now have a system trust store and a reliable mechanism for manipulating it (to explicitly add, remove, or revoke certificates), but if ca_root_nss is installed, libfetch will still prefer that to the system trust store. With this change, unless explicitly overridden, libfetch will rely on OpenSSL to pick up the default system trust store. PR: 256902 MFC after: 3 days Reviewed by: kevans Differential Revision: https://reviews.freebsd.org/D42059 (cherry picked from commit 09f5c1e118bb4eca77b83a0d08f559b20f60aa59)