neon

neon is an HTTP and WebDAV client library, with a C interface. Features:

• High-level wrappers for common HTTP and WebDAV operations (GET, MOVE, DELETE, etc)
Low-level interface to the HTTP request/response engine, allowing the use of arbitrary HTTP methods, headers, etc.
• Authentication support including Basic and Digest support, along with GSSAPI-based Negotiate on Unix, and SSPI-based Negotiate/NTLM on Win32
• SSL/TLS support using OpenSSL or GnuTLS; exposing an abstraction layer for verifying server certificates, handling client certificates, and examining certificate properties. Smartcard-based client certificates are also supported via a PKCS#11 wrapper interface.
• Abstract interface to parsing XML using libxml2 or expat, and wrappers for simplifying handling XML HTTP response bodies
• WebDAV metadata support; wrappers for PROPFIND and PROPPATCH to simplify property manipulation.

neon is free software, distributed under the GNU Library GPL.

Patches, feature requests, bug reports, questions etc. can be sent to the neon mailing list (for which a web archive is also available). The neon-commits list receives commit messages from the Subversion repository.

Current Release

Please note: The neon API is subject to backwards-incompatible change over minor versions (0.24.x -> 0.25.x) but is stable across patch releases (0.24.0 -> 0.24.x).

• Source code: neon-0.29.0.tar.gz
• Reference documention
• Subversion repository

Changes in release neon 0.29.0, 13 September 2009 (PGP signature)

• Interface changes:
  • none, API and ABI backwards-compatible with 0.28.x and 0.27.x
• New interfaces and features:
  • added NTLM auth support for Unix builds (Kai Sommerfeld, Daniel Stenberg)
  • ne_auth.h: added NE_AUTH_GSSAPI and NE_AUTH_NTLM auth protocol codes
  • added ne_acl3744.h, updated WebDAV ACL support (Henrik Holst)
  • added built-in SOCKS v4/v4a/v5 support: ne_socket.h:ne_sock_proxy(), and ne_session.h:ne_session_socks_proxy()
  • added support for system-default proxies: ne_session_system_proxy(), implemented using libproxy where available
  • ne_session.h: added NE_SESSFLAG_EXPECT100 session flag, SSL verification failure bits extended by NE_SSL_BADCHAIN and NE_SSL_REVOKED, better handling of failures within the cert chain (thanks to Ludwig Nussel)
  • ne_socket.h: ne_sock_writev() (Julien Reichel), ne_sock_set_error(), ne_iaddr_raw(), ne_iaddr_parse()
  • ne_string.h: ne_buffer_qappend(), ne_strnqdup()
• Deprecated interfaces:
  • ne_acl.h is obsoleted by ne_acl3744.h (but is still present)
  • obsolete feature "NE_FEATURE_SOCKS" now never marked present
• Other changes:
  • fix handling of "stale" flag in RFC2069-style Digest auth challenge
  • ne_free() implemented as a function on Win32 (thanks to Helge Hess)
  • symbol versioning used for new symbols, where supported
  • ensure SSL connections are closed cleanly with OpenSSL
  • fix build with OpenSSL 1.0 beta
  • updated Polish (pl) translation (Arfrever Frehtes Taifersar Arahesis)

Changes in release neon 0.28.6, 18 August 2009 (PGP signature)

• SECURITY (CVE-2009-2473): Fix "billion laughs" attack against expat; could allow a Denial of Service attack by a malicious server.
• SECURITY (CVE-2009-2474): Fix handling of an embedded NUL byte in a certificate subject name; could allow an undetected MITM attack against an SSL server if a trusted CA issues such a cert.
  Note: CVE-2009-2474 does affect GnuTLS as well as OpenSSL, contrary to previous announcement.

Release history