neon

neon is an HTTP and WebDAV client library, with a C interface. Features:

• High-level wrappers for common HTTP and WebDAV operations (GET, MOVE, DELETE, etc)
Low-level interface to the HTTP request/response engine, allowing the use of arbitrary HTTP methods, headers, etc.
• Authentication support including Basic and Digest support, along with GSSAPI-based Negotiate on Unix, and SSPI-based Negotiate/NTLM on Win32
• SSL/TLS support using OpenSSL or GnuTLS; exposing an abstraction layer for verifying server certificates, handling client certificates, and examining certificate properties. Smartcard-based client certificates are also supported via a PKCS#11 wrapper interface.
• Abstract interface to parsing XML using libxml2 or expat, and wrappers for simplifying handling XML HTTP response bodies
• WebDAV metadata support; wrappers for PROPFIND and PROPPATCH to simplify property manipulation.

neon is free software, distributed under the GNU Library GPL.

Patches, feature requests, bug reports, questions etc. can be sent to the neon mailing list (for which a web archive is also available). The neon-commits list receives commit messages from the Subversion repository.

Current Release

Please note: The neon API is subject to backwards-incompatible change over minor versions (0.24.x -> 0.25.x) but is stable across patch releases (0.24.0 -> 0.24.x).

• Source code: neon-0.29.6.tar.gz
• Reference documention
• Subversion repository

Changes in release neon 0.29.6, 3 May 2011 (PGP signature)

• Don't abort SSL handshake with GnuTLS if a client cert is requested but none is configured/available (thanks to Patrick Ohly)
• Fix GnuTLS build with Nettle (Arfrever Frehtes Taifersar Arahesis)
• Win32: Fix handling of SSPI challenges (Ivan Zhakov)
• Fix the method string passed to create_request hooks to have the same lifetime as the request object (Patrick Ohly)
• Docs updates.

Changes in release neon 0.29.5, 14 October 2010 (PGP signature)

• Fix GnuTLS handshakes failures with 'TLS warning alert' (Bryan Cain)
• Further fix for SSPI support on Win32 (Danil Shopyrin)

Changes in release neon 0.29.4, 1 October 2010 (PGP signature)

• Fix SNI support (Tobias Gruetzmacher)
• Fix possible Solaris linker errors if building static library
• Win32: Fix Kerberos authentication support with SSPI (Danil Shopyrin)
• Fix error handling when pulling a request body from an file (thanks to Lou Montulli)
• Fix ne_request_dispatch() return value for SOCKS proxy failure cases
• Tighten SSL cert ID checks to deny a wildcard match against an IP address

Changes in release neon 0.29.3, 11 January 2010 (PGP signature)

• Change ne_sock_close() to no longer wait for SSL closure alert:
  • fixes possible hang with IIS servers when closing SSL connection
  • this reverts the behaviour with OpenSSL to match 0.28.x, and changes the behaviour with GnuTLS to match that with OpenSSL
• Fix memory leak with GnuTLS
• API clarification in ne_sock_close():
  • SSL closure handling now documented
  • return value semantics fixed to describe the implementation

Changes in release neon 0.29.2, 30 December 2009 (PGP signature)

• Fix spurious 'certificate verify failed' errors with OpenSSL (Tom C)
• Fix unnecessary re-authentication with SSPI (Danil Shopyrin)
  • Note that this change was previously listed in the 0.29.1 changes, however the patch had not been merged.

Changes in release neon 0.29.1, 15 December 2009 (PGP signature)

• Fixes for (Unix) NTLM implementation:
  • fix handling of session timeout (Kai Sommerfeld)
  • fix possible crash (basic@mozdev.org)
• Build fixes for Win32:
  • fix use of socklen_t with recent SDKs (Stefan Kung)
  • fix USE_GETADDRINFO on Win2K (Kai Sommerfeld)
• Fix build with versions of GnuTLS older than 2.8.0.

Changes in release neon 0.29.0, 13 September 2009 (PGP signature)

• Interface changes:
  • none, API and ABI backwards-compatible with 0.28.x and 0.27.x
• New interfaces and features:
  • added NTLM auth support for Unix builds (Kai Sommerfeld, Daniel Stenberg)
  • ne_auth.h: added NE_AUTH_GSSAPI and NE_AUTH_NTLM auth protocol codes
  • added ne_acl3744.h, updated WebDAV ACL support (Henrik Holst)
  • added built-in SOCKS v4/v4a/v5 support: ne_socket.h:ne_sock_proxy(), and ne_session.h:ne_session_socks_proxy()
  • added support for system-default proxies: ne_session_system_proxy(), implemented using libproxy where available
  • ne_session.h: added NE_SESSFLAG_EXPECT100 session flag, SSL verification failure bits extended by NE_SSL_BADCHAIN and NE_SSL_REVOKED, better handling of failures within the cert chain (thanks to Ludwig Nussel)
  • ne_socket.h: ne_sock_writev() (Julien Reichel), ne_sock_set_error(), ne_iaddr_raw(), ne_iaddr_parse()
  • ne_string.h: ne_buffer_qappend(), ne_strnqdup()
• Deprecated interfaces:
  • ne_acl.h is obsoleted by ne_acl3744.h (but is still present)
  • obsolete feature "NE_FEATURE_SOCKS" now never marked present
• Other changes:
  • fix handling of "stale" flag in RFC2069-style Digest auth challenge
  • ne_free() implemented as a function on Win32 (thanks to Helge Hess)
  • symbol versioning used for new symbols, where supported
  • ensure SSL connections are closed cleanly with OpenSSL
  • fix build with OpenSSL 1.0 beta
  • updated Polish (pl) translation (Arfrever Frehtes Taifersar Arahesis)

Changes in release neon 0.28.6, 18 August 2009 (PGP signature)

• SECURITY (CVE-2009-2473): Fix "billion laughs" attack against expat; could allow a Denial of Service attack by a malicious server.
• SECURITY (CVE-2009-2474): Fix handling of an embedded NUL byte in a certificate subject name; could allow an undetected MITM attack against an SSL server if a trusted CA issues such a cert.
  Note: CVE-2009-2474 does affect use of GnuTLS as well as OpenSSL, contrary to previous announcement.

Release history