diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 index bd342a125..e6e412305 100644 --- a/docs/libcurl/curl_easy_setopt.3 +++ b/docs/libcurl/curl_easy_setopt.3 @@ -1888,12 +1888,14 @@ CA certificates and you can specify alternate certificates with the When \fICURLOPT_SSL_VERIFYPEER\fP is nonzero, and the verification fails to prove that the certificate is authentic, the connection fails. When the -option is zero, the connection succeeds regardless. +option is zero, the peer certificate verification succeeds regardless. Authenticating the certificate is not by itself very useful. You typically want to ensure that the server, as authentically identified by its certificate, is the server you mean to be talking to. Use -\fICURLOPT_SSL_VERIFYHOST\fP to control that. +\fICURLOPT_SSL_VERIFYHOST\fP to control that. The check that the host name in +the certificate is valid for the host name you're connecting to is done +independently of the \fICURLOPT_SSL_VERIFYPEER\fP option. .IP CURLOPT_CAINFO Pass a char * to a zero terminated string naming a file holding one or more certificates to verify the peer with. This makes sense only when used in @@ -1951,20 +1953,6 @@ A specific error code (CURLE_SSL_CRL_BADFILE) is defined with the option. It is returned when the SSL exchange fails because the CRL file cannot be loaded. A failure in certificate verification due to a revocation information found in the CRL does not trigger this specific error. (Added in 7.19.0) -.IP CURLOPT_CERTINFO -Pass a long set to 1 to enable libcurl's certificate chain info gatherer. With -this enabled, libcurl (if built with OpenSSL) will extract lots of information -and data about the certificates in the certificate chain used in the SSL -connection. This data is then possible to extract after a transfer using -\fIcurl_easy_getinfo(3)\fP and its option \fICURLINFO_CERTINFO\fP. (Added in -7.19.1) -.IP CURLOPT_RANDOM_FILE -Pass a char * to a zero terminated file name. The file will be used to read -from to seed the random engine for SSL. The more random the specified file is, -the more secure the SSL connection will become. -.IP CURLOPT_EGDSOCKET -Pass a char * to the zero terminated path name to the Entropy Gathering Daemon -socket. It will be used to seed the random engine for SSL. .IP CURLOPT_SSL_VERIFYHOST Pass a long as parameter. @@ -1988,10 +1976,25 @@ doesn't matter what name it says. (This is not ordinarily a useful setting). When the value is 0, the connection succeeds regardless of the names in the certificate. -The default, since 7.10, is 2. +The default value for this option is 2. -This option controls checking the server's claimed identity. The server could -be lying. To control lying, see \fICURLOPT_SSL_VERIFYPEER\fP. +This option controls checking the server's certificate's claimed identity. +The server could be lying. To control lying, see +\fICURLOPT_SSL_VERIFYPEER\fP. +.IP CURLOPT_CERTINFO +Pass a long set to 1 to enable libcurl's certificate chain info gatherer. With +this enabled, libcurl (if built with OpenSSL) will extract lots of information +and data about the certificates in the certificate chain used in the SSL +connection. This data is then possible to extract after a transfer using +\fIcurl_easy_getinfo(3)\fP and its option \fICURLINFO_CERTINFO\fP. (Added in +7.19.1) +.IP CURLOPT_RANDOM_FILE +Pass a char * to a zero terminated file name. The file will be used to read +from to seed the random engine for SSL. The more random the specified file is, +the more secure the SSL connection will become. +.IP CURLOPT_EGDSOCKET +Pass a char * to the zero terminated path name to the Entropy Gathering Daemon +socket. It will be used to seed the random engine for SSL. .IP CURLOPT_SSL_CIPHER_LIST Pass a char *, pointing to a zero terminated string holding the list of ciphers to use for the SSL connection. The list must be syntactically correct,