mirror of
https://github.com/moparisthebest/curl
synced 2024-12-21 15:48:49 -05:00
Bryan Henderson's fine update of SSL_VERIFYPEER and SSL_VERIFYHOST
This commit is contained in:
parent
4be2136de4
commit
d12b44204b
@ -999,25 +999,52 @@ operations.
|
||||
Pass a long as parameter. Set what version of SSL to attempt to use, 2 or
|
||||
3. By default, the SSL library will try to solve this by itself although some
|
||||
servers make this difficult why you at times may have to use this option.
|
||||
|
||||
|
||||
.IP CURLOPT_SSL_VERIFYPEER
|
||||
Pass a long that is set to a zero value to stop curl from verifying the peer's
|
||||
certificate (7.10 starting setting this option to non-zero by default).
|
||||
Alternate certificates to verify against can be specified with the
|
||||
\fICURLOPT_CAINFO\fP option or a certificate directory can be specified with
|
||||
the \fICURLOPT_CAPATH\fP option. As of 7.10, curl installs a default bundle.
|
||||
\fICURLOPT_SSL_VERIFYHOST\fP may also need to be set to 1 or 0 if
|
||||
\fICURLOPT_SSL_VERIFYPEER\fP is disabled (it defaults to 2).
|
||||
|
||||
Pass a long as parameter.
|
||||
|
||||
This option determines whether curl verifies the authenticity of the
|
||||
peer's certificate. A nonzero value means curl verifies; zero means it
|
||||
doesn't. The default is nonzero, but before 7.10, it was zero.
|
||||
|
||||
When negotiating an SSL connection, the server sends a certificate
|
||||
indicating its identity. Curl verifies whether the certificate is
|
||||
authentic, i.e. that you can trust that the server is who the
|
||||
certificate says it is. This trust is based on a chain of digital
|
||||
signatures, rooted in certification authority (CA) certificates you
|
||||
supply. As of 7.10, curl installs a default bundle of CA certificates
|
||||
and you can specify alternate certificates with the
|
||||
\fICURLOPT_CAINFO\fP option or the \fICURLOPT_CAPATH\fP option.
|
||||
|
||||
When \fICURLOPT_SSL_VERIFYPEER\fP is nonzero, and the verification
|
||||
fails to prove that the certificate is authentic, the connection
|
||||
fails. When the option is zero, the connection succeeds regardless.
|
||||
|
||||
Authenticating the certificate is not by itself very useful. You
|
||||
typically want to ensure that the server, as authentically identified
|
||||
by its certificate, is the server you mean to be talking to. Use
|
||||
\fICURLOPT_SSL_VERIFYHOST\fP to control that.
|
||||
|
||||
.IP CURLOPT_CAINFO
|
||||
Pass a char * to a zero terminated string naming a file holding one or more
|
||||
certificates to verify the peer with. This only makes sense when used in
|
||||
combination with the \fICURLOPT_SSL_VERIFYPEER\fP option.
|
||||
certificates to verify the peer with. This makes sense only when used in
|
||||
combination with the \fICURLOPT_SSL_VERIFYPEER\fP option. If
|
||||
\fICURLOPT_SSL_VERIFYPEER\fP is zero, \fICURLOPT_CAINFO\fP need not
|
||||
even indicate an accessible file.
|
||||
|
||||
.IP CURLOPT_CAPATH
|
||||
Pass a char * to a zero terminated string naming a directory holding multiple
|
||||
CA certificates to verify the peer with. The certificate directory must be
|
||||
prepared using the openssl c_rehash utility. This only makes sense when used
|
||||
in combination with the \fICURLOPT_SSL_VERIFYPEER\fP option. The
|
||||
\fICURLOPT_CAPATH\fP function apparently does not work in Windows due to some
|
||||
limitation in openssl. (Added in 7.9.8)
|
||||
Pass a char * to a zero terminated string naming a directory holding
|
||||
multiple CA certificates to verify the peer with. The certificate
|
||||
directory must be prepared using the openssl c_rehash utility. This
|
||||
makes sense only when used in combination with the
|
||||
\fICURLOPT_SSL_VERIFYPEER\fP option. If \fICURLOPT_SSL_VERIFYPEER\fP
|
||||
is zero, \fICURLOPT_CAPATH\fP need not even indicate an accessible
|
||||
path. The \fICURLOPT_CAPATH\fP function apparently does not work in
|
||||
Windows due to some limitation in openssl. (Added in 7.9.8)
|
||||
|
||||
|
||||
.IP CURLOPT_RANDOM_FILE
|
||||
Pass a char * to a zero terminated file name. The file will be used to read
|
||||
from to seed the random engine for SSL. The more random the specified file is,
|
||||
@ -1025,10 +1052,38 @@ the more secure the SSL connection will become.
|
||||
.IP CURLOPT_EGDSOCKET
|
||||
Pass a char * to the zero terminated path name to the Entropy Gathering Daemon
|
||||
socket. It will be used to seed the random engine for SSL.
|
||||
|
||||
.IP CURLOPT_SSL_VERIFYHOST
|
||||
Pass a long. Set if we should verify the Common name from the peer certificate
|
||||
in the SSL handshake, set 1 to check existence, 2 to ensure that it matches
|
||||
the provided hostname. This is by default set to 2. (default changed in 7.10)
|
||||
|
||||
Pass a long as parameter.
|
||||
|
||||
This option determines whether curl verifies that the server claims to be
|
||||
who you want it to be.
|
||||
|
||||
When negotiating an SSL connection, the server sends a certificate
|
||||
indicating its identity.
|
||||
|
||||
When \fICURLOPT_SSL_VERIFYHOST\fP is 2, that certificate must indicate
|
||||
that the server is the server to which you meant to connect, or the
|
||||
connection fails.
|
||||
|
||||
Curl considers the server the intended one when the Common Name field
|
||||
or a Subject Alternate Name field in the certificate matches the host
|
||||
name in the URL to which you told Curl to connect.
|
||||
|
||||
When the value is 1, the certificate must contain a Common Name field,
|
||||
but it doesn't matter what name it says. (This is not ordinarily a
|
||||
useful setting).
|
||||
|
||||
When the value is 0, the connection succeeds regardless of the names in
|
||||
the certificate.
|
||||
|
||||
The default, since 7.10, is 2.
|
||||
|
||||
The checking this option controls is of the identity that the server
|
||||
\fIclaims\fP. The server could be lying. To control lying, see
|
||||
\fICURLOPT_SSL_VERIFYPEER\fP.
|
||||
|
||||
.IP CURLOPT_SSL_CIPHER_LIST
|
||||
Pass a char *, pointing to a zero terminated string holding the list of
|
||||
ciphers to use for the SSL connection. The list must be syntactically correct,
|
||||
@ -1040,6 +1095,7 @@ compile OpenSSL.
|
||||
|
||||
You'll find more details about cipher lists on this URL:
|
||||
\fIhttp://www.openssl.org/docs/apps/ciphers.html\fP
|
||||
|
||||
.IP CURLOPT_KRB4LEVEL
|
||||
Pass a char * as parameter. Set the krb4 security level, this also enables
|
||||
krb4 awareness. This is a string, 'clear', 'safe', 'confidential' or
|
||||
|
Loading…
Reference in New Issue
Block a user