1CURLOPT_SSL_OPTIONS(3)     curl_easy_setopt options     CURLOPT_SSL_OPTIONS(3)
2
3
4

NAME

6       CURLOPT_SSL_OPTIONS - set SSL behavior options
7

SYNOPSIS

9       #include <curl/curl.h>
10
11       CURLcode  curl_easy_setopt(CURL *handle, CURLOPT_SSL_OPTIONS, long bit‐
12       mask);
13

DESCRIPTION

15       Pass a long with a bitmask to tell libcurl about  specific  SSL  behav‐
16       iors. Available bits:
17
18       CURLSSLOPT_ALLOW_BEAST
19              Tells  libcurl to not attempt to use any workarounds for a secu‐
20              rity flaw in the SSL3 and  TLS1.0  protocols.   If  this  option
21              isn't  used  or this bit is set to 0, the SSL layer libcurl uses
22              may use a work-around for this  flaw  although  it  might  cause
23              interoperability problems with some (older) SSL implementations.
24              WARNING: avoiding this work-around lessens the security, and  by
25              setting  this option to 1 you ask for exactly that.  This option
26              is only supported for DarwinSSL, NSS and OpenSSL.
27
28       CURLSSLOPT_NO_REVOKE
29              Tells libcurl to disable certificate revocation checks for those
30              SSL backends where such behavior is present. This option is only
31              supported for Schannel (the native Windows SSL library), with an
32              exception  in  the  case  of Windows' Untrusted Publishers block
33              list which it seems can't be bypassed. (Added in 7.44.0)
34
35       CURLSSLOPT_NO_PARTIALCHAIN
36              Tells libcurl to not accept "partial" certificate chains,  which
37              it  otherwise does by default. This option is only supported for
38              OpenSSL and will fail the certificate verification if the  chain
39              ends  with an intermediate certificate and not with a root cert.
40              (Added in 7.68.0)
41
42       CURLSSLOPT_REVOKE_BEST_EFFORT
43              Tells libcurl to ignore certificate revocation checks in case of
44              missing  or  offline  distribution points for those SSL backends
45              where such behavior is present. This option  is  only  supported
46              for  Schannel (the native Windows SSL library). If combined with
47              CURLSSLOPT_NO_REVOKE, the latter  takes  precedence.  (Added  in
48              7.70.0)
49
50       CURLSSLOPT_NATIVE_CA
51              Tell  libcurl  to use the operating system's native CA store for
52              certificate verification. Works only on Windows  when  built  to
53              use OpenSSL. This option is experimental and behavior is subject
54              to change.  (Added in 7.71.0)
55

DEFAULT

57       0
58

PROTOCOLS

60       All TLS-based protocols
61

EXAMPLE

63       CURL *curl = curl_easy_init();
64       if(curl) {
65         curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
66         /* weaken TLS only for use with silly servers */
67         curl_easy_setopt(curl, CURLOPT_SSL_OPTIONS, CURLSSLOPT_ALLOW_BEAST |
68                          CURLSSLOPT_NO_REVOKE);
69         ret = curl_easy_perform(curl);
70         curl_easy_cleanup(curl);
71       }
72

AVAILABILITY

74       Added in 7.25.0
75

RETURN VALUE

77       Returns CURLE_OK if the option is supported,  and  CURLE_UNKNOWN_OPTION
78       if not.
79

SEE ALSO

81       CURLOPT_SSLVERSION(3), CURLOPT_SSL_CIPHER_LIST(3),
82
83
84
85libcurl 7.71.1                   June 22, 2020          CURLOPT_SSL_OPTIONS(3)
Impressum