1CURLOPT_SSL_OPTIONS(3)     curl_easy_setopt options     CURLOPT_SSL_OPTIONS(3)
2
3
4

NAME

6       CURLOPT_SSL_OPTIONS - SSL behavior options
7

SYNOPSIS

9       #include <curl/curl.h>
10
11       CURLcode  curl_easy_setopt(CURL *handle, CURLOPT_SSL_OPTIONS, long bit‐
12       mask);
13

DESCRIPTION

15       Pass a long with a bitmask to tell libcurl about  specific  SSL  behav‐
16       iors. Available bits:
17
18       CURLSSLOPT_ALLOW_BEAST
19              Tells  libcurl to not attempt to use any workarounds for a secu‐
20              rity flaw in the SSL3 and  TLS1.0  protocols.   If  this  option
21              isn't  used  or this bit is set to 0, the SSL layer libcurl uses
22              may use a work-around for this flaw although it might cause  in‐
23              teroperability  problems  with some (older) SSL implementations.
24              WARNING: avoiding this work-around lessens the security, and  by
25              setting  this option to 1 you ask for exactly that.  This option
26              is only supported for Secure Transport, NSS and OpenSSL.
27
28       CURLSSLOPT_NO_REVOKE
29              Tells libcurl to disable certificate revocation checks for those
30              SSL backends where such behavior is present. This option is only
31              supported for Schannel (the native Windows SSL library), with an
32              exception  in  the  case  of Windows' Untrusted Publishers block
33              list which it seems can't be bypassed. (Added in 7.44.0)
34
35       CURLSSLOPT_NO_PARTIALCHAIN
36              Tells libcurl to not accept "partial" certificate chains,  which
37              it  otherwise does by default. This option is only supported for
38              OpenSSL and will fail the certificate verification if the  chain
39              ends  with an intermediate certificate and not with a root cert.
40              (Added in 7.68.0)
41
42       CURLSSLOPT_REVOKE_BEST_EFFORT
43              Tells libcurl to ignore certificate revocation checks in case of
44              missing  or  offline  distribution points for those SSL backends
45              where such behavior is present. This option  is  only  supported
46              for  Schannel (the native Windows SSL library). If combined with
47              CURLSSLOPT_NO_REVOKE, the latter  takes  precedence.  (Added  in
48              7.70.0)
49
50       CURLSSLOPT_NATIVE_CA
51              Tell  libcurl  to use the operating system's native CA store for
52              certificate verification. Works only on Windows  when  built  to
53              use OpenSSL. This option is experimental and behavior is subject
54              to change.  (Added in 7.71.0)
55
56       CURLSSLOPT_AUTO_CLIENT_CERT
57              Tell libcurl to automatically locate and use a  client  certifi‐
58              cate  for authentication, when requested by the server. This op‐
59              tion is only supported for Schannel (the native Windows SSL  li‐
60              brary). Prior to 7.77.0 this was the default behavior in libcurl
61              with Schannel. Since the server can request any certificate that
62              supports  client  authentication  in the OS certificate store it
63              could be a privacy violation and unexpected.  (Added in 7.77.0)
64

DEFAULT

66       0
67

PROTOCOLS

69       All TLS-based protocols
70

EXAMPLE

72       CURL *curl = curl_easy_init();
73       if(curl) {
74         curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
75         /* weaken TLS only for use with silly servers */
76         curl_easy_setopt(curl, CURLOPT_SSL_OPTIONS, CURLSSLOPT_ALLOW_BEAST |
77                          CURLSSLOPT_NO_REVOKE);
78         ret = curl_easy_perform(curl);
79         curl_easy_cleanup(curl);
80       }
81

AVAILABILITY

83       Added in 7.25.0
84

RETURN VALUE

86       Returns CURLE_OK if the option is supported,  and  CURLE_UNKNOWN_OPTION
87       if not.
88

SEE ALSO

90       CURLOPT_SSLVERSION(3), CURLOPT_SSL_CIPHER_LIST(3),
91
92
93
94libcurl 7.79.1                September 08, 2021        CURLOPT_SSL_OPTIONS(3)
Impressum