quickjs-tart

quickjs-based runtime for wallet-core logic

CURLOPT_PROXY_SSL_OPTIONS.md (4011B)


---
c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
Title: CURLOPT_PROXY_SSL_OPTIONS
Section: 3
Source: libcurl
See-also:
  - CURLOPT_PROXY_SSLVERSION (3)
  - CURLOPT_PROXY_SSL_CIPHER_LIST (3)
  - CURLOPT_SSLVERSION (3)
  - CURLOPT_SSL_CIPHER_LIST (3)
Protocol:
  - TLS
TLS-backend:
  - All
Added-in: 7.52.0
---

# NAME

CURLOPT_PROXY_SSL_OPTIONS - HTTPS proxy SSL behavior options

# SYNOPSIS

~~~c
#include <curl/curl.h>

CURLcode curl_easy_setopt(CURL *handle, CURLOPT_PROXY_SSL_OPTIONS,
                          long bitmask);
~~~

# DESCRIPTION

Pass a long with a bitmask to tell libcurl about specific SSL
behaviors. Available bits:

## CURLSSLOPT_ALLOW_BEAST

Tells libcurl not to use any workarounds for a security flaw in the SSL3 and
TLS1.0 protocols. If this option is not used or this bit is set to 0, the SSL
layer libcurl uses may apply a workaround for this flaw, although that might
cause interoperability problems with some (older) SSL implementations.
WARNING: avoiding this workaround lessens the security, and by setting this
bit to 1 you ask for exactly that. This option is only supported for Secure
Transport and OpenSSL.

## CURLSSLOPT_NO_REVOKE

Tells libcurl to disable certificate revocation checks for those SSL backends
where such behavior is present. This option is only supported for Schannel
(the native Windows SSL library), with an exception in the case of Windows'
Untrusted Publishers block list, which it seems cannot be bypassed. (Added in
7.44.0)

## CURLSSLOPT_NO_PARTIALCHAIN

Tells libcurl not to accept "partial" certificate chains, which it otherwise
does by default. With this bit set, certificate verification fails if the
chain ends with an intermediate certificate and not with a root cert.

Works with OpenSSL and its forks (LibreSSL, BoringSSL, etc). (Added in 7.68.0)

Works with Schannel if the user specified certificates to verify the peer.
(Added in 8.15.0)

## CURLSSLOPT_REVOKE_BEST_EFFORT

Tells libcurl to ignore certificate revocation checks in case of missing or
offline distribution points for those SSL backends where such behavior is
present. This option is only supported for Schannel (the native Windows SSL
library). If combined with *CURLSSLOPT_NO_REVOKE*, the latter takes
precedence. (Added in 7.70.0)

## CURLSSLOPT_NATIVE_CA

Tells libcurl to use the operating system's native CA store for certificate
verification. This option is independent of other CA certificate locations set
at run time or build time. Those locations are searched in addition to the
native CA store.

Works with wolfSSL on Windows, Linux (Debian, Ubuntu, Gentoo, Fedora, RHEL),
macOS, Android and iOS (added in 8.3.0); with GnuTLS (added in 8.5.0) and with
OpenSSL and its forks (LibreSSL, BoringSSL, etc) on Windows (Added in 7.71.0).

## CURLSSLOPT_AUTO_CLIENT_CERT

Tells libcurl to automatically locate and use a client certificate for
authentication, when requested by the server. This option is only supported
for Schannel (the native Windows SSL library). Prior to 7.77.0 this was the
default behavior in libcurl with Schannel. Since the server can request any
certificate in the OS certificate store that supports client authentication,
this could be a privacy violation and unexpected.
(Added in 7.77.0)

# DEFAULT

0

# %PROTOCOLS%

# EXAMPLE

~~~c
#include <curl/curl.h>

int main(void)
{
  CURLcode res = CURLE_FAILED_INIT;
  CURL *curl = curl_easy_init();
  if(curl) {
    curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
    curl_easy_setopt(curl, CURLOPT_PROXY, "https://proxy");
    /* weaken TLS only for use with silly proxies */
    curl_easy_setopt(curl, CURLOPT_PROXY_SSL_OPTIONS,
                     (long)(CURLSSLOPT_ALLOW_BEAST | CURLSSLOPT_NO_REVOKE));
    res = curl_easy_perform(curl);
    curl_easy_cleanup(curl);
  }
  /* report transfer failure to the caller instead of discarding it */
  return (res == CURLE_OK) ? 0 : 1;
}
~~~
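
The following is an added example, not part of the libcurl documentation: a pre-flight check that a configuration loader could run on a bitmask before passing it to CURLOPT_PROXY_SSL_OPTIONS. The policy (which bits count as risky, and forcing CURLSSLOPT_NO_PARTIALCHAIN) and the names `proxy_revoke_mode`, `proxy_ssl_risky_bits` and `proxy_ssl_harden` are assumptions; the bit values are repeated from `<curl/curl.h>` only so the block builds without libcurl.

```c
#include <stdio.h>

/* Bit values as in <curl/curl.h>, repeated so this builds without libcurl;
   real code includes the header instead of redefining them. */
#ifndef CURLSSLOPT_ALLOW_BEAST
#define CURLSSLOPT_ALLOW_BEAST        (1L << 0)
#define CURLSSLOPT_NO_REVOKE          (1L << 1)
#define CURLSSLOPT_NO_PARTIALCHAIN    (1L << 2)
#define CURLSSLOPT_REVOKE_BEST_EFFORT (1L << 3)
#define CURLSSLOPT_NATIVE_CA          (1L << 4)
#define CURLSSLOPT_AUTO_CLIENT_CERT   (1L << 5)
#endif

/* Hypothetical policy: bits that relax verification or expose client certs. */
#define PROXY_TLS_RISKY (CURLSSLOPT_ALLOW_BEAST | CURLSSLOPT_NO_REVOKE | \
                         CURLSSLOPT_REVOKE_BEST_EFFORT | \
                         CURLSSLOPT_AUTO_CLIENT_CERT)

enum revoke_mode { REVOKE_DEFAULT, REVOKE_SOFT_FAIL, REVOKE_OFF };

/* NO_REVOKE takes precedence over REVOKE_BEST_EFFORT when both are set. */
enum revoke_mode proxy_revoke_mode(long mask)
{
  if(mask & CURLSSLOPT_NO_REVOKE)
    return REVOKE_OFF;
  if(mask & CURLSSLOPT_REVOKE_BEST_EFFORT)
    return REVOKE_SOFT_FAIL;
  return REVOKE_DEFAULT;
}

/* Returns the risky bits present in mask; 0 means the mask passes. */
long proxy_ssl_risky_bits(long mask)
{
  return mask & PROXY_TLS_RISKY;
}

/* Clears risky bits, requires complete chains, keeps the rest (NATIVE_CA). */
long proxy_ssl_harden(long mask)
{
  return (mask & ~PROXY_TLS_RISKY) | CURLSSLOPT_NO_PARTIALCHAIN;
}

int main(void)
{
  /* Constructed input: the mask used in the EXAMPLE section above. */
  long mask = CURLSSLOPT_ALLOW_BEAST | CURLSSLOPT_NO_REVOKE;
  printf("risky=0x%lx revoke_mode=%d hardened=0x%lx\n",
         (unsigned long)proxy_ssl_risky_bits(mask),
         (int)proxy_revoke_mode(mask),
         (unsigned long)proxy_ssl_harden(mask));
  return 0;
}
```

A non-zero result from `proxy_ssl_risky_bits` is the point at which to log or reject the configuration; whether a given bit has any effect still depends on the TLS backend, as listed per option above.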

# %AVAILABILITY%

# RETURN VALUE

curl_easy_setopt(3) returns a CURLcode indicating success or error.

CURLE_OK (0) means everything was OK, non-zero means an error occurred, see
libcurl-errors(3).