---
c: Copyright (C) Daniel Stenberg, <daniel.se>, et al.
SPDX-License-Identifier: curl
Title: CURLOPT_PROXY_SSL_OPTIONS
Section: 3
Source: libcurl
See-also:
  - CURLOPT_PROXY_SSLVERSION (3)
  - CURLOPT_PROXY_SSL_CIPHER_LIST (3)
  - CURLOPT_SSLVERSION (3)
  - CURLOPT_SSL_CIPHER_LIST (3)
---

# NAME

CURLOPT_PROXY_SSL_OPTIONS - HTTPS proxy SSL behavior options

# SYNOPSIS

~~~c
#include <curl/curl.h>

CURLcode curl_easy_setopt(CURL *handle, CURLOPT_PROXY_SSL_OPTIONS,
                          long bitmask);
~~~

# DESCRIPTION

Pass a long with a bitmask to tell libcurl about specific SSL behaviors to
use for the connection to the HTTPS proxy. Available bits:

## CURLSSLOPT_ALLOW_BEAST

Tells libcurl to not attempt to use any workarounds for a security flaw in the
SSL3 and TLS1.0 protocols. If this option is not used or this bit is set to 0,
the SSL layer libcurl uses may use a work-around for this flaw although it
might cause interoperability problems with some (older) SSL implementations.
WARNING: avoiding this work-around lessens the security, and by setting this
bit you ask for exactly that. This option is only supported for Secure
Transport and OpenSSL.

## CURLSSLOPT_NO_REVOKE

Tells libcurl to disable certificate revocation checks for those SSL backends
where such behavior is present. This option is only supported for Schannel
(the native Windows SSL library), with an exception in the case of Windows'
Untrusted Publishers block list which it seems cannot be bypassed. With
revocation checks disabled, a certificate that its issuer has revoked is still
accepted. (Added in 7.44.0)

## CURLSSLOPT_NO_PARTIALCHAIN

Tells libcurl to not accept "partial" certificate chains, which it otherwise
does by default. This option is only supported for OpenSSL and fails the
certificate verification if the chain ends with an intermediate certificate
and not with a root cert.
(Added in 7.68.0)

## CURLSSLOPT_REVOKE_BEST_EFFORT

Tells libcurl to ignore certificate revocation checks in case of missing or
offline distribution points for those SSL backends where such behavior is
present, which means a certificate whose revocation status cannot be
determined is accepted. This option is only supported for Schannel (the native
Windows SSL library). If combined with *CURLSSLOPT_NO_REVOKE*, the latter
takes precedence. (Added in 7.70.0)

## CURLSSLOPT_NATIVE_CA

Tell libcurl to use the operating system's native CA store for certificate
verification. If you set this option and also set a CA certificate file or
directory then during verification those certificates are searched in addition
to the native CA store.

Works with wolfSSL on Windows, Linux (Debian, Ubuntu, Gentoo, Fedora, RHEL),
macOS, Android and iOS (added in 8.3.0), with GnuTLS (added in 8.5.0) or on
Windows when built to use OpenSSL (Added in 7.71.0).

## CURLSSLOPT_AUTO_CLIENT_CERT

Tell libcurl to automatically locate and use a client certificate for
authentication, when requested by the server. This option is only supported
for Schannel (the native Windows SSL library). Prior to 7.77.0 this was the
default behavior in libcurl with Schannel. Because the server can request any
certificate in the OS certificate store that supports client authentication,
sending one automatically can be unexpected and a privacy violation.
(Added in 7.77.0)

# DEFAULT

0

# PROTOCOLS

All TLS-based protocols

# EXAMPLE

~~~c
int main(void)
{
  CURL *curl = curl_easy_init();
  if(curl) {
    CURLcode res;
    curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
    curl_easy_setopt(curl, CURLOPT_PROXY, "https://proxy");
    /* weaken TLS only for use with silly proxies */
    curl_easy_setopt(curl, CURLOPT_PROXY_SSL_OPTIONS, CURLSSLOPT_ALLOW_BEAST |
                     CURLSSLOPT_NO_REVOKE);
    res = curl_easy_perform(curl);
    curl_easy_cleanup(curl);
  }
}
~~~

# AVAILABILITY

Added in 7.52.0

# RETURN VALUE

Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.