---
c: Copyright (C) Daniel Stenberg, <daniel.se>, et al.
SPDX-License-Identifier: curl
Title: CURLOPT_SSL_OPTIONS
Section: 3
Source: libcurl
See-also:
  - CURLOPT_PROXY_SSL_OPTIONS (3)
  - CURLOPT_SSLVERSION (3)
  - CURLOPT_SSL_CIPHER_LIST (3)
---

# NAME

CURLOPT_SSL_OPTIONS - SSL behavior options

# SYNOPSIS

~~~c
#include <curl/curl.h>

CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSL_OPTIONS, long bitmask);
~~~

# DESCRIPTION

Pass a long with a bitmask to tell libcurl about specific SSL
behaviors. Available bits:

## CURLSSLOPT_ALLOW_BEAST

Tells libcurl to not attempt to use any workarounds for a security flaw in the
SSL3 and TLS1.0 protocols. If this option is not used or this bit is set to 0,
the SSL layer libcurl uses may use a work-around for this flaw although it
might cause interoperability problems with some (older) SSL implementations.
WARNING: avoiding this work-around lessens the security, and by setting this
option to 1 you ask for exactly that. This option is only supported for Secure
Transport and OpenSSL.

## CURLSSLOPT_NO_REVOKE

Tells libcurl to disable certificate revocation checks for those SSL backends
where such behavior is present. This option is only supported for Schannel
(the native Windows SSL library), with an exception in the case of Windows'
Untrusted Publishers block list which it seems cannot be bypassed. (Added in
7.44.0)

## CURLSSLOPT_NO_PARTIALCHAIN

Tells libcurl to not accept "partial" certificate chains, which it otherwise
does by default. This option is only supported for OpenSSL and fails the
certificate verification if the chain ends with an intermediate certificate
and not with a root cert. (Added in 7.68.0)

## CURLSSLOPT_REVOKE_BEST_EFFORT

Tells libcurl to ignore certificate revocation checks in case of missing or
offline distribution points for those SSL backends where such behavior is
present.
This option is only supported for Schannel (the native Windows SSL
library). If combined with *CURLSSLOPT_NO_REVOKE*, the latter takes
precedence. (Added in 7.70.0)

## CURLSSLOPT_NATIVE_CA

Tell libcurl to use the operating system's native CA store for certificate
verification. If you set this option and also set a CA certificate file or
directory then during verification those certificates are searched in addition
to the native CA store.

Works with wolfSSL on Windows, Linux (Debian, Ubuntu, Gentoo, Fedora, RHEL),
macOS, Android and iOS (added in 8.3.0), with GnuTLS (added in 8.5.0) or on
Windows when built to use OpenSSL (Added in 7.71.0).

## CURLSSLOPT_AUTO_CLIENT_CERT

Tell libcurl to automatically locate and use a client certificate for
authentication, when requested by the server. This option is only supported
for Schannel (the native Windows SSL library). Prior to 7.77.0 this was the
default behavior in libcurl with Schannel. Since the server can request any
certificate that supports client authentication in the OS certificate store it
could be a privacy violation and unexpected.
(Added in 7.77.0)

# DEFAULT

0

# PROTOCOLS

All TLS-based protocols

# EXAMPLE

~~~c
#include <stdio.h>
#include <curl/curl.h>

int main(void)
{
  CURL *curl = curl_easy_init();
  if(curl) {
    CURLcode res;
    curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
    /* weaken TLS only for use with silly servers; the cast must cover the
       whole bitmask, since the option takes a long */
    curl_easy_setopt(curl, CURLOPT_SSL_OPTIONS,
                     (long)(CURLSSLOPT_ALLOW_BEAST | CURLSSLOPT_NO_REVOKE));
    res = curl_easy_perform(curl);
    if(res != CURLE_OK)
      fprintf(stderr, "curl_easy_perform() failed: %s\n",
              curl_easy_strerror(res));
    curl_easy_cleanup(curl);
  }
  return 0;
}
~~~

# AVAILABILITY

Added in 7.25.0

# RETURN VALUE

Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.
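An added example, not part of the curl documentation: a review helper that inspects a bitmask before it is passed as CURLOPT_SSL_OPTIONS, separating the bits that relax verification (ALLOW_BEAST, NO_REVOKE, REVOKE_BEST_EFFORT, AUTO_CLIENT_CERT) from the ones that tighten it (NO_PARTIALCHAIN, NATIVE_CA) and flagging the NO_REVOKE-over-REVOKE_BEST_EFFORT precedence described above. It repeats the CURLSSLOPT_* bit values from curl/curl.h locally so it builds without the libcurl headers (an assumption about this file only); `weakening_bits`, `audit_ssl_options` and `hardened_ssl_options` are hypothetical names.

```c
/* CURLSSLOPT_* bit values as defined in curl/curl.h, repeated here so this
   file builds without the libcurl headers; a real program includes
   <curl/curl.h> instead and passes the audited value to curl_easy_setopt(). */
#define CURLSSLOPT_ALLOW_BEAST        (1L << 0)
#define CURLSSLOPT_NO_REVOKE          (1L << 1)
#define CURLSSLOPT_NO_PARTIALCHAIN    (1L << 2)
#define CURLSSLOPT_REVOKE_BEST_EFFORT (1L << 3)
#define CURLSSLOPT_NATIVE_CA          (1L << 4)
#define CURLSSLOPT_AUTO_CLIENT_CERT   (1L << 5)

/* Bits this page documents, and the subset that relaxes verification or
   privacy (BEAST workaround off, revocation skipped, client cert auto-picked). */
#define SSLOPT_DOCUMENTED (CURLSSLOPT_ALLOW_BEAST | CURLSSLOPT_NO_REVOKE | \
  CURLSSLOPT_NO_PARTIALCHAIN | CURLSSLOPT_REVOKE_BEST_EFFORT | \
  CURLSSLOPT_NATIVE_CA | CURLSSLOPT_AUTO_CLIENT_CERT)
#define SSLOPT_WEAKENING (CURLSSLOPT_ALLOW_BEAST | CURLSSLOPT_NO_REVOKE | \
  CURLSSLOPT_REVOKE_BEST_EFFORT | CURLSSLOPT_AUTO_CLIENT_CERT)

/* Hypothetical helpers, not libcurl APIs. weakening_bits() isolates the bits
   that reduce security; audit_ssl_options() returns a finding count for a
   value about to be passed as CURLOPT_SSL_OPTIONS: one per weakening bit,
   one if REVOKE_BEST_EFFORT is set together with NO_REVOKE (the latter takes
   precedence, so the former is dead), and one for any undocumented bit. */
long weakening_bits(long opts)
{
  return opts & SSLOPT_WEAKENING;
}

int audit_ssl_options(long opts)
{
  int findings = 0;
  long bit;
  for(bit = 1; bit <= SSLOPT_WEAKENING; bit <<= 1)
    if(weakening_bits(opts) & bit)
      findings++;
  if((opts & CURLSSLOPT_NO_REVOKE) && (opts & CURLSSLOPT_REVOKE_BEST_EFFORT))
    findings++;            /* REVOKE_BEST_EFFORT is silently overridden */
  if(opts & ~SSLOPT_DOCUMENTED)
    findings++;            /* bit not described by this page */
  return findings;
}

/* A verification-first starting point: trust the OS store in addition to any
   CA file, and refuse chains that stop at an intermediate. Neither bit
   relaxes anything, so the audit reports 0; backend support still applies. */
long hardened_ssl_options(void)
{
  return CURLSSLOPT_NATIVE_CA | CURLSSLOPT_NO_PARTIALCHAIN;
}
```

Run the audit over the value from the EXAMPLE section above (ALLOW_BEAST | NO_REVOKE) and it reports two findings, which is exactly the pair a code reviewer should be asked to justify.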