CURLINFO_TLS_SSL_PTR.3 6.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168
  1. .\" **************************************************************************
  2. .\" * _ _ ____ _
  3. .\" * Project ___| | | | _ \| |
  4. .\" * / __| | | | |_) | |
  5. .\" * | (__| |_| | _ <| |___
  6. .\" * \___|\___/|_| \_\_____|
  7. .\" *
  8. .\" * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
  9. .\" *
  10. .\" * This software is licensed as described in the file COPYING, which
  11. .\" * you should have received as part of this distribution. The terms
  12. .\" * are also available at https://curl.se/docs/copyright.html.
  13. .\" *
  14. .\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15. .\" * copies of the Software, and permit persons to whom the Software is
  16. .\" * furnished to do so, under the terms of the COPYING file.
  17. .\" *
  18. .\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19. .\" * KIND, either express or implied.
  20. .\" *
  21. .\" * SPDX-License-Identifier: curl
  22. .\" *
  23. .\" **************************************************************************
  24. .\"
  25. .TH CURLINFO_TLS_SSL_PTR 3 "23 Feb 2016" libcurl libcurl
  26. .SH NAME
  27. CURLINFO_TLS_SESSION, CURLINFO_TLS_SSL_PTR \- get TLS session info
  28. .SH SYNOPSIS
  29. .nf
  30. #include <curl/curl.h>
  31. CURLcode curl_easy_getinfo(CURL *handle, CURLINFO_TLS_SSL_PTR,
  32. struct curl_tlssessioninfo **session);
  33. /* if you need compatibility with libcurl < 7.48.0 use
  34. CURLINFO_TLS_SESSION instead: */
  35. CURLcode curl_easy_getinfo(CURL *handle, CURLINFO_TLS_SESSION,
  36. struct curl_tlssessioninfo **session);
  37. .SH DESCRIPTION
  38. Pass a pointer to a \fIstruct curl_tlssessioninfo *\fP. The pointer will be
  39. initialized to refer to a \fIstruct curl_tlssessioninfo *\fP that will contain
  40. an enum indicating the SSL library used for the handshake and a pointer to the
  41. respective internal TLS session structure of this underlying SSL library.
  42. This option may be useful for example to extract certificate information in a
  43. format convenient for further processing, such as manual validation. Refer to
  44. the \fBLIMITATIONS\fP section.
  45. .nf
  46. struct curl_tlssessioninfo {
  47. curl_sslbackend backend;
  48. void *internals;
  49. };
  50. .fi
  51. The \fIbackend\fP struct member is one of the defines in the CURLSSLBACKEND_*
  52. series: CURLSSLBACKEND_NONE (when built without TLS support),
  53. CURLSSLBACKEND_WOLFSSL, CURLSSLBACKEND_SECURETRANSPORT, CURLSSLBACKEND_GNUTLS,
  54. CURLSSLBACKEND_GSKIT, CURLSSLBACKEND_MBEDTLS, CURLSSLBACKEND_NSS,
  55. CURLSSLBACKEND_OPENSSL, CURLSSLBACKEND_SCHANNEL or
  56. CURLSSLBACKEND_MESALINK. (Note that the OpenSSL forks are all reported as just
  57. OpenSSL here.)
  58. The \fIinternals\fP struct member will point to a TLS library specific pointer
  59. for the active ("in use") SSL connection, with the following underlying types:
  60. .RS
  61. .IP GnuTLS
  62. \fBgnutls_session_t\fP
  63. .IP gskit
  64. \fBgsk_handle\fP
  65. .IP NSS
  66. \fBPRFileDesc *\fP
  67. .IP OpenSSL
  68. \fICURLINFO_TLS_SESSION(3)\fP: \fBSSL_CTX *\fP
  69. \fICURLINFO_TLS_SSL_PTR(3)\fP: \fBSSL *\fP
  70. .RE
  71. Since 7.48.0 the \fIinternals\fP member can point to these other SSL backends
  72. as well:
  73. .RS
  74. .IP mbedTLS
  75. \fBmbedTLS_ssl_context *\fP
  76. .IP "Secure Channel"
  77. \fBCtxtHandle *\fP
  78. .IP "Secure Transport"
  79. \fBSSLContext *\fP
  80. .IP "wolfSSL"
  81. \fBSSL *\fP
  82. .RE
  83. If the \fIinternals\fP pointer is NULL then either the SSL backend is not
  84. supported, an SSL session has not yet been established or the connection is no
  85. longer associated with the easy handle (e.g. curl_easy_perform has returned).
  86. .SH LIMITATIONS
  87. This option has some limitations that could make it unsafe when it comes to
  88. the manual verification of certificates.
  89. This option only retrieves the first in-use SSL session pointer for your easy
  90. handle, however your easy handle may have more than one in-use SSL session if
  91. using FTP over SSL. That is because the FTP protocol has a control channel and
  92. a data channel and one or both may be over SSL. Currently there is no way to
  93. retrieve a second in-use SSL session associated with an easy handle.
  94. This option has not been thoroughly tested with clear text protocols that can
  95. be upgraded/downgraded to/from SSL: FTP, SMTP, POP3, IMAP when used with
  96. \fICURLOPT_USE_SSL(3)\fP. Though you will be able to retrieve the SSL pointer,
  97. it's possible that before you can do that data (including auth) may have
  98. already been sent over a connection after it was upgraded.
  99. Renegotiation. If unsafe renegotiation or renegotiation in a way that the
  100. certificate is allowed to change is allowed by your SSL library this may occur
  101. and the certificate may change, and data may continue to be sent or received
  102. after renegotiation but before you are able to get the (possibly) changed SSL
  103. pointer, with the (possibly) changed certificate information.
  104. If you are using OpenSSL or wolfSSL then \fICURLOPT_SSL_CTX_FUNCTION(3)\fP can
  105. be used to set a certificate verification callback. That is safer than using
  106. this option to poll for certificate changes and does not suffer from any of
  107. the problems above. There is currently no way in libcurl to set a verification
  108. callback for the other SSL backends.
  109. How are you using this option? Are you affected by any of these limitations?
  110. Please let us know by making a comment at
  111. https://github.com/curl/curl/issues/685
  112. .SH PROTOCOLS
  113. All TLS-based
  114. .SH EXAMPLE
  115. .nf
  116. #include <curl/curl.h>
  117. #include <openssl/ssl.h>
  118. CURL *curl;
  119. static size_t wf(void *ptr, size_t size, size_t nmemb, void *stream)
  120. {
  121. const struct curl_tlssessioninfo *info = NULL;
  122. CURLcode res = curl_easy_getinfo(curl, CURLINFO_TLS_SSL_PTR, &info);
  123. if(info && !res) {
  124. if(CURLSSLBACKEND_OPENSSL == info->backend) {
  125. printf("OpenSSL ver. %s\\n", SSL_get_version((SSL*)info->internals));
  126. }
  127. }
  128. return size * nmemb;
  129. }
  130. int main(int argc, char** argv)
  131. {
  132. CURLcode res;
  133. curl = curl_easy_init();
  134. if(curl) {
  135. curl_easy_setopt(curl, CURLOPT_URL, "https://example.com");
  136. curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, wf);
  137. res = curl_easy_perform(curl);
  138. curl_easy_cleanup(curl);
  139. }
  140. return res;
  141. }
  142. .fi
  143. .SH AVAILABILITY
  144. Added in 7.48.0.
  145. This option supersedes \fICURLINFO_TLS_SESSION(3)\fP which was added in 7.34.0.
  146. This option is exactly the same as that option except in the case of OpenSSL.
  147. .SH RETURN VALUE
  148. Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.
  149. .SH "SEE ALSO"
  150. .BR curl_easy_getinfo "(3), " curl_easy_setopt "(3), "
  151. .BR CURLINFO_TLS_SESSION "(3), "