123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168 |
- .\" **************************************************************************
- .\" * _ _ ____ _
- .\" * Project ___| | | | _ \| |
- .\" * / __| | | | |_) | |
- .\" * | (__| |_| | _ <| |___
- .\" * \___|\___/|_| \_\_____|
- .\" *
- .\" * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
- .\" *
- .\" * This software is licensed as described in the file COPYING, which
- .\" * you should have received as part of this distribution. The terms
- .\" * are also available at https://curl.se/docs/copyright.html.
- .\" *
- .\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
- .\" * copies of the Software, and permit persons to whom the Software is
- .\" * furnished to do so, under the terms of the COPYING file.
- .\" *
- .\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
- .\" * KIND, either express or implied.
- .\" *
- .\" * SPDX-License-Identifier: curl
- .\" *
- .\" **************************************************************************
- .\"
- .TH CURLINFO_TLS_SSL_PTR 3 "23 Feb 2016" libcurl libcurl
- .SH NAME
- CURLINFO_TLS_SESSION, CURLINFO_TLS_SSL_PTR \- get TLS session info
- .SH SYNOPSIS
- .nf
- #include <curl/curl.h>
- CURLcode curl_easy_getinfo(CURL *handle, CURLINFO_TLS_SSL_PTR,
- struct curl_tlssessioninfo **session);
- /* if you need compatibility with libcurl < 7.48.0 use
- CURLINFO_TLS_SESSION instead: */
- CURLcode curl_easy_getinfo(CURL *handle, CURLINFO_TLS_SESSION,
- struct curl_tlssessioninfo **session);
- .SH DESCRIPTION
- Pass a pointer to a \fIstruct curl_tlssessioninfo *\fP. The pointer will be
- initialized to refer to a \fIstruct curl_tlssessioninfo *\fP that will contain
- an enum indicating the SSL library used for the handshake and a pointer to the
- respective internal TLS session structure of this underlying SSL library.
- This option may be useful for example to extract certificate information in a
- format convenient for further processing, such as manual validation. Refer to
- the \fBLIMITATIONS\fP section.
- .nf
- struct curl_tlssessioninfo {
- curl_sslbackend backend;
- void *internals;
- };
- .fi
- The \fIbackend\fP struct member is one of the defines in the CURLSSLBACKEND_*
- series: CURLSSLBACKEND_NONE (when built without TLS support),
- CURLSSLBACKEND_WOLFSSL, CURLSSLBACKEND_SECURETRANSPORT, CURLSSLBACKEND_GNUTLS,
- CURLSSLBACKEND_GSKIT, CURLSSLBACKEND_MBEDTLS, CURLSSLBACKEND_NSS,
- CURLSSLBACKEND_OPENSSL, CURLSSLBACKEND_SCHANNEL or
- CURLSSLBACKEND_MESALINK. (Note that the OpenSSL forks are all reported as just
- OpenSSL here.)
- The \fIinternals\fP struct member will point to a TLS library specific pointer
- for the active ("in use") SSL connection, with the following underlying types:
- .RS
- .IP GnuTLS
- \fBgnutls_session_t\fP
- .IP gskit
- \fBgsk_handle\fP
- .IP NSS
- \fBPRFileDesc *\fP
- .IP OpenSSL
- \fICURLINFO_TLS_SESSION(3)\fP: \fBSSL_CTX *\fP
- \fICURLINFO_TLS_SSL_PTR(3)\fP: \fBSSL *\fP
- .RE
- Since 7.48.0 the \fIinternals\fP member can point to these other SSL backends
- as well:
- .RS
- .IP mbedTLS
- \fBmbedTLS_ssl_context *\fP
- .IP "Secure Channel"
- \fBCtxtHandle *\fP
- .IP "Secure Transport"
- \fBSSLContext *\fP
- .IP "wolfSSL"
- \fBSSL *\fP
- .RE
- If the \fIinternals\fP pointer is NULL then either the SSL backend is not
- supported, an SSL session has not yet been established or the connection is no
- longer associated with the easy handle (e.g. curl_easy_perform has returned).
- .SH LIMITATIONS
- This option has some limitations that could make it unsafe when it comes to
- the manual verification of certificates.
- This option only retrieves the first in-use SSL session pointer for your easy
- handle, however your easy handle may have more than one in-use SSL session if
- using FTP over SSL. That is because the FTP protocol has a control channel and
- a data channel and one or both may be over SSL. Currently there is no way to
- retrieve a second in-use SSL session associated with an easy handle.
- This option has not been thoroughly tested with clear text protocols that can
- be upgraded/downgraded to/from SSL: FTP, SMTP, POP3, IMAP when used with
- \fICURLOPT_USE_SSL(3)\fP. Though you will be able to retrieve the SSL pointer,
- it's possible that before you can do that data (including auth) may have
- already been sent over a connection after it was upgraded.
- Renegotiation. If unsafe renegotiation or renegotiation in a way that the
- certificate is allowed to change is allowed by your SSL library this may occur
- and the certificate may change, and data may continue to be sent or received
- after renegotiation but before you are able to get the (possibly) changed SSL
- pointer, with the (possibly) changed certificate information.
- If you are using OpenSSL or wolfSSL then \fICURLOPT_SSL_CTX_FUNCTION(3)\fP can
- be used to set a certificate verification callback. That is safer than using
- this option to poll for certificate changes and does not suffer from any of
- the problems above. There is currently no way in libcurl to set a verification
- callback for the other SSL backends.
- How are you using this option? Are you affected by any of these limitations?
- Please let us know by making a comment at
- https://github.com/curl/curl/issues/685
- .SH PROTOCOLS
- All TLS-based
- .SH EXAMPLE
- .nf
- #include <curl/curl.h>
- #include <openssl/ssl.h>
- CURL *curl;
- static size_t wf(void *ptr, size_t size, size_t nmemb, void *stream)
- {
- const struct curl_tlssessioninfo *info = NULL;
- CURLcode res = curl_easy_getinfo(curl, CURLINFO_TLS_SSL_PTR, &info);
- if(info && !res) {
- if(CURLSSLBACKEND_OPENSSL == info->backend) {
- printf("OpenSSL ver. %s\\n", SSL_get_version((SSL*)info->internals));
- }
- }
- return size * nmemb;
- }
- int main(int argc, char** argv)
- {
- CURLcode res;
- curl = curl_easy_init();
- if(curl) {
- curl_easy_setopt(curl, CURLOPT_URL, "https://example.com");
- curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, wf);
- res = curl_easy_perform(curl);
- curl_easy_cleanup(curl);
- }
- return res;
- }
- .fi
- .SH AVAILABILITY
- Added in 7.48.0.
- This option supersedes \fICURLINFO_TLS_SESSION(3)\fP which was added in 7.34.0.
- This option is exactly the same as that option except in the case of OpenSSL.
- .SH RETURN VALUE
- Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.
- .SH "SEE ALSO"
- .BR curl_easy_getinfo "(3), " curl_easy_setopt "(3), "
- .BR CURLINFO_TLS_SESSION "(3), "
|