If this option is used several times, the last one will be used.
.IP "--cacert <CA certificate>"
(HTTPS) Tells curl to use the specified certificate file to verify the
-peer. The certificate must be in PEM format.
+peer. The file may contain multiple CA certificates. The certificate(s) must
+be in PEM format.
+
+If this option is used several times, the last one will be used.
+.IP "--capath <CA certificate directory>"
+(HTTPS) Tells curl to use the specified certificate directory to verify the
+peer. The certificates must be in PEM format, and the directory must have been
+processed using the c_rehash utility supplied with openssl. Certificate directories
+are not supported under Windows (because c_rehash uses symbolink links to
+create them). Using --capath can allow curl to make https connections much
+more efficiently than using --cacert if the --cacert file contains many CA certificates.
If this option is used several times, the last one will be used.
.IP "-f/--fail"
.B CURLOPT_SSL_VERIFYPEER
Pass a long that is set to a non-zero value to make curl verify the peer's
certificate. The certificate to verify against must be specified with the
-CURLOPT_CAINFO option. (Added in 7.4.2)
+CURLOPT_CAINFO option (Added in 7.4.2) or a certificate directory must be specified
+with the CURLOPT_CAPATH option (Added in 7.9.8).
.TP
.B CURLOPT_CAINFO
-Pass a char * to a zero terminated file naming holding the certificate to
-verify the peer with. This only makes sense when used in combination with the
-CURLOPT_SSL_VERIFYPEER option. (Added in 7.4.2)
+Pass a char * to a zero terminated string naming a file holding one or more
+certificates to verify the peer with. This only makes sense when used in
+combination with the CURLOPT_SSL_VERIFYPEER option. (Added in 7.4.2)
+.TP
+.B CURLOPT_CAPATH
+Pass a char * to a zero terminated string naming a directory holding multiple CA
+certificates to verify the peer with. The certificate directory must be prepared using
+the openssl c_rehash utility. This only makes sense when used in combination with the
+CURLOPT_SSL_VERIFYPEER option. The CAPATH function apparently does not work in Windows
+due to some limitation in openssl. (Added in 7.9.8)
.TP
.B CURLOPT_PASSWDFUNCTION
Pass a pointer to a \fIcurl_passwd_callback\fP function that will be called
/* mark this as start of a cookie session */
CINIT(COOKIESESSION, LONG, 96),
+
+ /* The CApath directory used to validate the peer certificate
+ this option is used only if SSL_VERIFYPEER is true */
+ CINIT(CAPATH, OBJECTPOINT, 97),
CURLOPT_LASTENTRY /* the last unusued */
} CURLoption;
void curl_global_cleanup(void);
/* This is the version number */
-#define LIBCURL_VERSION "7.9.7"
-#define LIBCURL_VERSION_NUM 0x070907
+#define LIBCURL_VERSION "7.9.8-pre1"
+#define LIBCURL_VERSION_NUM 0x070908
/* linked-list structure for the CURLOPT_QUOTE option (and other) */
struct curl_slist {
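Review bot: The comment on the new `CINIT(CAPATH, OBJECTPOINT, 97)` entry is the only in-header documentation of the option and omits the two facts a caller needs before relying on it: the directory must be prepared with openssl's c_rehash, and it is not usable on Windows (both are stated in the man-page part of this commit but not here). Suggest `/* CApath directory (prepared with openssl c_rehash) used to validate the peer certificate; only used if SSL_VERIFYPEER is true; not supported on Windows */`. The CURLoption enum starts outside the hunk.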
* Set CA info for SSL connection. Specify file name of the CA certificate
*/
data->set.ssl.CAfile = va_arg(param, char *);
- data->set.ssl.CApath = NULL; /*This does not work on windows.*/
+ break;
+ case CURLOPT_CAPATH:
+ /*
+ * Set CA path info for SSL connection. Specify directory name of the CA certificates
+ * which have been prepared using openssl c_rehash utility.
+ */
+ data->set.ssl.CApath = va_arg(param, char *); /*This does not work on windows.*/
break;
case CURLOPT_TELNETOPTIONS:
/*
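Review bot: The comment on the new `CURLOPT_CAPATH` assignment, `/*This does not work on windows.*/`, states a limitation without the reason, so a reader of url.c cannot tell whether it is a known bug or a platform constraint; the man-page part of this commit gives the reason (c_rehash directories rely on symbolic links), and the comment should carry it: `/* Stored by reference, like CAfile above. Not usable on Windows: the c_rehash directory layout relies on symbolic links. */`. As with CAfile, the pointer from va_arg is stored without a copy, so the caller must keep the string alive for as long as the handle uses it; that ownership contract is worth stating alongside. The enclosing switch starts and ends outside the hunk.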
" --pass <pass> Specifies your passphrase for the private key (HTTPS)");
puts(" --engine <eng> Specifies the crypto engine to use (HTTPS)\n"
" --cacert <file> CA certifciate to verify peer against (SSL)\n"
+ " --capath <directory> CA directory (made using c_rehash) to verify peer against (SSL, NOT Windows)\n"
" --ciphers <list> What SSL ciphers to use (SSL)\n"
" --connect-timeout <seconds> Maximum time allowed for connection\n"
" -f/--fail Fail silently (no output at all) on errors (H)\n"
char *cert;
char *cert_type;
char *cacert;
+ char *capath;
char *key;
char *key_type;
char *key_passwd;
{"Ed","key-type", TRUE},
{"Ee","pass", TRUE},
{"Ef","engine", TRUE},
+ {"Eg","capath ", TRUE},
{"f", "fail", FALSE},
{"F", "form", TRUE},
{"g", "globoff", FALSE},
case 'f': /* crypto engine */
GetStr(&config->engine, nextarg);
break;
+ case 'g': /* CA info PEM file */
+ /* CA cert directory */
+ GetStr(&config->capath, nextarg);
+ break;
default: /* certificate file */
{
char *ptr = strchr(nextarg, ':');
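Review bot: The two comments on the new `case 'g'` contradict each other: `/* CA info PEM file */` is copied from the cacert case, while the next line says `/* CA cert directory */`, and the wrong one is the one attached to the case label. Keep a single accurate comment, `case 'g': /* CA cert directory (--capath) */`, and drop the second line. The enclosing switch starts and ends outside the hunk.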
curl_formfree(config->httppost);
if(config->cacert)
free(config->cacert);
+ if(config->capath)
+ free(config->capath);
if(config->cookiejar)
free(config->cookiejar);
curl_easy_setopt(curl, CURLOPT_SSLKEYTYPE, config->key_type);
curl_easy_setopt(curl, CURLOPT_SSLKEYPASSWD, config->key_passwd);
- if(config->cacert) {
- curl_easy_setopt(curl, CURLOPT_CAINFO, config->cacert);
+ if(config->cacert || config->capath) {
+ if (config->cacert) curl_easy_setopt(curl, CURLOPT_CAINFO, config->cacert);
+ if (config->capath) curl_easy_setopt(curl, CURLOPT_CAPATH, config->capath);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, TRUE);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2);
}
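Review bot: The two added lines place a statement on the same line as its condition, `if (config->cacert) curl_easy_setopt(curl, CURLOPT_CAINFO, config->cacert);`, while the rest of this file writes `if(cond)` with the call on its own indented line (as the `if(config->cacert)` / `free(config->cacert)` pair earlier in this commit does). I would write each as `if(config->cacert)` followed by the `curl_easy_setopt` call on the next line, which matches the file's layout and makes a later brace easy to add. The outer `if(config->cacert || config->capath)` now exists only to gate `CURLOPT_SSL_VERIFYPEER`, which is fine but deserves a comment such as `/* verification needs a CA file or directory; enable it only when one is given */` so the nested ifs are not read as redundant.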