1 .\" **************************************************************************
3 .\" * Project ___| | | | _ \| |
4 .\" * / __| | | | |_) | |
5 .\" * | (__| |_| | _ <| |___
6 .\" * \___|\___/|_| \_\_____|
8 .\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
10 .\" * This software is licensed as described in the file COPYING, which
11 .\" * you should have received as part of this distribution. The terms
12 .\" * are also available at https://curl.haxx.se/docs/copyright.html.
14 .\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 .\" * copies of the Software, and permit persons to whom the Software is
16 .\" * furnished to do so, under the terms of the COPYING file.
18 .\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 .\" * KIND, either express or implied.
21 .\" **************************************************************************
23 .TH CURLINFO_TLS_SSL_PTR 3 "May 31, 2017" "libcurl 7.59.0" "curl_easy_getinfo options"
26 CURLINFO_TLS_SESSION, CURLINFO_TLS_SSL_PTR \- get TLS session info
29 #include <curl/curl.h>
31 CURLcode curl_easy_getinfo(CURL *handle, CURLINFO_TLS_SSL_PTR,
32 struct curl_tlssessioninfo **session);
34 /* if you need compatibility with libcurl < 7.48.0 use
35 CURLINFO_TLS_SESSION instead: */
37 CURLcode curl_easy_getinfo(CURL *handle, CURLINFO_TLS_SESSION,
38 struct curl_tlssessioninfo **session);
40 Pass a pointer to a 'struct curl_tlssessioninfo *'. The pointer will be
41 initialized to refer to a 'struct curl_tlssessioninfo *' that will contain an
42 enum indicating the SSL library used for the handshake and a pointer to the
43 respective internal TLS session structure of this underlying SSL library.
45 This option may be useful for example to extract certificate information in a
46 format convenient for further processing, such as manual validation. Refer to
47 the \fBLIMITATIONS\fP section.
50 struct curl_tlssessioninfo {
51 curl_sslbackend backend;
56 The \fIbackend\fP struct member is one of the defines in the CURLSSLBACKEND_*
57 series: CURLSSLBACKEND_NONE (when built without TLS support),
58 CURLSSLBACKEND_AXTLS, CURLSSLBACKEND_CYASSL, CURLSSLBACKEND_DARWINSSL,
59 CURLSSLBACKEND_GNUTLS, CURLSSLBACKEND_GSKIT, CURLSSLBACKEND_MBEDTLS,
60 CURLSSLBACKEND_NSS, CURLSSLBACKEND_OPENSSL, CURLSSLBACKEND_POLARSSL or
61 CURLSSLBACKEND_SCHANNEL. (Note that the OpenSSL forks are all reported as just
64 The \fIinternals\fP struct member will point to a TLS library specific pointer
65 for the active ("in use") SSL connection, with the following underlying types:
74 CURLINFO_TLS_SESSION: SSL_CTX *
76 CURLINFO_TLS_SSL_PTR: SSL *
78 Since 7.48.0 the \fIinternals\fP member can point to these other SSL backends
87 .IP "Secure Channel (WinSSL)"
89 .IP "Secure Transport (DarwinSSL)"
91 .IP "WolfSSL (formerly CyaSSL)"
95 If the \fIinternals\fP pointer is NULL then either the SSL backend is not
96 supported, an SSL session has not yet been established or the connection is no
97 longer associated with the easy handle (eg curl_easy_perform has returned).
99 \fBThis option has some limitations that could make it unsafe when it comes to
100 the manual verification of certificates.\fP
102 This option only retrieves the first in-use SSL session pointer for your easy
103 handle, however your easy handle may have more than one in-use SSL session if
104 using FTP over SSL. That is because the FTP protocol has a control channel and
105 a data channel and one or both may be over SSL. \fBCurrently there is no way to
106 retrieve a second in-use SSL session associated with an easy handle.\fP
108 This option has not been thoroughly tested with plaintext protocols that can be
109 upgraded/downgraded to/from SSL: FTP, SMTP, POP3, IMAP when used with
110 \fICURLOPT_USE_SSL(3)\fP. Though you will be able to retrieve the SSL pointer,
111 it's possible that before you can do that \fBdata (including auth) may have
112 already been sent over a connection after it was upgraded.\fP
114 Renegotiation. If unsafe renegotiation or renegotiation in a way that the
115 certificate is allowed to change is allowed by your SSL library this may occur
116 and the certificate may change, and \fBdata may continue to be sent or received
117 after renegotiation but before you are able to get the (possibly) changed SSL
118 pointer,\fP with the (possibly) changed certificate information.
120 If you are using OpenSSL or wolfSSL then \fICURLOPT_SSL_CTX_FUNCTION(3)\fP can
121 be used to set a certificate verification callback in the CTX. That is safer
122 than using this option to poll for certificate changes and doesn't suffer from
123 any of the problems above. There is currently no way in libcurl to set a
124 verification callback for the other SSL backends.
126 How are you using this option? Are you affected by any of these limitations?
127 Please let us know by making a comment at
128 https://github.com/curl/curl/issues/685
133 CURL *curl = curl_easy_init();
136 struct curl_tlssessioninfo *tls;
137 curl_easy_setopt(curl, CURLOPT_URL, "https://example.com");
138 res = curl_easy_perform(curl);
139 curl_easy_getinfo(curl, CURLINFO_TLS_SSL_PTR, &tls);
140 curl_easy_cleanup(curl);
146 This option supersedes \fICURLINFO_TLS_SESSION(3)\fP which was added in 7.34.0.
147 This option is exactly the same as that option except in the case of OpenSSL.
149 Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.
151 .BR curl_easy_getinfo "(3), " curl_easy_setopt "(3), "
152 .BR CURLINFO_TLS_SESSION "(3), "