Revert "Imported Upstream version 7.53.1"

[platform/upstream/curl.git] / docs / libcurl / opts / CURLINFO_TLS_SSL_PTR.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
 "http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>CURLINFO_TLS_SSL_PTR man page</title>
<meta name="generator" content="roffit">
<STYLE type="text/css">
pre {
  overflow: auto;
  margin: 0;
}

P.level0, pre.level0 {
 padding-left: 2em;
}

P.level1, pre.level1 {
 padding-left: 4em;
}

P.level2, pre.level2 {
 padding-left: 6em;
}

span.emphasis {
 font-style: italic;
}

span.bold {
 font-weight: bold;
}

span.manpage {
 font-weight: bold;
}

h2.nroffsh {
 background-color: #e0e0e0;
}

span.nroffip {
 font-weight: bold;
 font-size: 120%;
 font-family: monospace;
}

p.roffit {
 text-align: center;
 font-size: 80%;
}
</STYLE>
</head><body>

<p class="level0"><a name="NAME"></a><h2 class="nroffsh">NAME</h2>
<p class="level0">CURLINFO_TLS_SESSION, CURLINFO_TLS_SSL_PTR - get TLS session info <a name="SYNOPSIS"></a><h2 class="nroffsh">SYNOPSIS</h2>
<p class="level0"><pre class="level0">
&#35;include &lt;curl/curl.h&gt;
&nbsp;
CURLcode curl_easy_getinfo(CURL *handle, CURLINFO_TLS_SSL_PTR,
&nbsp;                          struct curl_tlssessioninfo **session);
&nbsp;
/* if you need compatibility with libcurl &lt; 7.48.0 use
&nbsp;  CURLINFO_TLS_SESSION instead: */
&nbsp;
CURLcode curl_easy_getinfo(CURL *handle, CURLINFO_TLS_SESSION,
&nbsp;                          struct curl_tlssessioninfo **session);
</pre>
<a name="DESCRIPTION"></a><h2 class="nroffsh">DESCRIPTION</h2>
<p class="level0">Pass a pointer to a 'struct curl_tlssessioninfo *'.  The pointer will be initialized to refer to a 'struct curl_tlssessioninfo *' that will contain an enum indicating the SSL library used for the handshake and a pointer to the respective internal TLS session structure of this underlying SSL library. 
<p class="level0">This option may be useful for example to extract certificate information in a format convenient for further processing, such as manual validation. Refer to the <a class="bold" href="#LIMITATIONS">LIMITATIONS</a> section. 
<p class="level0"><pre class="level0">
struct curl_tlssessioninfo {
&nbsp; curl_sslbackend backend;
&nbsp; void *internals;
};
</pre>

<p class="level0">
<p class="level0">The <span Class="emphasis">backend</span> struct member is one of the defines in the CURLSSLBACKEND_* series: CURLSSLBACKEND_NONE (when built without TLS support), CURLSSLBACKEND_AXTLS, CURLSSLBACKEND_CYASSL, CURLSSLBACKEND_DARWINSSL, CURLSSLBACKEND_GNUTLS, CURLSSLBACKEND_GSKIT, CURLSSLBACKEND_MBEDTLS, CURLSSLBACKEND_NSS, CURLSSLBACKEND_OPENSSL, CURLSSLBACKEND_POLARSSL or CURLSSLBACKEND_SCHANNEL. (Note that the OpenSSL forks are all reported as just OpenSSL here.) 
<p class="level0">The <span Class="emphasis">internals</span> struct member will point to a TLS library specific pointer for the active ("in use") SSL connection, with the following underlying types: 
<p class="level1">
<p class="level0"><a name="GnuTLS"></a><span class="nroffip">GnuTLS</span> 
<p class="level1">gnutls_session_t 
<p class="level0"><a name="gskit"></a><span class="nroffip">gskit</span> 
<p class="level1">gsk_handle 
<p class="level0"><a name="NSS"></a><span class="nroffip">NSS</span> 
<p class="level1">PRFileDesc * 
<p class="level0"><a name="OpenSSL"></a><span class="nroffip">OpenSSL</span> 
<p class="level1">CURLINFO_TLS_SESSION: SSL_CTX * 
<p class="level1">CURLINFO_TLS_SSL_PTR: SSL * 
<p class="level0">Since 7.48.0 the <span Class="emphasis">internals</span> member can point to these other SSL backends as well: 
<p class="level1">
<p class="level0"><a name="axTLS"></a><span class="nroffip">axTLS</span> 
<p class="level1">SSL * 
<p class="level0"><a name="mbedTLS"></a><span class="nroffip">mbedTLS</span> 
<p class="level1">mbedtls_ssl_context * 
<p class="level0"><a name="PolarSSL"></a><span class="nroffip">PolarSSL</span> 
<p class="level1">ssl_context * 
<p class="level0"><a name="Secure"></a><span class="nroffip">Secure Channel (WinSSL)</span> 
<p class="level1">CtxtHandle * 
<p class="level0"><a name="Secure"></a><span class="nroffip">Secure Transport (DarwinSSL)</span> 
<p class="level1">SSLContext * 
<p class="level0"><a name="WolfSSL"></a><span class="nroffip">WolfSSL (formerly CyaSSL)</span> 
<p class="level1">SSL * 
<p class="level0">
<p class="level0">If the <span Class="emphasis">internals</span> pointer is NULL then either the SSL backend is not supported, an SSL session has not yet been established or the connection is no longer associated with the easy handle (eg curl_easy_perform has returned). <a name="LIMITATIONS"></a><h2 class="nroffsh">LIMITATIONS</h2>
<p class="level0"><span class="bold">This option has some limitations that could make it unsafe when it comes to the manual verification of certificates.</span> 
<p class="level0">This option only retrieves the first in-use SSL session pointer for your easy handle, however your easy handle may have more than one in-use SSL session if using FTP over SSL. That is because the FTP protocol has a control channel and a data channel and one or both may be over SSL. <span class="bold">Currently there is no way to retrieve a second in-use SSL session associated with an easy handle.</span> 
<p class="level0">This option has not been thoroughly tested with plaintext protocols that can be upgraded/downgraded to/from SSL: FTP, SMTP, POP3, IMAP when used with <a Class="emphasis" href="./CURLOPT_USE_SSL.html">CURLOPT_USE_SSL</a>. Though you will be able to retrieve the SSL pointer, it's possible that before you can do that <span class="bold">data (including auth) may have already been sent over a connection after it was upgraded.</span> 
<p class="level0">Renegotiation. If unsafe renegotiation or renegotiation in a way that the certificate is allowed to change is allowed by your SSL library this may occur and the certificate may change, and <span class="bold">data may continue to be sent or received after renegotiation but before you are able to get the (possibly) changed SSL pointer,</span> with the (possibly) changed certificate information. 
<p class="level0">If you are using OpenSSL or wolfSSL then <a Class="emphasis" href="./CURLOPT_SSL_CTX_FUNCTION.html">CURLOPT_SSL_CTX_FUNCTION</a> can be used to set a certificate verification callback in the CTX. That is safer than using this option to poll for certificate changes and doesn't suffer from any of the problems above. There is currently no way in libcurl to set a verification callback for the other SSL backends. 
<p class="level0">How are you using this option? Are you affected by any of these limitations? Please let us know by making a comment at <a href="https://github.com/curl/curl/issues/685">https://github.com/curl/curl/issues/685</a> <a name="PROTOCOLS"></a><h2 class="nroffsh">PROTOCOLS</h2>
<p class="level0">All TLS-based <a name="EXAMPLE"></a><h2 class="nroffsh">EXAMPLE</h2>
<p class="level0">TODO <a name="AVAILABILITY"></a><h2 class="nroffsh">AVAILABILITY</h2>
<p class="level0">Added in 7.48.0. 
<p class="level0">This option supersedes <a Class="emphasis" href="./CURLINFO_TLS_SESSION.html">CURLINFO_TLS_SESSION</a> which was added in 7.34.0. This option is exactly the same as that option except in the case of OpenSSL. <a name="RETURN"></a><h2 class="nroffsh">RETURN VALUE</h2>
<p class="level0">Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not. <a name="SEE"></a><h2 class="nroffsh">SEE ALSO</h2>
<p class="level0"><span Class="manpage">curl_easy_getinfo (3)</span>, <span Class="manpage">curl_easy_setopt (3)</span>, <a Class="manpage" href="./CURLINFO_TLS_SESSION.html">CURLINFO_TLS_SESSION</a><p class="roffit">
 This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</body></html>