author Daniel Stenberg <daniel@haxx.se> 2011-01-19 12:54:17 +0100
committer Daniel Stenberg <daniel@haxx.se> 2011-01-19 12:54:17 +0100
commit b35622f387e7c85d7eba7c8af1a9ee6dcbee5dc0
tree c0485d942c89268ff1c3ff5103849b99d39c2bb0
parent ce24fdaa2cc5cbeef6be44131fdb81be799b5a6c
curl_easy_setopt.3: clarify VERIFYHOST/PEER
Extended the descriptions somewhat and made the options get listed next to each other.
-rw-r--r-- docs/libcurl/curl_easy_setopt.3 41
1 files changed, 22 insertions, 19 deletions
diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
index bd342a125..e6e412305 100644
--- a/docs/libcurl/curl_easy_setopt.3
+++ b/docs/libcurl/curl_easy_setopt.3
@@ -1888,12 +1888,14 @@ CA certificates and you can specify alternate certificates with the
When \fICURLOPT_SSL_VERIFYPEER\fP is nonzero, and the verification fails to
prove that the certificate is authentic, the connection fails. When the
-option is zero, the connection succeeds regardless.
+option is zero, the peer certificate verification succeeds regardless.
Authenticating the certificate is not by itself very useful. You typically
want to ensure that the server, as authentically identified by its
certificate, is the server you mean to be talking to. Use
-\fICURLOPT_SSL_VERIFYHOST\fP to control that.
+\fICURLOPT_SSL_VERIFYHOST\fP to control that. The check that the host name in
+the certificate is valid for the host name you're connecting to is done
+independently of the \fICURLOPT_SSL_VERIFYPEER\fP option.
.IP CURLOPT_CAINFO
Pass a char * to a zero terminated string naming a file holding one or more
certificates to verify the peer with. This makes sense only when used in
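Review bot: In the changed sentence for a zero \fICURLOPT_SSL_VERIFYPEER\fP, "the peer certificate verification succeeds regardless" reads as if a check still runs and passes. Wording such as "the connection is not failed on the basis of the peer certificate" would describe the outcome without implying the certificate was found authentic. The added sentence about the host name check being done independently could also spell out the consequence the paragraph already implies: with VERIFYPEER at zero, the name being matched comes from a certificate that was never authenticated, so a passing host name check on its own says little about who the server is.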
@@ -1951,20 +1953,6 @@ A specific error code (CURLE_SSL_CRL_BADFILE) is defined with the option. It
is returned when the SSL exchange fails because the CRL file cannot be loaded.
A failure in certificate verification due to a revocation information found in
the CRL does not trigger this specific error. (Added in 7.19.0)
-.IP CURLOPT_CERTINFO
-Pass a long set to 1 to enable libcurl's certificate chain info gatherer. With
-this enabled, libcurl (if built with OpenSSL) will extract lots of information
-and data about the certificates in the certificate chain used in the SSL
-connection. This data is then possible to extract after a transfer using
-\fIcurl_easy_getinfo(3)\fP and its option \fICURLINFO_CERTINFO\fP. (Added in
-7.19.1)
-.IP CURLOPT_RANDOM_FILE
-Pass a char * to a zero terminated file name. The file will be used to read
-from to seed the random engine for SSL. The more random the specified file is,
-the more secure the SSL connection will become.
-.IP CURLOPT_EGDSOCKET
-Pass a char * to the zero terminated path name to the Entropy Gathering Daemon
-socket. It will be used to seed the random engine for SSL.
.IP CURLOPT_SSL_VERIFYHOST
Pass a long as parameter.
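Review bot: With these three entries removed, the CURLOPT_SSL_VERIFYHOST entry now follows the CRL file text directly, but the first hunk shows ".IP CURLOPT_CAINFO" still starting right after the VERIFYPEER description, so the two options end up closer together rather than next to each other as the commit message puts it. If adjacency is the goal, consider moving the VERIFYHOST entry up to sit directly after VERIFYPEER instead of moving CERTINFO, RANDOM_FILE and EGDSOCKET down.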
@@ -1988,10 +1976,25 @@ doesn't matter what name it says. (This is not ordinarily a useful setting).
When the value is 0, the connection succeeds regardless of the names in the
certificate.
-The default, since 7.10, is 2.
+The default value for this option is 2.
-This option controls checking the server's claimed identity. The server could
-be lying. To control lying, see \fICURLOPT_SSL_VERIFYPEER\fP.
+This option controls checking the server's certificate's claimed identity.
+The server could be lying. To control lying, see
+\fICURLOPT_SSL_VERIFYPEER\fP.
+.IP CURLOPT_CERTINFO
+Pass a long set to 1 to enable libcurl's certificate chain info gatherer. With
+this enabled, libcurl (if built with OpenSSL) will extract lots of information
+and data about the certificates in the certificate chain used in the SSL
+connection. This data is then possible to extract after a transfer using
+\fIcurl_easy_getinfo(3)\fP and its option \fICURLINFO_CERTINFO\fP. (Added in
+7.19.1)
+.IP CURLOPT_RANDOM_FILE
+Pass a char * to a zero terminated file name. The file will be used to read
+from to seed the random engine for SSL. The more random the specified file is,
+the more secure the SSL connection will become.
+.IP CURLOPT_EGDSOCKET
+Pass a char * to the zero terminated path name to the Entropy Gathering Daemon
+socket. It will be used to seed the random engine for SSL.
.IP CURLOPT_SSL_CIPHER_LIST
Pass a char *, pointing to a zero terminated string holding the list of
ciphers to use for the SSL connection. The list must be syntactically correct,
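Review bot: The replacement for "The default, since 7.10, is 2." drops the version in which the default took effect, which readers building against or supporting older libcurl releases need in order to know whether they must set the option explicitly. Keeping it, for example "The default value for this option is 2 (since 7.10).", preserves that. In the same hunk, "To control lying" stays vague; saying that \fICURLOPT_SSL_VERIFYPEER\fP is what authenticates the certificate carrying the claimed name would make the cross-reference concrete.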