- Introducing CURLOPT_CERTINFO and the corresponding CURLINFO_CERTINFO. By

  enabling this feature with CURLOPT_CERTINFO for a request using SSL (HTTPS
  or FTPS), libcurl will gather lots of server certificate info and that info
  can then get extracted by a client after the request has completed with
  curl_easy_getinfo()'s CURLINFO_CERTINFO option. Linus Nielsen Feltzing
  helped me test and smoothen out this feature.

  Unfortunately, this feature currently only works with libcurl built to use
  OpenSSL.

  This feature was sponsored by networking4all.com - thanks!

3 files changed, 70 insertions, 2 deletions

diff --git a/docs/examples/Makefile.inc b/docs/examples/Makefile.inc
index 68b66c3e3..c3ee0228b 100644
--- a/docs/examples/Makefile.inc
+++ b/docs/examples/Makefile.inc
@@ -5,7 +5,7 @@ check_PROGRAMS = 10-at-a-time anyauthput cookie_interface \
   https multi-app multi-debugcallback multi-double \
   multi-post multi-single persistant post-callback \
   postit2 sepheaders simple simplepost simplessl \
-  sendrecv httpcustomheader
+  sendrecv httpcustomheader certinfo
 
 # These examples require external dependencies that may not be commonly
 # available on POSIX systems, so don't bother attempting to compile them here.
@@ -14,4 +14,3 @@ COMPLICATED_EXAMPLES = \
  ghiper.c hiperfifo.c htmltidy.c multithread.c \
  opensslthreadlock.c sampleconv.c synctime.c threaded-ssl.c
 
-
diff --git a/docs/examples/certinfo.c b/docs/examples/certinfo.c
new file mode 100644
index 000000000..b0e9759f4
--- /dev/null
+++ b/docs/examples/certinfo.c
@@ -0,0 +1,62 @@
+/*****************************************************************************
+ */
+
+#include <stdio.h>
+
+#include <curl/curl.h>
+#include <curl/types.h>
+#include <curl/easy.h>
+
+static size_t wrfu(void *ptr,  size_t  size,  size_t  nmemb,  void *stream)
+{
+  return size * nmemb;
+}
+int main(int argc, char **argv)
+{
+  CURL *curl;
+  CURLcode res;
+
+  curl_global_init(CURL_GLOBAL_DEFAULT);
+
+  curl = curl_easy_init();
+  if(curl) {
+    curl_easy_setopt(curl, CURLOPT_URL, "https://www.networking4all.com/");
+
+    curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, wrfu);
+
+    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
+    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
+
+    curl_easy_setopt(curl, CURLOPT_VERBOSE, 0L);
+    curl_easy_setopt(curl, CURLOPT_CERTINFO, 1L);
+
+    res = curl_easy_perform(curl);
+
+    if(!res) {
+      struct curl_certinfo *ci = NULL;
+
+      res = curl_easy_getinfo(curl, CURLINFO_CERTINFO, &ci);
+
+      if(!res && ci) {
+        int i;
+        printf("%d certs!\n", ci->num_of_certs);
+
+        for(i=0; i<ci->num_of_certs; i++) {
+          struct curl_slist *slist;
+
+          for(slist = ci->certinfo[i]; slist; slist = slist->next)
+            printf("%s\n", slist->data);
+
+        }
+      }
+
+    }
+
+
+    curl_easy_cleanup(curl);
+  }
+
+  curl_global_cleanup();
+
+  return 0;
+}
diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
index 6059e38bf..e07776ccf 100644
--- a/docs/libcurl/curl_easy_setopt.3
+++ b/docs/libcurl/curl_easy_setopt.3
@@ -1496,6 +1496,13 @@ A specific error code (CURLE_SSL_CRL_BADFILE) is defined with the option. It
 is returned when the SSL exchange fails because the CRL file cannot be loaded.
 Note that a failure in certificate verification due to a revocation information
 found in the CRL does not trigger this specific error. (Added in 7.19.0)
+.IP CURLOPT_CERTINFO
+Pass a long set to 1 to enable libcurl's certificate chain info gatherer. With
+this enabled, libcurl (if built with OpenSSL) will extract lots of information
+and data about the certificate's in the certificate chain used in the SSL
+connection. This data is then possible to extract after a transfer using
+\fIcurl_easy_getinfo(3)\fP and its option \fICURLINFO_CERTINFO\fP. (Added in
+7.19.0)
 .IP CURLOPT_RANDOM_FILE
 Pass a char * to a zero terminated file name. The file will be used to read
 from to seed the random engine for SSL. The more random the specified file is,