diff options
-rw-r--r-- | docs/curl.1 | 10 | ||||
-rw-r--r-- | src/tool_cfgable.h | 1 | ||||
-rw-r--r-- | src/tool_getparam.c | 5 | ||||
-rw-r--r-- | src/tool_operate.c | 3 |
4 files changed, 19 insertions, 0 deletions
diff --git a/docs/curl.1 b/docs/curl.1 index 0b9971cd2..40cfbedff 100644 --- a/docs/curl.1 +++ b/docs/curl.1 @@ -552,6 +552,16 @@ This is currently only implemented in the OpenSSL, GnuTLS and GSKit backends. If this option is used several times, the last one will be used. (Added in 7.39.0) +.IP "--cert-status" +(SSL) Tells curl to verify the status of the server certificate by using the +Certificate Status Request (aka. OCSP stapling) TLS extension. + +If this option is enabled and the server sends an invalid (e.g. expired) +response, if the response suggests that the server certificate has been revoked, +or no response at all is received, the verification fails. + +This is currently only implemented in the GnuTLS and NSS backends. +(Added in 7.41.0) .IP "-f, --fail" (HTTP) Fail silently (no output at all) on server errors. This is mostly done to better enable scripts etc to better deal with failed attempts. In normal diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h index cf8d563b0..4008cd0c2 100644 --- a/src/tool_cfgable.h +++ b/src/tool_cfgable.h @@ -126,6 +126,7 @@ struct OperationConfig { bool globoff; bool use_httpget; bool insecure_ok; /* set TRUE to allow insecure SSL connects */ + bool verifystatus; bool create_dirs; bool ftp_create_dirs; bool ftp_skip_ip; diff --git a/src/tool_getparam.c b/src/tool_getparam.c index 3932ccbf5..ee198c36c 100644 --- a/src/tool_getparam.c +++ b/src/tool_getparam.c @@ -217,6 +217,7 @@ static const struct LongShort aliases[]= { {"En", "ssl-allow-beast", FALSE}, {"Eo", "login-options", TRUE}, {"Ep", "pinnedpubkey", TRUE}, + {"Eq", "cert-status", FALSE}, {"f", "fail", FALSE}, {"F", "form", TRUE}, {"Fs", "form-string", TRUE}, @@ -1363,6 +1364,10 @@ ParameterError getparameter(char *flag, /* f or -long-flag */ GetStr(&config->pinnedpubkey, nextarg); break; + case 'q': /* --cert-status */ + config->verifystatus = TRUE; + break; + default: /* certificate file */ { char *certname, *passphrase; diff --git a/src/tool_operate.c b/src/tool_operate.c index a21bbcaf4..04fd59b88 100644 --- a/src/tool_operate.c +++ b/src/tool_operate.c @@ -1038,6 +1038,9 @@ static CURLcode operate_do(struct GlobalConfig *global, /* libcurl default is strict verifyhost -> 2L */ /* my_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L); */ } + + if(config->verifystatus) + my_setopt(curl, CURLOPT_SSL_VERIFYSTATUS, 1L); } if(built_in_protos & (CURLPROTO_SCP|CURLPROTO_SFTP)) { |