-rw-r--r--docs/curl.110
-rw-r--r--src/tool_cfgable.h1
-rw-r--r--src/tool_getparam.c5
-rw-r--r--src/tool_operate.c3
4 files changed, 19 insertions, 0 deletions
diff --git a/docs/curl.1 b/docs/curl.1
index 0b9971cd2..40cfbedff 100644
--- a/docs/curl.1
+++ b/docs/curl.1
@@ -552,6 +552,16 @@ This is currently only implemented in the OpenSSL, GnuTLS and GSKit backends.
If this option is used several times, the last one will be used.
(Added in 7.39.0)
+.IP "--cert-status"
+(SSL) Tells curl to verify the status of the server certificate by using the
+Certificate Status Request (aka. OCSP stapling) TLS extension.
+
+If this option is enabled and the server sends an invalid (e.g. expired)
+response, if the response suggests that the server certificate has been revoked,
+or no response at all is received, the verification fails.
+
+This is currently only implemented in the GnuTLS and NSS backends.
+(Added in 7.41.0)
.IP "-f, --fail"
(HTTP) Fail silently (no output at all) on server errors. This is mostly done
to better enable scripts etc to better deal with failed attempts. In normal
diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h
index cf8d563b0..4008cd0c2 100644
--- a/src/tool_cfgable.h
+++ b/src/tool_cfgable.h
@@ -126,6 +126,7 @@ struct OperationConfig {
bool globoff;
bool use_httpget;
bool insecure_ok; /* set TRUE to allow insecure SSL connects */
+ bool verifystatus;
bool create_dirs;
bool ftp_create_dirs;
bool ftp_skip_ip;
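Review bot: The new `verifystatus` field carries no comment, unlike `insecure_ok` directly above it, so a reader of the struct cannot tell that it controls the OCSP stapling check. I would write it as `bool verifystatus; /* set TRUE to require a valid stapled OCSP response (--cert-status) */`. The definition of struct OperationConfig starts and ends outside this hunk.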
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
index 3932ccbf5..ee198c36c 100644
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@@ -217,6 +217,7 @@ static const struct LongShort aliases[]= {
{"En", "ssl-allow-beast", FALSE},
{"Eo", "login-options", TRUE},
{"Ep", "pinnedpubkey", TRUE},
+ {"Eq", "cert-status", FALSE},
{"f", "fail", FALSE},
{"F", "form", TRUE},
{"Fs", "form-string", TRUE},
@@ -1363,6 +1364,10 @@ ParameterError getparameter(char *flag, /* f or -long-flag */
GetStr(&config->pinnedpubkey, nextarg);
break;
+ case 'q': /* --cert-status */
+ config->verifystatus = TRUE;
+ break;
+
default: /* certificate file */
{
char *certname, *passphrase;
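Review bot: The `case 'q'` branch assigns the constant `TRUE`, so a negated form of the option would not switch the check back off after a config file or an earlier argument enabled it. If getparameter tracks a toggle value for boolean flags (not visible in this hunk), `config->verifystatus = toggle;` would be the consistent form. The current behaviour errs on the strict side, but it should be either documented or made symmetric. The enclosing switch and function continue outside the hunk.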
diff --git a/src/tool_operate.c b/src/tool_operate.c
index a21bbcaf4..04fd59b88 100644
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@@ -1038,6 +1038,9 @@ static CURLcode operate_do(struct GlobalConfig *global,
/* libcurl default is strict verifyhost -> 2L */
/* my_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L); */
}
+
+ if(config->verifystatus)
+ my_setopt(curl, CURLOPT_SSL_VERIFYSTATUS, 1L);
}
if(built_in_protos & (CURLPROTO_SCP|CURLPROTO_SFTP)) {
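Review bot: The call `my_setopt(curl, CURLOPT_SSL_VERIFYSTATUS, 1L)` is the only enforcement point for --cert-status, and the man page text in this commit says only the GnuTLS and NSS backends implement it, so the outcome on other backends should be made explicit here. If `my_setopt` propagates the setopt error (its definition is not visible in this hunk), the transfer fails closed, which is the right behaviour for a revocation check. A comment such as `/* fails the transfer if the TLS backend lacks OCSP stapling support */` would record that intent. It is also worth confirming that the check is meant to stay active when `insecure_ok` is set, since the new lines sit after the branch holding the verifyhost comment rather than inside it. The body of operate_do starts and ends outside the hunk.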