aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--docs/curl.112
-rw-r--r--docs/libcurl/curl_easy_setopt.316
-rw-r--r--include/curl/curl.h8
-rw-r--r--lib/url.c8
-rw-r--r--src/main.c14
5 files changed, 48 insertions, 10 deletions
diff --git a/docs/curl.1 b/docs/curl.1
index 01b89fb50..10ff68f4a 100644
--- a/docs/curl.1
+++ b/docs/curl.1
@@ -211,7 +211,17 @@ certificate concatenated!
If this option is used several times, the last one will be used.
.IP "--cacert <CA certificate>"
(HTTPS) Tells curl to use the specified certificate file to verify the
-peer. The certificate must be in PEM format.
+peer. The file may contain multiple CA certificates. The certificate(s) must
+be in PEM format.
+
+If this option is used several times, the last one will be used.
+.IP "--capath <CA certificate directory>"
+(HTTPS) Tells curl to use the specified certificate directory to verify the
+peer. The certificates must be in PEM format, and the directory must have been
+processed using the c_rehash utility supplied with openssl. Certificate directories
+are not supported under Windows (because c_rehash uses symbolink links to
+create them). Using --capath can allow curl to make https connections much
+more efficiently than using --cacert if the --cacert file contains many CA certificates.
If this option is used several times, the last one will be used.
.IP "-f/--fail"
diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
index 5635ebdb4..a118a15d6 100644
--- a/docs/libcurl/curl_easy_setopt.3
+++ b/docs/libcurl/curl_easy_setopt.3
@@ -514,12 +514,20 @@ argument in the progress callback set with \fICURLOPT_PROGRESSFUNCTION\fP.
.B CURLOPT_SSL_VERIFYPEER
Pass a long that is set to a non-zero value to make curl verify the peer's
certificate. The certificate to verify against must be specified with the
-CURLOPT_CAINFO option. (Added in 7.4.2)
+CURLOPT_CAINFO option (Added in 7.4.2) or a certificate directory must be specified
+with the CURLOPT_CAPATH option (Added in 7.9.8).
.TP
.B CURLOPT_CAINFO
-Pass a char * to a zero terminated file naming holding the certificate to
-verify the peer with. This only makes sense when used in combination with the
-CURLOPT_SSL_VERIFYPEER option. (Added in 7.4.2)
+Pass a char * to a zero terminated string naming a file holding one or more
+certificates to verify the peer with. This only makes sense when used in
+combination with the CURLOPT_SSL_VERIFYPEER option. (Added in 7.4.2)
+.TP
+.B CURLOPT_CAPATH
+Pass a char * to a zero terminated string naming a directory holding multiple CA
+certificates to verify the peer with. The certificate directory must be prepared using
+the openssl c_rehash utility. This only makes sense when used in combination with the
+CURLOPT_SSL_VERIFYPEER option. The CAPATH function apparently does not work in Windows
+due to some limitation in openssl. (Added in 7.9.8)
.TP
.B CURLOPT_PASSWDFUNCTION
Pass a pointer to a \fIcurl_passwd_callback\fP function that will be called
diff --git a/include/curl/curl.h b/include/curl/curl.h
index ea975c68b..23065c70f 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -544,6 +544,10 @@ typedef enum {
/* mark this as start of a cookie session */
CINIT(COOKIESESSION, LONG, 96),
+
+ /* The CApath directory used to validate the peer certificate
+ this option is used only if SSL_VERIFYPEER is true */
+ CINIT(CAPATH, OBJECTPOINT, 97),
CURLOPT_LASTENTRY /* the last unusued */
} CURLoption;
@@ -728,8 +732,8 @@ CURLcode curl_global_init(long flags);
void curl_global_cleanup(void);
/* This is the version number */
-#define LIBCURL_VERSION "7.9.7"
-#define LIBCURL_VERSION_NUM 0x070907
+#define LIBCURL_VERSION "7.9.8-pre1"
+#define LIBCURL_VERSION_NUM 0x070908
/* linked-list structure for the CURLOPT_QUOTE option (and other) */
struct curl_slist {
diff --git a/lib/url.c b/lib/url.c
index 62e727e93..d008ba459 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -981,7 +981,13 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, ...)
* Set CA info for SSL connection. Specify file name of the CA certificate
*/
data->set.ssl.CAfile = va_arg(param, char *);
- data->set.ssl.CApath = NULL; /*This does not work on windows.*/
+ break;
+ case CURLOPT_CAPATH:
+ /*
+ * Set CA path info for SSL connection. Specify directory name of the CA certificates
+ * which have been prepared using openssl c_rehash utility.
+ */
+ data->set.ssl.CApath = va_arg(param, char *); /*This does not work on windows.*/
break;
case CURLOPT_TELNETOPTIONS:
/*
diff --git a/src/main.c b/src/main.c
index 606b9e341..9254e941b 100644
--- a/src/main.c
+++ b/src/main.c
@@ -345,6 +345,7 @@ static void help(void)
" --pass <pass> Specifies your passphrase for the private key (HTTPS)");
puts(" --engine <eng> Specifies the crypto engine to use (HTTPS)\n"
" --cacert <file> CA certifciate to verify peer against (SSL)\n"
+ " --capath <directory> CA directory (made using c_rehash) to verify peer against (SSL, NOT Windows)\n"
" --ciphers <list> What SSL ciphers to use (SSL)\n"
" --connect-timeout <seconds> Maximum time allowed for connection\n"
" -f/--fail Fail silently (no output at all) on errors (H)\n"
@@ -454,6 +455,7 @@ struct Configurable {
char *cert;
char *cert_type;
char *cacert;
+ char *capath;
char *key;
char *key_type;
char *key_passwd;
@@ -999,6 +1001,7 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */
{"Ed","key-type", TRUE},
{"Ee","pass", TRUE},
{"Ef","engine", TRUE},
+ {"Eg","capath ", TRUE},
{"f", "fail", FALSE},
{"F", "form", TRUE},
{"g", "globoff", FALSE},
@@ -1335,6 +1338,10 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */
case 'f': /* crypto engine */
GetStr(&config->engine, nextarg);
break;
+ case 'g': /* CA info PEM file */
+ /* CA cert directory */
+ GetStr(&config->capath, nextarg);
+ break;
default: /* certificate file */
{
char *ptr = strchr(nextarg, ':');
@@ -2082,6 +2089,8 @@ void free_config_fields(struct Configurable *config)
curl_formfree(config->httppost);
if(config->cacert)
free(config->cacert);
+ if(config->capath)
+ free(config->capath);
if(config->cookiejar)
free(config->cookiejar);
@@ -2558,8 +2567,9 @@ operate(struct Configurable *config, int argc, char *argv[])
curl_easy_setopt(curl, CURLOPT_SSLKEYTYPE, config->key_type);
curl_easy_setopt(curl, CURLOPT_SSLKEYPASSWD, config->key_passwd);
- if(config->cacert) {
- curl_easy_setopt(curl, CURLOPT_CAINFO, config->cacert);
+ if(config->cacert || config->capath) {
+ if (config->cacert) curl_easy_setopt(curl, CURLOPT_CAINFO, config->cacert);
+ if (config->capath) curl_easy_setopt(curl, CURLOPT_CAPATH, config->capath);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, TRUE);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2);
}