From b6a16afa0aa516b3791efe2e5d779fe67f9d3e0d Mon Sep 17 00:00:00 2001 From: Patrick Schlangen Date: Thu, 21 Jun 2018 21:14:40 +0200 Subject: CURLOPT_SSL_VERIFYPEER.3: Add performance note Closes #2673 --- docs/libcurl/opts/CURLOPT_SSL_VERIFYPEER.3 | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/docs/libcurl/opts/CURLOPT_SSL_VERIFYPEER.3 b/docs/libcurl/opts/CURLOPT_SSL_VERIFYPEER.3 index f7ff1b203..e8ad671f7 100644 --- a/docs/libcurl/opts/CURLOPT_SSL_VERIFYPEER.3 +++ b/docs/libcurl/opts/CURLOPT_SSL_VERIFYPEER.3 @@ -5,7 +5,7 @@ .\" * | (__| |_| | _ <| |___ .\" * \___|\___/|_| \_\_____| .\" * -.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al. +.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al. .\" * .\" * This software is licensed as described in the file COPYING, which .\" * you should have received as part of this distribution. The terms @@ -57,6 +57,15 @@ man-in-the-middle the communication without you knowing it. Disabling verification makes the communication insecure. Just having encryption on a transfer is not enough as you cannot be sure that you are communicating with the correct end-point. + +NOTE: even when this option is disabled, depending on the used TLS backend, +curl may still load the certificate file specified in +\fICURLOPT_CAINFO(3)\fP. curl default settings in some distributions might +use quite a large file as a default setting for \fICURLOPT_CAINFO(3)\fP, +so loading the file can be quite expensive, especially when dealing +with many connections. Thus, in some situations, you might want to disable +verification fully to save resources by setting \fICURLOPT_CAINFO(3)\f to +NULL - but please also consider the warning above! .SH DEFAULT By default, curl assumes a value of 1. .SH PROTOCOLS @@ -81,3 +90,4 @@ Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not. .BR CURLOPT_SSL_VERIFYHOST "(3), " .BR CURLOPT_PROXY_SSL_VERIFYPEER "(3), " .BR CURLOPT_PROXY_SSL_VERIFYHOST "(3), " +.BR CURLOPT_CAINFO "(3), " -- cgit v1.2.3