From 172b2beba6b89b632c09be7a88645e3a0607cfe9 Mon Sep 17 00:00:00 2001
From: Jay Satiro <raysatiro@yahoo.com>
Date: Fri, 17 Jul 2015 02:40:16 -0400
Subject: SSL: Add an option to disable certificate revocation checks

New tool option --ssl-no-revoke.
New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS.

Currently this option applies only to WinSSL where we have automatic
certificate revocation checking by default. According to the
ssl-compared chart there are other backends that have automatic checking
(NSS, wolfSSL and DarwinSSL) so we could possibly accommodate them at
some later point.

Bug: https://github.com/bagder/curl/issues/264
Reported-by: zenden2k <zenden2k@gmail.com>
---
 docs/SSL-PROBLEMS | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

(limited to 'docs/SSL-PROBLEMS')

diff --git a/docs/SSL-PROBLEMS b/docs/SSL-PROBLEMS
index 5a56d3da5..45faa241c 100644
--- a/docs/SSL-PROBLEMS
+++ b/docs/SSL-PROBLEMS
@@ -71,3 +71,17 @@ Allow BEAST
   introduced. Exactly as it sounds, it re-introduces the BEAST vulnerability
   but on the other hand it allows curl to connect to that kind of strange
   servers.
+
+Disabling certificate revocation checks
+
+  Some SSL backends may do certificate revocation checks (CRL, OCSP, etc)
+  depending on the OS or build configuration. The --ssl-no-revoke option was
+  introduced in 7.44.0 to disable revocation checking but currently is only
+  supported for WinSSL (the native Windows SSL library), with an exception in
+  the case of Windows' Untrusted Publishers blacklist which it seems can't be
+  bypassed. This option may have broader support to accommodate other SSL
+  backends in the future.
+
+  References:
+
+  http://curl.haxx.se/docs/ssl-compared.html
-- 
cgit v1.2.3