From fc77790bcd451f32a0f60a5e4073b2be54fb40e9 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Tue, 18 Jan 2011 13:53:43 +0100 Subject: nss: fix a bug in handling of CURLOPT_CAPATH ... and update the curl.1 and curl_easy_setopt.3 man pages such that they do not suggest to use an OpenSSL utility if curl is not built against OpenSSL. Bug: https://bugzilla.redhat.com/669702 --- docs/curl.1 | 10 +++++----- docs/libcurl/curl_easy_setopt.3 | 16 +++++++++------- 2 files changed, 14 insertions(+), 12 deletions(-) (limited to 'docs') diff --git a/docs/curl.1 b/docs/curl.1 index 0ff183245..33b5e0269 100644 --- a/docs/curl.1 +++ b/docs/curl.1 @@ -394,11 +394,11 @@ may be loaded. If this option is used several times, the last one will be used. .IP "--capath " (SSL) Tells curl to use the specified certificate directory to verify the -peer. The certificates must be in PEM format, and the directory must have been -processed using the c_rehash utility supplied with openssl. Using -\fI--capath\fP can allow curl to make SSL-connections much more efficiently -than using \fI--cacert\fP if the \fI--cacert\fP file contains many CA -certificates. +peer. The certificates must be in PEM format, and if curl is built against +OpenSSL, the directory must have been processed using the c_rehash utility +supplied with OpenSSL. Using \fI--capath\fP can allow OpenSSL-powered curl to +make SSL-connections much more efficiently than using \fI--cacert\fP if the +\fI--cacert\fP file contains many CA certificates. If this option is used several times, the last one will be used. .IP "-f/--fail" diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 index 8c14c7dcc..bd342a125 100644 --- a/docs/libcurl/curl_easy_setopt.3 +++ b/docs/libcurl/curl_easy_setopt.3 
@@ -1924,13 +1924,15 @@ mismatch with the issuer of peer certificate (\fICURLOPT_SSL_VERIFYPEER\fP has to be set too for the check to fail). (Added in 7.19.0) .IP CURLOPT_CAPATH Pass a char * to a zero terminated string naming a directory holding multiple -CA certificates to verify the peer with. The certificate directory must be -prepared using the openssl c_rehash utility. This makes sense only when used -in combination with the \fICURLOPT_SSL_VERIFYPEER\fP option. If -\fICURLOPT_SSL_VERIFYPEER\fP is zero, \fICURLOPT_CAPATH\fP need not even -indicate an accessible path. The \fICURLOPT_CAPATH\fP function apparently -does not work in Windows due to some limitation in openssl. This option is -OpenSSL-specific and does nothing if libcurl is built to use GnuTLS. +CA certificates to verify the peer with. If libcurl is built against OpenSSL, +the certificate directory must be prepared using the openssl c_rehash utility. +This makes sense only when used in combination with the +\fICURLOPT_SSL_VERIFYPEER\fP option. If \fICURLOPT_SSL_VERIFYPEER\fP is zero, +\fICURLOPT_CAPATH\fP need not even indicate an accessible path. The +\fICURLOPT_CAPATH\fP function apparently does not work in Windows due to some +limitation in openssl. This option is OpenSSL-specific and does nothing if +libcurl is built to use GnuTLS. NSS-powered libcurl provides the option only +for backward compatibility. .IP CURLOPT_CRLFILE Pass a char * to a zero terminated string naming a file with the concatenation of CRL (in PEM format) to use in the certificate validation that occurs during -- cgit v1.2.3
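Review bot: In the docs/curl.1 hunk, the reworded --capath paragraph says what the directory must look like only "if curl is built against OpenSSL" and gives no statement for any other build. The curl_easy_setopt.3 hunk in the same patch says the option does nothing with GnuTLS and is provided by NSS "only for backward compatibility", but curl.1 carries neither sentence, so a command-line user on a non-OpenSSL build cannot tell from this page whether the directory they pass to --capath is used for peer verification at all. Suggest mirroring those two sentences in curl.1 after "supplied with OpenSSL." so both man pages describe the same behaviour.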
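Review bot: In the docs/libcurl/curl_easy_setopt.3 hunk, the last added sentence sits directly after the retained "This option is OpenSSL-specific", so the paragraph now says the option is both OpenSSL-specific and provided by NSS-powered libcurl. "Only for backward compatibility" also does not say whether the certificates in the directory are loaded and trusted when verifying the peer, which is the thing an application setting CURLOPT_CAPATH together with CURLOPT_SSL_VERIFYPEER needs to know. Suggest dropping or rewording "OpenSSL-specific" and stating explicitly what an NSS build does with the path. Minor: the added lines write "OpenSSL" while the retained lines in the same paragraph still write "openssl" for the library ("limitation in openssl"); pick one spelling.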