manpagez: man pages & more
man CURLINFO_TLS_SSL_PTR(3)
Home | html | info | man
CURLINFO_TLS_SSL_PTR(3)    Library Functions Manual    CURLINFO_TLS_SSL_PTR(3)


NAME

       CURLINFO_TLS_SESSION, CURLINFO_TLS_SSL_PTR - get TLS session info


SYNOPSIS

       #include <curl/curl.h>

       CURLcode curl_easy_getinfo(CURL *handle, CURLINFO_TLS_SSL_PTR,
                                  struct curl_tlssessioninfo **session);

       /* if you need compatibility with libcurl < 7.48.0 use
          CURLINFO_TLS_SESSION instead: */

       CURLcode curl_easy_getinfo(CURL *handle, CURLINFO_TLS_SESSION,
                                  struct curl_tlssessioninfo **session);


DESCRIPTION

       Pass a pointer to a struct curl_tlssessioninfo *. The pointer is
       initialized to refer to a struct curl_tlssessioninfo * that contains an
       enum indicating the SSL library used for the handshake and a pointer to
       the respective internal TLS session structure of this underlying SSL
       library.

       This option may be useful for example to extract certificate
       information in a format convenient for further processing, such as
       manual validation. Refer to the LIMITATIONS section.

       struct curl_tlssessioninfo {
         curl_sslbackend backend;
         void *internals;
       };

       The backend struct member is one of the defines in the CURLSSLBACKEND_*
       series: CURLSSLBACKEND_NONE (when built without TLS support),
       CURLSSLBACKEND_WOLFSSL, CURLSSLBACKEND_SECURETRANSPORT,
       CURLSSLBACKEND_GNUTLS, CURLSSLBACKEND_MBEDTLS, CURLSSLBACKEND_NSS,
       CURLSSLBACKEND_OPENSSL or CURLSSLBACKEND_SCHANNEL. (Note that the
       OpenSSL forks are all reported as just OpenSSL here.)

       The internals struct member points to a TLS library specific pointer
       for the active ("in use") SSL connection, with the following underlying
       types:

       GnuTLS gnutls_session_t

       OpenSSL
              CURLINFO_TLS_SESSION(3): SSL_CTX *

              CURLINFO_TLS_SSL_PTR(3): SSL * Since 7.48.0 the internals member
              can point to these other SSL backends as well:

       mbedTLS
              mbedTLS_ssl_context *

       Secure Channel
              CtxtHandle *

       Secure Transport
              SSLContext *

       wolfSSL
              SSL *

       If the internals pointer is NULL then either the SSL backend is not
       supported, an SSL session has not yet been established or the
       connection is no longer associated with the easy handle (e.g.
       curl_easy_perform(3) has returned).


LIMITATIONS

       This option has some limitations that could make it unsafe when it
       comes to the manual verification of certificates.

       This option only retrieves the first in-use SSL session pointer for
       your easy handle, however your easy handle may have more than one
       in-use SSL session if using FTP over SSL. That is because the FTP
       protocol has a control channel and a data channel and one or both may
       be over SSL. Currently there is no way to retrieve a second in-use SSL
       session associated with an easy handle.

       This option has not been thoroughly tested with clear text protocols
       that can be upgraded/downgraded to/from SSL: FTP, SMTP, POP3, IMAP when
       used with CURLOPT_USE_SSL(3). Though you can to retrieve the SSL
       pointer, it is possible that before you can do that, data (including
       auth) may have already been sent over a connection after it was
       upgraded.

       Renegotiation. If unsafe renegotiation or renegotiation in a way that
       the certificate is allowed to change is allowed by your SSL library
       this may occur and the certificate may change, and data may continue to
       be sent or received after renegotiation but before you are able to get
       the (possibly) changed SSL pointer, with the (possibly) changed
       certificate information.

       Instead of using this option to poll for certificate changes use
       CURLOPT_SSL_CTX_FUNCTION(3) to set a verification callback, if
       supported.  That is safer and does not suffer from any of the problems
       above.

       How are you using this option? Are you affected by any of these
       limitations?  Please let us know by making a comment at
       https://github.com/curl/curl/issues/685


PROTOCOLS

       This functionality affects all TLS based protocols: HTTPS, FTPS, IMAPS,
       POP3S, SMTPS etc.

       This option works only with the following TLS backends: BearSSL,
       GnuTLS, OpenSSL, Schannel, Secure Transport, mbedTLS and wolfSSL


EXAMPLE

       #include <curl/curl.h>
       #include <openssl/ssl.h>

       CURL *curl;
       static size_t wf(void *ptr, size_t size, size_t nmemb, void *stream)
       {
         const struct curl_tlssessioninfo *info = NULL;
         CURLcode res = curl_easy_getinfo(curl, CURLINFO_TLS_SSL_PTR, &info);
         if(info && !res) {
           if(CURLSSLBACKEND_OPENSSL == info->backend) {
             printf("OpenSSL ver. %s\n", SSL_get_version((SSL*)info->internals));
           }
         }
         return size * nmemb;
       }

       int main(int argc, char **argv)
       {
         CURLcode res;
         curl = curl_easy_init();
         if(curl) {
           curl_easy_setopt(curl, CURLOPT_URL, "https://example.com");
           curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, wf);
           res = curl_easy_perform(curl);
           curl_easy_cleanup(curl);
         }
         return res;
       }


HISTORY

       This option supersedes CURLINFO_TLS_SESSION(3) which was added in
       7.34.0.  This option is exactly the same as that option except in the
       case of OpenSSL.


AVAILABILITY

       Added in curl 7.48.0


RETURN VALUE

       Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION
       if not.


SEE ALSO

       CURLINFO_TLS_SESSION(3), curl_easy_getinfo(3), curl_easy_setopt(3)

libcurl                           2024-08-05           CURLINFO_TLS_SSL_PTR(3)

curl 8.9.1 - Generated Wed Aug 7 15:04:27 CDT 2024
© manpagez.com 2000-2024
Individual documents may contain additional copyright information.