bionic (3) CURLINFO_TLS_SSL_PTR.3.gz

Provided by: libcurl4-doc_7.58.0-2ubuntu3.24_all bug

NAME
       CURLINFO_TLS_SESSION, CURLINFO_TLS_SSL_PTR - get TLS session info


SYNOPSIS
       #include <curl/curl.h>

       CURLcode curl_easy_getinfo(CURL *handle, CURLINFO_TLS_SSL_PTR,
                                  struct curl_tlssessioninfo **session);

       /* if you need compatibility with libcurl < 7.48.0 use
          CURLINFO_TLS_SESSION instead: */

       CURLcode curl_easy_getinfo(CURL *handle, CURLINFO_TLS_SESSION,
                                  struct curl_tlssessioninfo **session);


DESCRIPTION
       Pass  a  pointer  to  a  'struct  curl_tlssessioninfo  *'.  The pointer will be initialized to refer to a
       'struct curl_tlssessioninfo *' that will contain  an  enum  indicating  the  SSL  library  used  for  the
       handshake and a pointer to the respective internal TLS session structure of this underlying SSL library.

       This  option  may  be  useful  for  example to extract certificate information in a format convenient for
       further processing, such as manual validation. Refer to the LIMITATIONS section.

       struct curl_tlssessioninfo {
         curl_sslbackend backend;
         void *internals;
       };

       The backend struct member is one of the defines in the CURLSSLBACKEND_* series: CURLSSLBACKEND_NONE (when
       built   without  TLS  support),  CURLSSLBACKEND_AXTLS,  CURLSSLBACKEND_CYASSL,  CURLSSLBACKEND_DARWINSSL,
       CURLSSLBACKEND_GNUTLS,      CURLSSLBACKEND_GSKIT,       CURLSSLBACKEND_MBEDTLS,       CURLSSLBACKEND_NSS,
       CURLSSLBACKEND_OPENSSL,  CURLSSLBACKEND_POLARSSL or CURLSSLBACKEND_SCHANNEL. (Note that the OpenSSL forks
       are all reported as just OpenSSL here.)

       The internals struct member will point to a TLS library specific pointer for the active  ("in  use")  SSL
       connection, with the following underlying types:

              GnuTLS gnutls_session_t

              gskit  gsk_handle

              NSS    PRFileDesc *

              OpenSSL
                     CURLINFO_TLS_SESSION: SSL_CTX *

                     CURLINFO_TLS_SSL_PTR: SSL *
       Since 7.48.0 the internals member can point to these other SSL backends as well:

              axTLS  SSL *

              mbedTLS
                     mbedtls_ssl_context *

              PolarSSL
                     ssl_context *

              Secure Channel (WinSSL)
                     CtxtHandle *

              Secure Transport (DarwinSSL)
                     SSLContext *

              WolfSSL (formerly CyaSSL)
                     SSL *

       If the internals pointer is NULL then either the SSL backend is not supported, an SSL session has not yet
       been established or the connection is no longer associated with the easy handle (eg curl_easy_perform has
       returned).


LIMITATIONS
       This  option  has  some limitations that could make it unsafe when it comes to the manual verification of
       certificates.

       This option only retrieves the first in-use SSL session pointer for your easy handle, however  your  easy
       handle  may have more than one in-use SSL session if using FTP over SSL. That is because the FTP protocol
       has a control channel and a data channel and one or both may be over SSL. Currently there is  no  way  to
       retrieve a second in-use SSL session associated with an easy handle.

       This  option  has  not  been  thoroughly  tested with plaintext protocols that can be upgraded/downgraded
       to/from SSL: FTP, SMTP, POP3, IMAP when used with CURLOPT_USE_SSL(3). Though you will be able to retrieve
       the  SSL  pointer,  it's possible that before you can do that data (including auth) may have already been
       sent over a connection after it was upgraded.

       Renegotiation. If unsafe renegotiation or renegotiation in a way  that  the  certificate  is  allowed  to
       change  is  allowed  by  your  SSL  library  this  may occur and the certificate may change, and data may
       continue to be sent or received after renegotiation but before you are able to get the (possibly) changed
       SSL pointer, with the (possibly) changed certificate information.

       If  you  are  using  OpenSSL or wolfSSL then CURLOPT_SSL_CTX_FUNCTION(3) can be used to set a certificate
       verification callback in the CTX. That is safer than using this option to poll  for  certificate  changes
       and  doesn't  suffer  from  any  of  the  problems  above.  There is currently no way in libcurl to set a
       verification callback for the other SSL backends.

       How are you using this option? Are you affected by any of these  limitations?   Please  let  us  know  by
       making a comment at https://github.com/curl/curl/issues/685


PROTOCOLS
       All TLS-based


EXAMPLE
       CURL *curl = curl_easy_init();
       if(curl) {
         CURLcode res;
         struct curl_tlssessioninfo *tls;
         curl_easy_setopt(curl, CURLOPT_URL, "https://example.com");
         res = curl_easy_perform(curl);
         curl_easy_getinfo(curl, CURLINFO_TLS_SSL_PTR, &tls);
         curl_easy_cleanup(curl);
       }


AVAILABILITY
       Added in 7.48.0.

       This  option  supersedes  CURLINFO_TLS_SESSION(3)  which was added in 7.34.0.  This option is exactly the
       same as that option except in the case of OpenSSL.


RETURN VALUE
       Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.


SEE ALSO
       curl_easy_getinfo(3), curl_easy_setopt(3), CURLINFO_TLS_SESSION(3),