1---
2c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
3SPDX-License-Identifier: curl
4Title: CURLOPT_CRLFILE
5Section: 3
6Source: libcurl
7See-also:
8  - CURLOPT_PROXY_CRLFILE (3)
9  - CURLOPT_SSL_VERIFYHOST (3)
10  - CURLOPT_SSL_VERIFYPEER (3)
11Protocol:
12  - TLS
13TLS-backend:
14  - GnuTLS
15  - mbedTLS
16  - OpenSSL
17---
18
19# NAME
20
21CURLOPT_CRLFILE - Certificate Revocation List file
22
23# SYNOPSIS
24
25~~~c
26#include <curl/curl.h>
27
28CURLcode curl_easy_setopt(CURL *handle, CURLOPT_CRLFILE, char *file);
29~~~
30
31# DESCRIPTION
32
Pass a char pointer to a null-terminated string naming a *file* that holds one
or more CRLs (in PEM format), concatenated, to use in the certificate
validation that occurs during the SSL exchange.
36
When curl is built to use GnuTLS, there is no way to influence how the passed
CRL is used in the verification process.
39
40When libcurl is built with OpenSSL support, X509_V_FLAG_CRL_CHECK and
41X509_V_FLAG_CRL_CHECK_ALL are both set, requiring CRL check against all the
42elements of the certificate chain if a CRL file is passed. Also note that
43CURLOPT_CRLFILE(3) implies **CURLSSLOPT_NO_PARTIALCHAIN** (see
44CURLOPT_SSL_OPTIONS(3)) since curl 7.71.0 due to an OpenSSL bug.
45
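This option makes sense only when used in combination with the
CURLOPT_SSL_VERIFYPEER(3) option: the CRL is consulted as part of verifying
the peer certificate, so with verification disabled a revoked certificate is
not rejected.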
48
A specific error code (*CURLE_SSL_CRL_BADFILE*) is defined with the option. It
is returned when the SSL exchange fails because the CRL file cannot be
loaded. A certificate verification failure caused by revocation information
found in the CRL does not trigger this specific error; it is reported as a
certificate verification failure instead.
53
54The application does not have to keep the string around after setting this
55option.
56
57# DEFAULT
58
59NULL
60
61# EXAMPLE
62
63~~~c
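/*
 * Fetch a URL over TLS with a CRL file set, and report through the exit
 * status whether the transfer (including certificate verification)
 * succeeded.
 */
int main(void)
{
  int rc = 1; /* stays non-zero unless the transfer succeeds */
  CURL *curl = curl_easy_init();
  if(curl) {
    CURLcode res;
    curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
    /* the CRL is only meaningful together with peer verification, so
       request it explicitly rather than rely on an earlier setting */
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
    curl_easy_setopt(curl, CURLOPT_CRLFILE, "/etc/certs/crl.pem");
    res = curl_easy_perform(curl);
    /* CURLE_SSL_CRL_BADFILE means the CRL file could not be loaded; a
       revoked certificate fails the transfer with a different error code.
       Either way, anything but CURLE_OK is treated as a failure. */
    if(res == CURLE_OK) {
      rc = 0;
    }
    curl_easy_cleanup(curl);
  }
  return rc;
}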
75~~~
76
77# AVAILABILITY
78
79Added in 7.19.0
80
81# RETURN VALUE
82
83Returns CURLE_OK if the option is supported, CURLE_UNKNOWN_OPTION if not, or
84CURLE_OUT_OF_MEMORY if there was insufficient heap space.
85