---
c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
Title: CURLOPT_PROXY_ISSUERCERT
Section: 3
Source: libcurl
See-also:
  - CURLOPT_ISSUERCERT (3)
  - CURLOPT_PROXY_SSL_VERIFYHOST (3)
  - CURLOPT_PROXY_SSL_VERIFYPEER (3)
  - CURLOPT_SSL_VERIFYHOST (3)
  - CURLOPT_SSL_VERIFYPEER (3)
Protocol:
  - TLS
TLS-backend:
  - OpenSSL
  - GnuTLS
Added-in: 7.71.0
---

# NAME

CURLOPT_PROXY_ISSUERCERT - proxy issuer SSL certificate filename

# SYNOPSIS

~~~c
#include <curl/curl.h>

CURLcode curl_easy_setopt(CURL *handle, CURLOPT_PROXY_ISSUERCERT, char *file);
~~~

# DESCRIPTION

Pass a char pointer to a null-terminated string naming a *file* holding a CA
certificate in PEM format. If the option is set, an additional check against
the peer certificate is performed to verify that the issuer of the HTTPS
proxy's certificate is indeed the one associated with the certificate provided
by the option. This additional check is useful in multi-level PKI where one
needs to enforce that the peer certificate is from a specific branch of the
tree.

This option makes sense only when used in combination with the
CURLOPT_PROXY_SSL_VERIFYPEER(3) option. Otherwise, a mismatch found by this
check is not treated as a failure, so the issuer restriction is not enforced.

A specific error code (CURLE_SSL_ISSUER_ERROR) is defined with the option,
which is returned if the setup of the SSL/TLS session has failed due to a
mismatch with the issuer of the peer certificate
(CURLOPT_PROXY_SSL_VERIFYPEER(3) has to be set too for the check to fail).

The application does not have to keep the string around after setting this
option.

Using this option multiple times makes the last set string override the
previous ones. Set it to NULL to disable its use again.

# DEFAULT

NULL

# %PROTOCOLS%

# EXAMPLE

~~~c
int main(void)
{
  CURL *curl = curl_easy_init();
  if(curl) {
    CURLcode res;
    curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
    /* using an HTTPS proxy */
    curl_easy_setopt(curl, CURLOPT_PROXY, "https://localhost:443");
    curl_easy_setopt(curl, CURLOPT_PROXY_ISSUERCERT, "/etc/certs/cacert.pem");
    res = curl_easy_perform(curl);
    curl_easy_cleanup(curl);
  }
}
~~~

# %AVAILABILITY%

# RETURN VALUE

Returns CURLE_OK if the option is supported, CURLE_UNKNOWN_OPTION if not, or
CURLE_OUT_OF_MEMORY if there was insufficient heap space.