---
c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
Title: CURLOPT_PROXY_ISSUERCERT
Section: 3
Source: libcurl
See-also:
  - CURLOPT_ISSUERCERT (3)
  - CURLOPT_PROXY_SSL_VERIFYHOST (3)
  - CURLOPT_PROXY_SSL_VERIFYPEER (3)
  - CURLOPT_SSL_VERIFYHOST (3)
  - CURLOPT_SSL_VERIFYPEER (3)
Protocol:
  - TLS
TLS-backend:
  - OpenSSL
  - GnuTLS
---

# NAME

CURLOPT_PROXY_ISSUERCERT - proxy issuer SSL certificate filename

# SYNOPSIS

~~~c
#include <curl/curl.h>

CURLcode curl_easy_setopt(CURL *handle, CURLOPT_PROXY_ISSUERCERT, char *file);
~~~

# DESCRIPTION

Pass a char pointer to a null-terminated string naming a *file* holding a CA
certificate in PEM format. If the option is set, an additional check against
the peer certificate is performed to verify that the issuer of the HTTPS
proxy's certificate is indeed the one associated with the certificate provided
by the option. This additional check is useful in multi-level PKI where one
needs to enforce that the peer certificate is from a specific branch of the
tree.

This option makes sense only when used in combination with the
CURLOPT_PROXY_SSL_VERIFYPEER(3) option. Otherwise, an issuer mismatch is not
treated as a failure, so setting this option alone enforces nothing.

A specific error code (CURLE_SSL_ISSUER_ERROR) is defined with the option,
which is returned if the setup of the SSL/TLS session has failed due to a
mismatch with the issuer of the peer certificate
(CURLOPT_PROXY_SSL_VERIFYPEER(3) has to be set too for the check to
fail).

The application does not have to keep the string around after setting this
option.

# DEFAULT

NULL

# EXAMPLE

~~~c
int main(void)
{
  CURL *curl = curl_easy_init();
  if(curl) {
    CURLcode res;
    curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
    /* using an HTTPS proxy */
    curl_easy_setopt(curl, CURLOPT_PROXY, "https://localhost:443");
    curl_easy_setopt(curl, CURLOPT_PROXY_ISSUERCERT, "/etc/certs/cacert.pem");
    res = curl_easy_perform(curl);
    curl_easy_cleanup(curl);
  }
}
~~~

# AVAILABILITY

Added in 7.71.0. This option is supported by the OpenSSL and GnuTLS backends.

# RETURN VALUE

Returns CURLE_OK if the option is supported, CURLE_UNKNOWN_OPTION if not, or
CURLE_OUT_OF_MEMORY if there was insufficient heap space.