1---
2c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
3SPDX-License-Identifier: curl
4Title: CURLOPT_PROXY_ISSUERCERT
5Section: 3
6Source: libcurl
7See-also:
8  - CURLOPT_ISSUERCERT (3)
9  - CURLOPT_PROXY_SSL_VERIFYHOST (3)
10  - CURLOPT_PROXY_SSL_VERIFYPEER (3)
11  - CURLOPT_SSL_VERIFYHOST (3)
12  - CURLOPT_SSL_VERIFYPEER (3)
13Protocol:
14  - TLS
15TLS-backend:
16  - OpenSSL
17  - GnuTLS
18---
19
20# NAME
21
22CURLOPT_PROXY_ISSUERCERT - proxy issuer SSL certificate filename
23
24# SYNOPSIS
25
26~~~c
27#include <curl/curl.h>
28
29CURLcode curl_easy_setopt(CURL *handle, CURLOPT_PROXY_ISSUERCERT, char *file);
30~~~
31
32# DESCRIPTION
33
34Pass a char pointer to a null-terminated string naming a *file* holding a CA
35certificate in PEM format. If the option is set, an additional check against
36the peer certificate is performed to verify the issuer of the HTTPS proxy is
37indeed the one associated with the certificate provided by the option. This
38additional check is useful in multi-level PKI where one needs to enforce that
39the peer certificate is from a specific branch of the tree.
40
41This option makes sense only when used in combination with the
42CURLOPT_PROXY_SSL_VERIFYPEER(3) option. Otherwise, the result of the
43check is not considered as failure.
44
45A specific error code (CURLE_SSL_ISSUER_ERROR) is defined with the option,
46which is returned if the setup of the SSL/TLS session has failed due to a
47mismatch with the issuer of peer certificate
48(CURLOPT_PROXY_SSL_VERIFYPEER(3) has to be set too for the check to
49fail).
50
51The application does not have to keep the string around after setting this
52option.
53
54# DEFAULT
55
56NULL
57
58# EXAMPLE
59
60~~~c
61int main(void)
62{
63  CURL *curl = curl_easy_init();
64  if(curl) {
65    CURLcode res;
66    curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
67    /* using an HTTPS proxy */
68    curl_easy_setopt(curl, CURLOPT_PROXY, "https://localhost:443");
69    curl_easy_setopt(curl, CURLOPT_PROXY_ISSUERCERT, "/etc/certs/cacert.pem");
70    res = curl_easy_perform(curl);
71    curl_easy_cleanup(curl);
72  }
73}
74~~~
75
76# AVAILABILITY
77
78Added in 7.71.0. This option is supported by the OpenSSL and GnuTLS backends.
79
80# RETURN VALUE
81
82Returns CURLE_OK if the option is supported, CURLE_UNKNOWN_OPTION if not, or
83CURLE_OUT_OF_MEMORY if there was insufficient heap space.
84