1---
2c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
3SPDX-License-Identifier: curl
4Title: CURLOPT_SSL_VERIFYPEER
5Section: 3
6Source: libcurl
7See-also:
8  - CURLINFO_CAINFO (3)
9  - CURLINFO_CAPATH (3)
10  - CURLOPT_CAINFO (3)
11  - CURLOPT_PROXY_SSL_VERIFYHOST (3)
12  - CURLOPT_PROXY_SSL_VERIFYPEER (3)
13  - CURLOPT_SSL_VERIFYHOST (3)
14Protocol:
15  - TLS
16TLS-backend:
17  - All
18Added-in: 7.4.2
19---
20
21# NAME
22
23CURLOPT_SSL_VERIFYPEER - verify the peer's SSL certificate
24
25# SYNOPSIS
26
27~~~c
28#include <curl/curl.h>
29
30CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSL_VERIFYPEER, long verify);
31~~~
32
33# DESCRIPTION
34
35Pass a long as parameter to enable or disable.
36
37This option determines whether curl verifies the authenticity of the peer's
38certificate. A value of 1 means curl verifies; 0 (zero) means it does not.
39
40When negotiating a TLS or SSL connection, the server sends a certificate
41indicating its identity. Curl verifies whether the certificate is authentic,
42i.e. that you can trust that the server is who the certificate says it is.
43This trust is based on a chain of digital signatures, rooted in certification
44authority (CA) certificates you supply. curl uses a default bundle of CA
45certificates (the path for that is determined at build time) and you can
46specify alternate certificates with the CURLOPT_CAINFO(3) option or the
47CURLOPT_CAPATH(3) option.
48
49When CURLOPT_SSL_VERIFYPEER(3) is enabled, and the verification fails to
50prove that the certificate is signed by a CA, the connection fails.
51
52When this option is disabled (set to zero), the CA certificates are not loaded
53and the peer certificate verification is simply skipped.
54
55Authenticating the certificate is not enough to be sure about the server. You
56typically also want to ensure that the server is the server you mean to be
57talking to. Use CURLOPT_SSL_VERIFYHOST(3) for that. The check that the host
58name in the certificate is valid for the hostname you are connecting to is
59done independently of the CURLOPT_SSL_VERIFYPEER(3) option.
60
61WARNING: disabling verification of the certificate allows bad guys to
62man-in-the-middle the communication without you knowing it. Disabling
63verification makes the communication insecure. Just having encryption on a
64transfer is not enough as you cannot be sure that you are communicating with
65the correct end-point.
66
67When libcurl uses secure protocols it trusts responses and allows for example
68HSTS and Alt-Svc information to be stored and used subsequently. Disabling
69certificate verification can make libcurl trust and use such information from
70malicious servers.
71
72# DEFAULT
73
741 - enabled
75
76# %PROTOCOLS%
77
78# EXAMPLE
79
80~~~c
81int main(void)
82{
83  CURL *curl = curl_easy_init();
84  if(curl) {
85    curl_easy_setopt(curl, CURLOPT_URL, "https://example.com");
86
87    /* Set the default value: strict certificate check please */
88    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
89
90    curl_easy_perform(curl);
91  }
92}
93~~~
94
95# %AVAILABILITY%
96
97# RETURN VALUE
98
99Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.
100