1---
2c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
3SPDX-License-Identifier: curl
4Title: CURLOPT_CRLFILE
5Section: 3
6Source: libcurl
7See-also:
8  - CURLOPT_PROXY_CRLFILE (3)
9  - CURLOPT_SSL_VERIFYHOST (3)
10  - CURLOPT_SSL_VERIFYPEER (3)
11Protocol:
12  - TLS
13TLS-backend:
14  - GnuTLS
15  - mbedTLS
16  - OpenSSL
17  - rustls
18Added-in: 7.19.0
19---
20
21# NAME
22
23CURLOPT_CRLFILE - Certificate Revocation List file
24
25# SYNOPSIS
26
27~~~c
28#include <curl/curl.h>
29
30CURLcode curl_easy_setopt(CURL *handle, CURLOPT_CRLFILE, char *file);
31~~~
32
33# DESCRIPTION
34
Pass a char pointer to a null-terminated string naming a *file* that holds one
or more concatenated CRLs (in PEM format) to use in the certificate validation
that occurs during the SSL exchange.
38
When curl is built to use GnuTLS, there is no way to influence how the passed
CRL is used in the verification process.
41
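When libcurl is built with OpenSSL support, X509_V_FLAG_CRL_CHECK and
X509_V_FLAG_CRL_CHECK_ALL are both set, requiring a CRL check against all the
elements of the certificate chain if a CRL file is passed. In practice this
means the file needs to provide a CRL for each certificate in the chain, not
only for the server certificate; a certificate for which no CRL is found fails
verification. Also note that CURLOPT_CRLFILE(3) implies
**CURLSSLOPT_NO_PARTIALCHAIN** (see CURLOPT_SSL_OPTIONS(3)) since curl 7.71.0
due to an OpenSSL bug.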
47
48This option makes sense only when used in combination with the
49CURLOPT_SSL_VERIFYPEER(3) option.
50
A specific error code (*CURLE_SSL_CRL_BADFILE*) is defined with the option. It
is returned when the SSL exchange fails because the CRL file cannot be loaded.
A certificate verification failure caused by revocation information found in
the CRL does not trigger this specific error.
55
56The application does not have to keep the string around after setting this
57option.
58
59Using this option multiple times makes the last set string override the
60previous ones. Set it to NULL to disable its use again.
61
62# DEFAULT
63
64NULL
65
66# %PROTOCOLS%
67
68# EXAMPLE
69
70~~~c
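/* Fetch a URL over TLS while checking the server's certificate chain against
 * a local CRL file. The exit status is non-zero when the CRL option is
 * rejected or the transfer fails, so a missing revocation check is not
 * silently ignored. */
int main(void)
{
  int rc = 1; /* assume failure until the transfer succeeds */
  CURL *curl = curl_easy_init();
  if(curl) {
    CURLcode res;
    curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");

    /* a non-OK result means this build cannot use a CRL file; stop here
       rather than transfer without revocation checking */
    res = curl_easy_setopt(curl, CURLOPT_CRLFILE, "/etc/certs/crl.pem");
    if(res == CURLE_OK) {
      /* returns CURLE_SSL_CRL_BADFILE if the CRL file cannot be loaded */
      res = curl_easy_perform(curl);
      if(res == CURLE_OK) {
        rc = 0;
      }
    }
    curl_easy_cleanup(curl);
  }
  return rc;
}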
82~~~
83
84# %AVAILABILITY%
85
86# RETURN VALUE
87
88Returns CURLE_OK if the option is supported, CURLE_UNKNOWN_OPTION if not, or
89CURLE_OUT_OF_MEMORY if there was insufficient heap space.
90