pre-srfi / tls-client

Make binary ports that talk to TLS/SSL servers
1 stars 0 forks

Relevant curl options #2

Open lassik opened 3 years ago

lassik commented 3 years ago
--cacert <CA certificate>
       (TLS) Tells curl to use the specified certificate file to verify
       the peer. The file may contain multiple CA certificates. The
       certificate(s) must be in PEM format. Normally curl is built to
       use a default file for this, so this option is typically used to
       alter that default file.

       curl recognizes the environment variable named 'CURL_CA_BUNDLE'
       if it is set, and uses the given path as a path to a CA cert
       bundle. This option overrides that variable.

       The windows version of curl will automatically look for a CA
       certs file named 'curl-ca-bundle.crt', either in the same
       directory as curl.exe, or in the Current Working Directory, or
       in any folder along your PATH.

       If curl is built against the NSS SSL library, the NSS PEM
       PKCS#11 module (libnsspem.so) needs to be available for this
       option to work properly.
--capath <dir>
       (TLS) Tells curl to use the specified certificate directory to
       verify the peer. Multiple paths can be provided by separating
       them with ":" (e.g. "path1:path2:path3"). The certificates
       must be in PEM format, and if curl is built against OpenSSL,
       the directory must have been processed using the c_rehash
       utility supplied with OpenSSL. Using --capath can allow
       OpenSSL-powered curl to make SSL-connections much more
       efficiently than using --cacert if the --cacert file contains
       many CA certificates.

       If this option is set, the default capath value will be
       ignored, and if it is used several times, the last one will be
       used.
--cert-status
       (TLS) Tells curl to verify the status of the server certificate
       by using the Certificate Status Request (aka. OCSP stapling)
       TLS extension.

       If this option is enabled and the server sends an invalid (e.g.
       expired) response, if the response suggests that the server
       certificate has been revoked, or no response at all is
       received, the verification fails.

       This is currently only implemented in the OpenSSL, GnuTLS and
       NSS backends.
-E, --cert <certificate[:password]>
       (TLS) Tells curl to use the specified client certificate file
       when getting a file with HTTPS, FTPS or another SSL-based
       protocol. The certificate must be in PKCS#12 format if using
       Secure Transport, or PEM format if using any other engine. If
       the optional password isn't specified, it will be queried for
       on the terminal. Note that this option assumes a "certificate"
       file that is the private key and the client certificate
       concatenated! See -E, --cert and --key to specify them
       independently.

       If curl is built against the NSS SSL library then this option
       can tell curl the nickname of the certificate to use within the
       NSS database defined by the environment variable SSL_DIR (or by
       default /etc/pki/nssdb). If the NSS PEM PKCS#11 module
       (libnsspem.so) is available then PEM files may be loaded. If you
       want to use a file from the current directory, please precede
       it with "./" prefix, in order to avoid confusion with a
       nickname. If the nickname contains ":", it needs to be preceded
       by "\" so that it is not recognized as password delimiter. If
       the nickname contains "\", it needs to be escaped as "\\" so
       that it is not recognized as an escape character.

       (iOS and macOS only) If curl is built against Secure Transport,
       then the certificate string can either be the name of a
       certificate/private key in the system or user keychain, or the
       path to a PKCS#12-encoded certificate and private key. If you
       want to use a file from the current directory, please precede
       it with "./" prefix, in order to avoid confusion with a
       nickname.

       If this option is used several times, the last one will be
       used.

       See also --cert-type and --key and --key-type.
--connect-timeout <seconds>
       Maximum time in seconds that you allow curl's connection to
       take. This only limits the connection phase, so if curl
       connects within the given period it will continue - if not it
       will exit. Since version 7.32.0, this option accepts decimal
       values.

       If this option is used several times, the last one will be
       used.

       See also -m, --max-time.
-k, --insecure
       (TLS) By default, every SSL connection curl makes is verified
       to be secure. This option allows curl to proceed and operate
       even for server connections otherwise considered insecure.

       The server connection is verified by making sure the server's
       certificate contains the right name and verifies successfully
       using the cert store.

       See this online resource for further details:
        https://curl.haxx.se/docs/sslcerts.html

       See also --proxy-insecure and --cacert.
--interface <name>
       Perform an operation using a specified interface. You can enter
       interface name, IP address or host name. An example could look
       like:

        curl --interface eth0:1 https://www.example.com/

       If this option is used several times, the last one will be
       used.

       See also --dns-interface.
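To see what these options amount to in a programmatic TLS client (the kind of "binary port that talks to a TLS server" this repository is about), the following added example maps the quoted curl options onto Python's `ssl.SSLContext`. It is illustrative code written for this page, not code from the tls-client project or from curl; the option names are borrowed from curl, the file paths are hypothetical placeholders, and Python's `ssl` module is used only as a stand-in for whatever TLS backend the SRFI ends up wrapping. Note the two places where the mapping is not one-to-one: `--capath` has the same c_rehash requirement on OpenSSL, and `--cert-status` (stapled OCSP verification) has no `SSLContext` equivalent, so the example refuses it rather than silently downgrading.

```python
"""Map curl's TLS options onto ssl.SSLContext (added example, not project code)."""
import socket
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass
class TlsClientOptions:
    """Subset of curl's TLS options; field names follow the curl option names."""
    cacert: Optional[str] = None          # --cacert: PEM bundle used to verify the peer
    capath: Optional[str] = None          # --capath: directory of PEM certs, c_rehash'ed
    cert: Optional[str] = None            # -E/--cert: client cert (key may be concatenated)
    key: Optional[str] = None             # --key: separate private key file, if not concatenated
    cert_status: bool = False             # --cert-status: require a valid stapled OCSP response
    insecure: bool = False                # -k/--insecure: skip peer verification entirely
    connect_timeout: Optional[float] = None  # --connect-timeout: seconds for the connect phase


def build_context(opts: TlsClientOptions) -> ssl.SSLContext:
    """Build a context that behaves like curl's defaults, then apply the overrides."""
    # create_default_context(SERVER_AUTH) loads the platform CA store and sets
    # check_hostname=True plus verify_mode=CERT_REQUIRED: curl's "verified to be
    # secure" default, i.e. right name in the cert and a chain to the store.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)

    if opts.cacert or opts.capath:
        # --cacert / --capath: add (not replace) trust anchors. As with curl on
        # OpenSSL, capath must be a c_rehash-style hashed directory to be used.
        ctx.load_verify_locations(cafile=opts.cacert, capath=opts.capath)

    if opts.cert:
        # -E/--cert: keyfile is optional when the cert file already contains the
        # private key, matching curl's "concatenated" assumption.
        ctx.load_cert_chain(certfile=opts.cert, keyfile=opts.key)

    if opts.cert_status:
        # --cert-status: ssl.SSLContext cannot demand or check a stapled OCSP
        # response, so fail loudly instead of pretending the option took effect.
        raise NotImplementedError("--cert-status has no ssl.SSLContext equivalent")

    if opts.insecure:
        # -k/--insecure: disable both checks. check_hostname must be cleared
        # first, because Python refuses CERT_NONE while hostname checking is on.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    return ctx


def describe_verification(ctx: ssl.SSLContext) -> dict:
    """Summarise what a context will verify; useful for logging the effective policy."""
    return {"verify_mode": ctx.verify_mode.name, "check_hostname": ctx.check_hostname}


def open_tls_port(host: str, port: int, opts: TlsClientOptions) -> ssl.SSLSocket:
    """Return a connected TLS socket; --connect-timeout bounds only TCP connect + handshake."""
    ctx = build_context(opts)
    raw = socket.create_connection((host, port), timeout=opts.connect_timeout)
    # server_hostname supplies SNI and the name the certificate is checked against.
    tls = ctx.wrap_socket(raw, server_hostname=host)  # handshake runs under the timeout
    tls.settimeout(None)  # like curl: once connected, the timeout no longer applies
    return tls


if __name__ == "__main__":
    print("default:", describe_verification(build_context(TlsClientOptions())))
    print("insecure:", describe_verification(build_context(TlsClientOptions(insecure=True))))
```

`build_context` is the part worth keeping separate from the socket code: it is the place a library can log the effective verification policy (via `describe_verification`) before any bytes go on the wire, which is how a caller later discovers that an `--insecure`-style flag was left switched on.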
lassik commented 3 years ago

(The reason I perused the curl manpage is that curl has especially comprehensive SSL/TLS support, so it serves as a good example and reference. As a tool, curl is only incidentally related to SSL.)