ca-native.md: sync with CURLSSLOPT_NATIVE_CA

- Add that the native CA store is used to verify certs in addition to the other certificate location settings. Basically clarify that --ca-native does not override --cacert etc.

Prior to this change that behavior was only documented in CURLSSLOPT_NATIVE_CA which is what --ca-native maps to.

Ref: https://github.com/curl/curl/pull/16181#issuecomment-2663998865
Closes https://github.com/curl/curl/pull/16373
parent 3100fb45b7
commit 2335cbaa21
@ -12,18 +12,27 @@ See-also:
|
||||
- capath
|
||||
- dump-ca-embed
|
||||
- insecure
|
||||
- proxy-ca-native
|
||||
Example:
|
||||
- --ca-native $URL
|
||||
---
|
||||
|
||||
# `--ca-native`
|
||||
|
||||
Use the CA store from the native operating system to verify the peer. By
|
||||
default, curl otherwise uses a CA store provided in a single file or
|
||||
directory, but when using this option it interfaces the operating system's own
|
||||
vault.
|
||||
Use the operating system's native CA store for certificate verification.
|
||||
|
||||
This option works for curl on Windows when built to use OpenSSL, wolfSSL
|
||||
(added in 8.3.0) or GnuTLS (added in 8.5.0). When curl on Windows is built to
|
||||
use Schannel, this feature is implied and curl then only uses the native CA
|
||||
store.
|
||||
This option is independent of other CA certificate locations set at run time or
|
||||
build time. Those locations are searched in addition to the native CA store.
|
||||
|
||||
This option works with OpenSSL and its forks (LibreSSL, BoringSSL, etc) on
|
||||
Windows. (Added in 7.71.0)
|
||||
|
||||
This option works with wolfSSL on Windows, Linux (Debian, Ubuntu, Gentoo,
|
||||
Fedora, RHEL), macOS, Android and iOS. (Added in 8.3.0)
|
||||
|
||||
This option works with GnuTLS. (Added in 8.5.0)
|
||||
|
||||
This option currently has no effect for Schannel or Secure Transport. Those are
|
||||
native TLS libraries from Microsoft and Apple, respectively, that by default
|
||||
use the native CA store for verification unless overridden by a CA certificate
|
||||
location setting.
|
||||
|
||||
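Review bot: The new paragraph "Those locations are searched in addition to the native CA store" reads as unconditional, but the last paragraph of this hunk says Schannel and Secure Transport use the native store "unless overridden by a CA certificate location setting", so on those backends a CA location replaces the native store instead of adding to it. Suggest scoping the "in addition" sentence to the backends where the option has an effect, for example "With the TLS backends listed below, those locations are searched in addition to the native CA store", so the two paragraphs do not contradict each other.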
@ -8,6 +8,7 @@ Category: tls
|
||||
Added: 8.2.0
|
||||
Multi: boolean
|
||||
See-also:
|
||||
- ca-native
|
||||
- cacert
|
||||
- capath
|
||||
- dump-ca-embed
|
||||
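Review bot: The See-also list visible here gains ca-native but still names only the non-proxy cacert and capath, while the rewritten body in the next hunk talks about "other HTTPS proxy CA certificate locations". Unless they are already listed below the lines shown, consider adding proxy-cacert and proxy-capath so readers can find the settings this option combines with.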
@ -18,11 +19,12 @@ Example:
|
||||
|
||||
# `--proxy-ca-native`
|
||||
|
||||
Use the CA store from the native operating system to verify the HTTPS proxy.
|
||||
By default, curl uses a CA store provided in a single file or directory, but
|
||||
when using this option it interfaces the operating system's own vault.
|
||||
Use the operating system's native CA store for certificate verification of the
|
||||
HTTPS proxy.
|
||||
|
||||
This option works for curl on Windows when built to use OpenSSL, wolfSSL
|
||||
(added in 8.3.0) or GnuTLS (added in 8.5.0). When curl on Windows is built to
|
||||
use Schannel, this feature is implied and curl then only uses the native CA
|
||||
store.
|
||||
This option is independent of other HTTPS proxy CA certificate locations set at
|
||||
run time or build time. Those locations are searched in addition to the native
|
||||
CA store.
|
||||
|
||||
Equivalent to --ca-native but used in HTTPS proxy context. Refer to --ca-native
|
||||
for TLS backend limitations.
|
||||
|
||||
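Review bot: "Those locations are searched in addition to the native CA store" should spell out the trust consequence for the proxy case: combining this option with a proxy CA file or directory widens the set of accepted issuers to everything in the OS store and does not restrict verification to that file. A short sentence saying so after "CA store." would help users who rely on a private proxy CA. Also note that the earlier sentence about Schannel using only the native store is gone from this page, so a reader now has to follow "Refer to --ca-native for TLS backend limitations" to learn that the option has no effect on that backend.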
@ -70,13 +70,13 @@ precedence. (Added in 7.70.0)
|
||||
## CURLSSLOPT_NATIVE_CA
|
||||
|
||||
Tell libcurl to use the operating system's native CA store for certificate
|
||||
verification. If you set this option and also set a CA certificate file or
|
||||
directory then during verification those certificates are searched in addition
|
||||
to the native CA store.
|
||||
verification. This option is independent of other CA certificate locations set
|
||||
at run time or build time. Those locations are searched in addition to the
|
||||
native CA store.
|
||||
|
||||
Works with wolfSSL on Windows, Linux (Debian, Ubuntu, Gentoo, Fedora, RHEL),
|
||||
macOS, Android and iOS (added in 8.3.0), with GnuTLS (added in 8.5.0) or on
|
||||
Windows when built to use OpenSSL (Added in 7.71.0).
|
||||
macOS, Android and iOS (added in 8.3.0); with GnuTLS (added in 8.5.0) and with
|
||||
OpenSSL and its forks (LibreSSL, BoringSSL, etc) on Windows (Added in 7.71.0).
|
||||
|
||||
## CURLSSLOPT_AUTO_CLIENT_CERT
|
||||
|
||||
|
||||
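Review bot: The rewritten version sentence mixes "(added in 8.3.0)", "(added in 8.5.0)" and "(Added in 7.71.0)"; use one capitalization, and write "etc." with a period. To be fully in sync with the ca-native.md text in this same commit, this section should also carry the note that the option has no effect for Schannel or Secure Transport, since "independent of other CA certificate locations" is otherwise stated without that exception.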
@ -68,13 +68,13 @@ precedence. (Added in 7.70.0)
|
||||
## CURLSSLOPT_NATIVE_CA
|
||||
|
||||
Tell libcurl to use the operating system's native CA store for certificate
|
||||
verification. If you set this option and also set a CA certificate file or
|
||||
directory then during verification those certificates are searched in addition
|
||||
to the native CA store.
|
||||
verification. This option is independent of other CA certificate locations set
|
||||
at run time or build time. Those locations are searched in addition to the
|
||||
native CA store.
|
||||
|
||||
Works with wolfSSL on Windows, Linux (Debian, Ubuntu, Gentoo, Fedora, RHEL),
|
||||
macOS, Android and iOS (added in 8.3.0), with GnuTLS (added in 8.5.0) or on
|
||||
Windows when built to use OpenSSL (Added in 7.71.0).
|
||||
macOS, Android and iOS (added in 8.3.0); with GnuTLS (added in 8.5.0) and with
|
||||
OpenSSL and its forks (LibreSSL, BoringSSL, etc) on Windows (Added in 7.71.0).
|
||||
|
||||
## CURLSSLOPT_AUTO_CLIENT_CERT
|
||||
|
||||
|
||||
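Review bot: If this second CURLSSLOPT_NATIVE_CA section documents the proxy variant of the option list, "other CA certificate locations" should read "other HTTPS proxy CA certificate locations", matching the wording used in the --proxy-ca-native hunk; as written it is identical to the previous hunk's text. The same nits apply here: "added" versus "Added" within one sentence, and "etc" without a period.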