Certificate Revocation List. See \fICURLOPT_CRLFILE(3)\fP
.IP CURLOPT_PROXY_CRLFILE
Proxy Certificate Revocation List. See \fICURLOPT_PROXY_CRLFILE(3)\fP
+.IP CURLOPT_CA_CACHE_TIMEOUT
+Timeout for CA cache. See \fICURLOPT_CA_CACHE_TIMEOUT(3)\fP
.IP CURLOPT_CERTINFO
Extract certificate info. See \fICURLOPT_CERTINFO(3)\fP
.IP CURLOPT_PINNEDPUBLICKEY
--- /dev/null
+.\" **************************************************************************
+.\" * _ _ ____ _
+.\" * Project ___| | | | _ \| |
+.\" * / __| | | | |_) | |
+.\" * | (__| |_| | _ <| |___
+.\" * \___|\___/|_| \_\_____|
+.\" *
+.\" * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" *
+.\" * This software is licensed as described in the file COPYING, which
+.\" * you should have received as part of this distribution. The terms
+.\" * are also available at https://curl.se/docs/copyright.html.
+.\" *
+.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+.\" * copies of the Software, and permit persons to whom the Software is
+.\" * furnished to do so, under the terms of the COPYING file.
+.\" *
+.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+.\" * KIND, either express or implied.
+.\" *
+.\" * SPDX-License-Identifier: curl
+.\" *
+.\" **************************************************************************
+.\"
+.TH CURLOPT_CA_CACHE_TIMEOUT 3 "21 Dec 2022" "libcurl 7.87.0" "curl_easy_setopt options"
+.SH NAME
+CURLOPT_CA_CACHE_TIMEOUT \- life-time for cached certificate stores
+.SH SYNOPSIS
+.nf
+#include <curl/curl.h>
+
+CURLcode curl_easy_setopt(CURL *handle, CURLOPT_CA_CACHE_TIMEOUT, long age);
+.fi
+.SH DESCRIPTION
+Pass a long, this sets the timeout in seconds. This tells libcurl the maximum
+time any cached certificate store it has in memory may be kept and reused for
+new connections. Once the timeout has expired, a subsequent fetch requiring a
+certificate store will have to build a new one.
+
+Building a certificate store from a \fICURLOPT_CAINFO\fP file is a slow
+operation so curl may cache the generated certificate store internally to speed
+up future connections.
+
+Set to zero to completely disable caching, or set to -1 to retain the cached
+store remain forever. By default, libcurl caches this info for 24 hours.
+.SH DEFAULT
+86400 (24 hours)
+.SH PROTOCOLS
+All
+.SH EXAMPLE
+.nf
+CURL *curl = curl_easy_init();
+if(curl) {
+ curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/foo.bin");
+
+ /* only reuse certificate stores for a short time */
+ curl_easy_setopt(curl, CURLOPT_CA_CACHE_TIMEOUT, 60L);
+
+ ret = curl_easy_perform(curl);
+
+ /* in this second request, the cache will not be used if more than
+ sixty seconds have passed since the previous connection */
+ ret = curl_easy_perform(curl);
+
+ curl_easy_cleanup(curl);
+}
+.fi
+.SH AVAILABILITY
+This option was added in curl 7.87.0.
+
+Currently the only SSL backend to implement this certificate store caching
+functionality is the OpenSSL (and forks) backend.
+.SH RETURN VALUE
+Returns CURLE_OK
+.SH "SEE ALSO"
+.BR CURLOPT_CAINFO "(3), "
CURLOPT_CAINFO.3 \
CURLOPT_CAINFO_BLOB.3 \
CURLOPT_CAPATH.3 \
+ CURLOPT_CA_CACHE_TIMEOUT.3 \
CURLOPT_CERTINFO.3 \
CURLOPT_CHUNK_BGN_FUNCTION.3 \
CURLOPT_CHUNK_DATA.3 \
CURLOPT_CAINFO 7.4.2
CURLOPT_CAINFO_BLOB 7.77.0
CURLOPT_CAPATH 7.9.8
+CURLOPT_CA_CACHE_TIMEOUT 7.87.0
CURLOPT_CERTINFO 7.19.1
CURLOPT_CHUNK_BGN_FUNCTION 7.21.0
CURLOPT_CHUNK_DATA 7.21.0
/* websockets options */
CURLOPT(CURLOPT_WS_OPTIONS, CURLOPTTYPE_LONG, 320),
+ /* CA cache timeout */
+ CURLOPT(CURLOPT_CA_CACHE_TIMEOUT, CURLOPTTYPE_LONG, 321),
+
CURLOPT_LASTENTRY /* the last unused */
} CURLoption;
{"CAINFO", CURLOPT_CAINFO, CURLOT_STRING, 0},
{"CAINFO_BLOB", CURLOPT_CAINFO_BLOB, CURLOT_BLOB, 0},
{"CAPATH", CURLOPT_CAPATH, CURLOT_STRING, 0},
+ {"CA_CACHE_TIMEOUT", CURLOPT_CA_CACHE_TIMEOUT, CURLOT_LONG, 0},
{"CERTINFO", CURLOPT_CERTINFO, CURLOT_LONG, 0},
{"CHUNK_BGN_FUNCTION", CURLOPT_CHUNK_BGN_FUNCTION, CURLOT_FUNCTION, 0},
{"CHUNK_DATA", CURLOPT_CHUNK_DATA, CURLOT_CBPTR, 0},
*/
int Curl_easyopts_check(void)
{
- return ((CURLOPT_LASTENTRY%10000) != (320 + 1));
+ return ((CURLOPT_LASTENTRY%10000) != (321 + 1));
}
#endif
data->set.dns_cache_timeout = (int)arg;
break;
+ case CURLOPT_CA_CACHE_TIMEOUT:
+ arg = va_arg(param, long);
+ if(arg < -1)
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+ else if(arg > INT_MAX)
+ arg = INT_MAX;
+
+ data->set.general_ssl.ca_cache_timeout = (int)arg;
+ break;
case CURLOPT_DNS_USE_GLOBAL_CACHE:
/* deprecated */
break;
/* Set the default size of the SSL session ID cache */
set->general_ssl.max_ssl_sessions = 5;
+ /* Timeout every 24 hours by default */
+ set->general_ssl.ca_cache_timeout = 24 * 60 * 60;
set->proxyport = 0;
set->proxytype = CURLPROXY_HTTP; /* defaults to HTTP proxy */
struct ssl_general_config {
size_t max_ssl_sessions; /* SSL session id cache size */
+ int ca_cache_timeout; /* Certificate store cache timeout (seconds) */
};
/* information stored about one single SSL session */
}
#if defined(HAVE_SSL_X509_STORE_SHARE)
-#define X509_STORE_EXPIRY_MS (24 * 60 * 60 * 1000) /* 24 hours */
-static bool cached_x509_store_expired(const struct multi_ssl_backend_data *mb)
+static bool cached_x509_store_expired(const struct Curl_easy *data,
+ const struct multi_ssl_backend_data *mb)
{
+ const struct ssl_general_config *cfg = &data->set.general_ssl;
struct curltime now = Curl_now();
+ timediff_t elapsed_ms = Curl_timediff(now, mb->time);
+ timediff_t timeout_ms = cfg->ca_cache_timeout * (timediff_t)1000;
- return Curl_timediff(now, mb->time) >= X509_STORE_EXPIRY_MS;
+ if(timeout_ms < 0)
+ return false;
+
+ return elapsed_ms >= timeout_ms;
}
static bool cached_x509_store_different(
if(multi &&
multi->ssl_backend_data &&
multi->ssl_backend_data->store &&
- !cached_x509_store_expired(multi->ssl_backend_data) &&
+ !cached_x509_store_expired(data, multi->ssl_backend_data) &&
!cached_x509_store_different(multi->ssl_backend_data, conn)) {
store = multi->ssl_backend_data->store;
}
struct ssl_backend_data *backend)
{
CURLcode result = CURLE_OK;
- X509_STORE *cached_store = get_cached_x509_store(data, conn);
+ X509_STORE *cached_store;
+ bool cache_criteria_met;
/* Consider the X509 store cacheable if it comes exclusively from a CAfile,
or no source is provided and we are falling back to openssl's built-in
default. */
- bool cache_criteria_met = SSL_CONN_CONFIG(verifypeer) &&
- !SSL_CONN_CONFIG(CApath) &&
- !SSL_CONN_CONFIG(ca_info_blob) &&
- !SSL_SET_OPTION(primary.CRLfile) &&
- !SSL_SET_OPTION(native_ca_store);
-
+ cache_criteria_met = (data->set.general_ssl.ca_cache_timeout != 0) &&
+ SSL_CONN_CONFIG(verifypeer) &&
+ !SSL_CONN_CONFIG(CApath) &&
+ !SSL_CONN_CONFIG(ca_info_blob) &&
+ !SSL_SET_OPTION(primary.CRLfile) &&
+ !SSL_SET_OPTION(native_ca_store);
+
+ cached_store = get_cached_x509_store(data, conn);
if(cached_store && cache_criteria_met && X509_STORE_up_ref(cached_store)) {
SSL_CTX_set_cert_store(backend->ctx, cached_store);
}
projects / thirdparty / curl.git / commitdiff
