Long: doh-cert-status
-Help: Verify the status of the DOH server cert via OCSP-staple
+Help: Verify the status of the DoH server cert via OCSP-staple
Protocols: all
Added: 7.76.0
Category: dns tls
---
-Same as --cert-status but used for DOH (DNS-over-HTTPS).
+Same as --cert-status but used for DoH (DNS-over-HTTPS).
Long: doh-insecure
-Help: Allow insecure DOH server connections
+Help: Allow insecure DoH server connections
Protocols: all
Added: 7.76.0
Category: dns tls
---
-Same as --insecure but used for DOH (DNS-over-HTTPS).
+Same as --insecure but used for DoH (DNS-over-HTTPS).
Long: doh-url
Arg: <URL>
-Help: Resolve host names over DOH
+Help: Resolve host names over DoH
Protocols: all
Added: 7.62.0
Category: dns
---
-Specifies which DNS-over-HTTPS (DOH) server to use to resolve hostnames,
+Specifies which DNS-over-HTTPS (DoH) server to use to resolve hostnames,
instead of using the default name resolver mechanism. The URL must be HTTPS.
-Some SSL options that you set for your transfer will apply to DOH since the
+Some SSL options that you set for your transfer will apply to DoH since the
name lookups take place over SSL. However, the certificate verification
settings are not inherited and can be controlled separately via
--doh-insecure and --doh-cert-status.
.IP CURLOPT_DNS_USE_GLOBAL_CACHE
OBSOLETE Enable global DNS cache. See \fICURLOPT_DNS_USE_GLOBAL_CACHE(3)\fP
.IP CURLOPT_DOH_URL
-Use this DOH server for name resolves. See \fICURLOPT_DOH_URL(3)\fP
+Use this DoH server for name resolves. See \fICURLOPT_DOH_URL(3)\fP
.IP CURLOPT_BUFFERSIZE
Ask for alternate buffer size. See \fICURLOPT_BUFFERSIZE(3)\fP
.IP CURLOPT_PORT
.IP CURLOPT_SSL_VERIFYHOST
Verify the host name in the SSL certificate. See \fICURLOPT_SSL_VERIFYHOST(3)\fP
.IP CURLOPT_DOH_SSL_VERIFYHOST
-Verify the host name in the DOH (DNS-over-HTTPS) SSL certificate. See
+Verify the host name in the DoH (DNS-over-HTTPS) SSL certificate. See
\fICURLOPT_DOH_SSL_VERIFYHOST(3)\fP
.IP CURLOPT_PROXY_SSL_VERIFYHOST
Verify the host name in the proxy SSL certificate. See \fICURLOPT_PROXY_SSL_VERIFYHOST(3)\fP
.IP CURLOPT_SSL_VERIFYPEER
Verify the SSL certificate. See \fICURLOPT_SSL_VERIFYPEER(3)\fP
.IP CURLOPT_DOH_SSL_VERIFYPEER
-Verify the DOH (DNS-over-HTTPS) SSL certificate. See
+Verify the DoH (DNS-over-HTTPS) SSL certificate. See
\fICURLOPT_DOH_SSL_VERIFYPEER(3)\fP
.IP CURLOPT_PROXY_SSL_VERIFYPEER
Verify the proxy SSL certificate. See \fICURLOPT_PROXY_SSL_VERIFYPEER(3)\fP
.IP CURLOPT_SSL_VERIFYSTATUS
Verify the SSL certificate's status. See \fICURLOPT_SSL_VERIFYSTATUS(3)\fP
.IP CURLOPT_DOH_SSL_VERIFYSTATUS
-Verify the DOH (DNS-over-HTTPS) SSL certificate's status. See
+Verify the DoH (DNS-over-HTTPS) SSL certificate's status. See
\fICURLOPT_DOH_SSL_VERIFYSTATUS(3)\fP
.IP CURLOPT_CAINFO
CA cert bundle. See \fICURLOPT_CAINFO(3)\fP
.\"
.TH CURLOPT_DOH_SSL_VERIFYHOST 3 "11 Feb 2021" "libcurl 7.76.0" "curl_easy_setopt options"
.SH NAME
-CURLOPT_DOH_SSL_VERIFYHOST \- verify the host name in the DOH SSL certificate
+CURLOPT_DOH_SSL_VERIFYHOST \- verify the host name in the DoH SSL certificate
.SH SYNOPSIS
#include <curl/curl.h>
CURLcode curl_easy_setopt(CURL *handle, CURLOPT_DOH_SSL_VERIFYHOST, long verify);
.SH DESCRIPTION
-Pass a long set to 2L as asking curl to \fIverify\fP the DOH (DNS-over-HTTPS)
+Pass a long set to 2L as asking curl to \fIverify\fP the DoH (DNS-over-HTTPS)
server's certificate name fields against the host name.
-This option is the DOH equivalent of \fICURLOPT_SSL_VERIFYHOST(3)\fP and
-only affects requests to the DOH server.
+This option is the DoH equivalent of \fICURLOPT_SSL_VERIFYHOST(3)\fP and
+only affects requests to the DoH server.
When \fICURLOPT_DOH_SSL_VERIFYHOST(3)\fP is 2, the SSL certificate provided by
-the DOH server must indicate that the server name is the same as the server
+the DoH server must indicate that the server name is the same as the server
name to which you meant to connect to, or the connection fails.
-Curl considers the DOH server the intended one when the Common Name field or a
+Curl considers the DoH server the intended one when the Common Name field or a
Subject Alternate Name field in the certificate matches the host name in the
-DOH URL to which you told Curl to connect.
+DoH URL to which you told Curl to connect.
When the \fIverify\fP value is set to 1L it is treated the same as 2L. However
for consistency with the other VERIFYHOST options we suggest use 2 and not 1.
the names used in the certificate. Use that ability with caution!
See also \fICURLOPT_DOH_SSL_VERIFYPEER(3)\fP to verify the digital signature
-of the DOH server certificate. If libcurl is built against NSS and
+of the DoH server certificate. If libcurl is built against NSS and
\fICURLOPT_DOH_SSL_VERIFYPEER(3)\fP is zero,
\fICURLOPT_DOH_SSL_VERIFYHOST(3)\fP is also set to zero and cannot be
overridden.
.SH DEFAULT
2
.SH PROTOCOLS
-DOH
+DoH
.SH EXAMPLE
.nf
CURL *curl = curl_easy_init();
curl_easy_setopt(curl, CURLOPT_DOH_URL, "https://cloudflare-dns.com/dns-query");
- /* Disable host name verification of the DOH server */
+ /* Disable host name verification of the DoH server */
curl_easy_setopt(curl, CURLOPT_DOH_SSL_VERIFYHOST, 0L);
curl_easy_perform(curl);
.\"
.TH CURLOPT_DOH_SSL_VERIFYPEER 3 "11 Feb 2021" "libcurl 7.76.0" "curl_easy_setopt options"
.SH NAME
-CURLOPT_DOH_SSL_VERIFYPEER \- verify the DOH SSL certificate
+CURLOPT_DOH_SSL_VERIFYPEER \- verify the DoH SSL certificate
.SH SYNOPSIS
#include <curl/curl.h>
.SH DESCRIPTION
Pass a long as parameter set to 1L to enable or 0L to disable.
-This option tells curl to verify the authenticity of the DOH (DNS-over-HTTPS)
+This option tells curl to verify the authenticity of the DoH (DNS-over-HTTPS)
server's certificate. A value of 1 means curl verifies; 0 (zero) means it
doesn't.
-This option is the DOH equivalent of \fICURLOPT_SSL_VERIFYPEER(3)\fP and
-only affects requests to the DOH server.
+This option is the DoH equivalent of \fICURLOPT_SSL_VERIFYPEER(3)\fP and
+only affects requests to the DoH server.
When negotiating a TLS or SSL connection, the server sends a certificate
indicating its identity. Curl verifies whether the certificate is authentic,
.SH DEFAULT
1
.SH PROTOCOLS
-DOH
+DoH
.SH EXAMPLE
.nf
CURL *curl = curl_easy_init();
curl_easy_setopt(curl, CURLOPT_DOH_URL, "https://cloudflare-dns.com/dns-query");
- /* Disable certificate verification of the DOH server */
+ /* Disable certificate verification of the DoH server */
curl_easy_setopt(curl, CURLOPT_DOH_SSL_VERIFYPEER, 0L);
curl_easy_perform(curl);
.\"
.TH CURLOPT_DOH_SSL_VERIFYSTATUS 3 "11 Feb 2021" "libcurl 7.76.0" "curl_easy_setopt options"
.SH NAME
-CURLOPT_DOH_SSL_VERIFYSTATUS \- verify the DOH SSL certificate's status
+CURLOPT_DOH_SSL_VERIFYSTATUS \- verify the DoH SSL certificate's status
.SH SYNOPSIS
#include <curl/curl.h>
.SH DESCRIPTION
Pass a long as parameter set to 1 to enable or 0 to disable.
-This option determines whether libcurl verifies the status of the DOH
+This option determines whether libcurl verifies the status of the DoH
(DNS-over-HTTPS) server cert using the "Certificate Status Request" TLS
extension (aka. OCSP stapling).
-This option is the DOH equivalent of \fICURLOPT_SSL_VERIFYSTATUS(3)\fP and
-only affects requests to the DOH server.
+This option is the DoH equivalent of \fICURLOPT_SSL_VERIFYSTATUS(3)\fP and
+only affects requests to the DoH server.
Note that if this option is enabled but the server does not support the TLS
extension, the verification will fail.
.SH DEFAULT
0
.SH PROTOCOLS
-DOH
+DoH
.SH EXAMPLE
.nf
CURL *curl = curl_easy_init();
curl_easy_setopt(curl, CURLOPT_DOH_URL, "https://cloudflare-dns.com/dns-query");
- /* Ask for OCSP stapling when verifying the DOH server */
+ /* Ask for OCSP stapling when verifying the DoH server */
curl_easy_setopt(curl, CURLOPT_DOH_SSL_VERIFYSTATUS, 1L);
curl_easy_perform(curl);
CURLcode curl_easy_setopt(CURL *handle, CURLOPT_DOH_URL, char *URL);
.SH DESCRIPTION
-Pass in a pointer to a \fIURL\fP for the DOH server to use for name
+Pass in a pointer to a \fIURL\fP for the DoH server to use for name
resolving. The parameter should be a char * to a null-terminated string which
must be URL-encoded in the following format: "https://host:port/path". It MUST
specify a HTTPS URL.
curl sends POST requests to the given DNS-over-HTTPS URL.
-To find the DOH server itself, which might be specified using a name, libcurl
+To find the DoH server itself, which might be specified using a name, libcurl
will use the default name lookup function. You can bootstrap that by providing
-the address for the DOH server with \fICURLOPT_RESOLVE(3)\fP.
+the address for the DoH server with \fICURLOPT_RESOLVE(3)\fP.
-Disable DOH use again by setting this option to NULL.
+Disable DoH use again by setting this option to NULL.
-\fBAdvanced:\fP The DOH lookups use SSL so some SSL settings from your transfer
+\fBAdvanced:\fP The DoH lookups use SSL so some SSL settings from your transfer
are inherited. The hostname and peer certificate verification settings are not
inherited and can be controlled separately via
\fICURLOPT_DOH_SSL_VERIFYHOST(3)\fP and \fICURLOPT_DOH_SSL_VERIFYPEER(3)\fP.
Note \fICURLOPT_SSL_CTX_FUNCTION(3)\fP is inherited.
.SH DEFAULT
-NULL - there is no default DOH URL. If this option isn't set, libcurl will use
+NULL - there is no default DoH URL. If this option isn't set, libcurl will use
the default name resolver.
.SH PROTOCOLS
All
heap space.
Note that \fIcurl_easy_setopt(3)\fP won't actually parse the given string so
-given a bad DOH URL, curl will not detect a problem until it tries to resolve
+given a bad DoH URL, curl will not detect a problem until it tries to resolve
a name with it.
.SH "SEE ALSO"
.BR CURLOPT_VERBOSE "(3), " CURLOPT_RESOLVE "(3), "
unknowingly reusing SSL connections with different properties. To remedy this
you may set \fICURLOPT_FORBID_REUSE(3)\fP from the callback function.
-WARNING: If you are using DNS-over-HTTPS (DOH) via \fICURLOPT_DOH_URL(3)\fP
+WARNING: If you are using DNS-over-HTTPS (DoH) via \fICURLOPT_DOH_URL(3)\fP
then the CTX callback will also be called for those transfers and the curl
handle is set to an internal handle. \fBThis behavior is subject to change.\fP
We recommend before performing your transfer set \fICURLOPT_PRIVATE(3)\fP on
your curl handle so you can identify it in the CTX callback. If you have a
-reason to modify DOH SSL context please let us know on the curl-library mailing
+reason to modify DoH SSL context please let us know on the curl-library mailing
list because we are considering removing this capability.
.SH DEFAULT
NULL
/* Parameters for V4 signature */
CURLOPT(CURLOPT_AWS_SIGV4, CURLOPTTYPE_STRINGPOINT, 305),
- /* Same as CURLOPT_SSL_VERIFYPEER but for DOH (DNS-over-HTTPS) servers. */
+ /* Same as CURLOPT_SSL_VERIFYPEER but for DoH (DNS-over-HTTPS) servers. */
CURLOPT(CURLOPT_DOH_SSL_VERIFYPEER, CURLOPTTYPE_LONG, 306),
- /* Same as CURLOPT_SSL_VERIFYHOST but for DOH (DNS-over-HTTPS) servers. */
+ /* Same as CURLOPT_SSL_VERIFYHOST but for DoH (DNS-over-HTTPS) servers. */
CURLOPT(CURLOPT_DOH_SSL_VERIFYHOST, CURLOPTTYPE_LONG, 307),
- /* Same as CURLOPT_SSL_VERIFYSTATUS but for DOH (DNS-over-HTTPS) servers. */
+ /* Same as CURLOPT_SSL_VERIFYSTATUS but for DoH (DNS-over-HTTPS) servers. */
CURLOPT(CURLOPT_DOH_SSL_VERIFYSTATUS, CURLOPTTYPE_LONG, 308),
/* The CA certificates as "blob" used to validate the peer certificate
return realsize;
}
-/* called from multi.c when this DOH transfer is complete */
+/* called from multi.c when this DoH transfer is complete */
static int doh_done(struct Curl_easy *doh, CURLcode result)
{
struct Curl_easy *data = doh->set.dohfor;
struct dohdata *dohp = data->req.doh;
- /* so one of the DOH request done for the 'data' transfer is now complete! */
+ /* so one of the DoH request done for the 'data' transfer is now complete! */
dohp->pending--;
- infof(data, "a DOH request is completed, %u to go", dohp->pending);
+ infof(data, "a DoH request is completed, %u to go", dohp->pending);
if(result)
- infof(data, "DOH request %s", curl_easy_strerror(result));
+ infof(data, "DoH request %s", curl_easy_strerror(result));
if(!dohp->pending) {
- /* DOH completed */
+ /* DoH completed */
curl_slist_free_all(dohp->headers);
dohp->headers = NULL;
Curl_expire(data, 0, EXPIRE_RUN_NOW);
DOHcode d = doh_encode(host, dnstype, p->dohbuffer, sizeof(p->dohbuffer),
&p->dohlen);
if(d) {
- failf(data, "Failed to encode DOH packet [%d]", d);
+ failf(data, "Failed to encode DoH packet [%d]", d);
return CURLE_OUT_OF_MEMORY;
}
/* Inherit *some* SSL options from the user's transfer. This is a
best-guess as to which options are needed for compatibility. #3661
- Note DOH does not inherit the user's proxy server so proxy SSL settings
+ Note DoH does not inherit the user's proxy server so proxy SSL settings
have no effect and are not inherited. If that changes then two new
options should be added to check doh proxy insecure separately,
CURLOPT_DOH_PROXY_SSL_VERIFYHOST and CURLOPT_DOH_PROXY_SSL_VERIFYPEER.
doh->set.dohfor = data; /* identify for which transfer this is done */
p->easy = doh;
- /* DOH private_data must be null because the user must have a way to
- distinguish their transfer's handle from DOH handles in user
+ /* DoH private_data must be null because the user must have a way to
+ distinguish their transfer's handle from DoH handles in user
callbacks (ie SSL CTX callback). */
DEBUGASSERT(!doh->set.private_data);
}
/*
- * Curl_doh() resolves a name using DOH. It resolves a name and returns a
+ * Curl_doh() resolves a name using DoH. It resolves a name and returns a
* 'Curl_addrinfo *' with the address information.
*/
if(!dohp->headers)
goto error;
- /* create IPv4 DOH request */
+ /* create IPv4 DoH request */
result = dohprobe(data, &dohp->probe[DOH_PROBE_SLOT_IPADDR_V4],
DNS_TYPE_A, hostname, data->set.str[STRING_DOH],
data->multi, dohp->headers);
dohp->pending++;
if(Curl_ipv6works(data)) {
- /* create IPv6 DOH request */
+ /* create IPv6 DoH request */
result = dohprobe(data, &dohp->probe[DOH_PROBE_SLOT_IPADDR_V6],
DNS_TYPE_AAAA, hostname, data->set.str[STRING_DOH],
data->multi, dohp->headers);
for(i = 0; i < d->numaddr; i++) {
const struct dohaddr *a = &d->addr[i];
if(a->type == DNS_TYPE_A) {
- infof(data, "DOH A: %u.%u.%u.%u",
+ infof(data, "DoH A: %u.%u.%u.%u",
a->ip.v4[0], a->ip.v4[1],
a->ip.v4[2], a->ip.v4[3]);
}
char buffer[128];
char *ptr;
size_t len;
- msnprintf(buffer, 128, "DOH AAAA: ");
+ msnprintf(buffer, 128, "DoH AAAA: ");
ptr = &buffer[10];
len = 118;
for(j = 0; j < 16; j += 2) {
* doh2ai()
*
* This function returns a pointer to the first element of a newly allocated
- * Curl_addrinfo struct linked list filled with the data from a set of DOH
+ * Curl_addrinfo struct linked list filled with the data from a set of DoH
* lookups. Curl_addrinfo is meant to work like the addrinfo struct does for
* a IPv6 stack, but usable also for IPv4, all hosts and environments.
*
if(!dohp->probe[DOH_PROBE_SLOT_IPADDR_V4].easy &&
!dohp->probe[DOH_PROBE_SLOT_IPADDR_V6].easy) {
- failf(data, "Could not DOH-resolve: %s", data->state.async.hostname);
+ failf(data, "Could not DoH-resolve: %s", data->state.async.hostname);
return data->conn->bits.proxy?CURLE_COULDNT_RESOLVE_PROXY:
CURLE_COULDNT_RESOLVE_HOST;
}
};
struct dohentry de;
int slot;
- /* remove DOH handles from multi handle and close them */
+ /* remove DoH handles from multi handle and close them */
for(slot = 0; slot < DOH_PROBE_SLOTS; slot++) {
curl_multi_remove_handle(data->multi, dohp->probe[slot].easy);
Curl_close(&dohp->probe[slot].easy);
&de);
Curl_dyn_free(&p->serverdoh);
if(rc[slot]) {
- infof(data, "DOH: %s type %s for %s", doh_strerror(rc[slot]),
+ infof(data, "DoH: %s type %s for %s", doh_strerror(rc[slot]),
type2name(p->dnstype), dohp->host);
}
} /* next slot */
struct Curl_dns_entry *dns;
struct Curl_addrinfo *ai;
- infof(data, "DOH Host name: %s", dohp->host);
+ infof(data, "DoH Host name: %s", dohp->host);
showdoh(data, &de);
ai = doh2ai(&de, dohp->host, dohp->port);
} /* !dohp->pending */
- /* else wait for pending DOH transactions to complete */
+ /* else wait for pending DoH transactions to complete */
return CURLE_OK;
}
void de_cleanup(struct dohentry *d);
#endif
-#else /* if DOH is disabled */
+#else /* if DoH is disabled */
#define Curl_doh(a,b,c,d) NULL
#define Curl_doh_is_resolved(x,y) CURLE_COULDNT_RESOLVE_HOST
#endif
{
#ifdef CURLRES_ASYNCH
if(data->conn->bits.doh)
- /* nothing to wait for during DOH resolve, those handles have their own
+ /* nothing to wait for during DoH resolve, those handles have their own
sockets */
return GETSOCK_BLANK;
return Curl_resolver_getsock(data, socks);
break;
case CURLOPT_DOH_SSL_VERIFYPEER:
/*
- * Enable peer SSL verifying for DOH.
+ * Enable peer SSL verifying for DoH.
*/
data->set.doh_verifypeer = (0 != va_arg(param, long)) ?
TRUE : FALSE;
break;
case CURLOPT_DOH_SSL_VERIFYHOST:
/*
- * Enable verification of the host name in the peer certificate for DOH
+ * Enable verification of the host name in the peer certificate for DoH
*/
arg = va_arg(param, long);
break;
case CURLOPT_DOH_SSL_VERIFYSTATUS:
/*
- * Enable certificate status verifying for DOH.
+ * Enable certificate status verifying for DoH.
*/
if(!Curl_ssl_cert_status_request()) {
result = CURLE_NOT_BUILT_IN;
BIT(disallow_username_in_url); /* disallow username in url */
BIT(doh); /* DNS-over-HTTPS enabled */
BIT(doh_get); /* use GET for DoH requests, instead of POST */
- BIT(doh_verifypeer); /* DOH certificate peer verification */
- BIT(doh_verifyhost); /* DOH certificate hostname verification */
- BIT(doh_verifystatus); /* DOH certificate status verification */
+ BIT(doh_verifypeer); /* DoH certificate peer verification */
+ BIT(doh_verifyhost); /* DoH certificate hostname verification */
+ BIT(doh_verifystatus); /* DoH certificate status verification */
BIT(http09_allowed); /* allow HTTP/0.9 responses */
BIT(mail_rcpt_allowfails); /* allow RCPT TO command to fail for some
recipients */
bool use_httpget;
bool insecure_ok; /* set TRUE to allow insecure SSL connects */
bool doh_insecure_ok; /* set TRUE to allow insecure SSL connects
- for DOH */
+ for DoH */
bool proxy_insecure_ok; /* set TRUE to allow insecure SSL connects
for proxy */
bool terminal_binary_ok;
"DNS server addrs to use",
CURLHELP_DNS},
{" --doh-cert-status",
- "Verify the status of the DOH server cert via OCSP-staple",
+ "Verify the status of the DoH server cert via OCSP-staple",
CURLHELP_DNS | CURLHELP_TLS},
{" --doh-insecure",
- "Allow insecure DOH server connections",
+ "Allow insecure DoH server connections",
CURLHELP_DNS | CURLHELP_TLS},
{" --doh-url <URL>",
- "Resolve host names over DOH",
+ "Resolve host names over DoH",
CURLHELP_DNS},
{"-D, --dump-header <filename>",
"Write the received headers to <filename>",
# Server-side
<reply>
-# This is the DOH response for foo.example.com A 127.0.0.1. This requires that
+# This is the DoH response for foo.example.com A 127.0.0.1. This requires that
# the test server is accessible at that address!
<data1 base64="yes">
http
</server>
-# requires debug so that it can use the DOH server without https
+# requires debug so that it can use the DoH server without https
# requires IPv6 so that we can assume and compare both DoH requests
<features>
ipv6
</features>
<name>
-HTTP GET using DOH
+HTTP GET using DoH
</name>
<command>
http://foo.example.com:%HTTPPORT/%TESTNUMBER --doh-url http://%HOSTIP:%HTTPPORT/%TESTNUMBER0001
projects / thirdparty / curl.git / commitdiff
