From: Dan Fandrich Date: Fri, 12 Sep 2025 07:10:20 +0000 (-0700) Subject: libcurl-security.md: mention long-running connections X-Git-Tag: rc-8_17_0-1~399 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F18533%2Fhead;p=thirdparty%2Fcurl.git libcurl-security.md: mention long-running connections Some applications may want to periodically recheck the remote server certificate, which doesn't happen on a long-running connection. Ref: #18527 Closes #18533 --- diff --git a/docs/libcurl/libcurl-security.md b/docs/libcurl/libcurl-security.md index c6a10cd271..7fbd32974d 100644 --- a/docs/libcurl/libcurl-security.md +++ b/docs/libcurl/libcurl-security.md @@ -98,6 +98,24 @@ Use authenticated protocols protected with HTTPS or SSH. Never ever switch off certificate verification. +# Certificates and Long-running Connections + +Certificate validation of encrypted connections is performed immediately after +a connection is established. That connection could be used for many subsequent +transfers, even if the certificate used for validation expires or is revoked, +the local certificate bundle is changed in a way that would have caused that +certificate to fail validation, the server changes its certificate to one +that would have failed validation, or even if a completely different server is +brought up under the same hostname. This could continue for many hours (or +even years) after such a change occurs, which may not be desired behavior for +some applications. + +Remedies: + +Use the CURLOPT_MAXLIFETIME_CONN(3) option to limit the amount of time that +connections are used after they have been successfully validated. Further +transfers require a new connection with validation performed again. + # Redirects The CURLOPT_FOLLOWLOCATION(3) option automatically follows HTTP
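Review bot: the "Remedies:" label in the new section introduces a list but is followed by a single plain paragraph, so either drop the label and fold the CURLOPT_MAXLIFETIME_CONN(3) advice into the section body, or make it a bullet to match the list-style remedies elsewhere in the document. The first paragraph is also a single sentence carrying five comma-separated conditions ("even if the certificate used for validation expires or is revoked, the local certificate bundle is changed ..., the server changes its certificate ..., or even if a completely different server is brought up"); it would read more clearly as "That connection could be used for many subsequent transfers even if, in the meantime, the certificate expires or is revoked, the local certificate bundle changes so that the certificate would no longer validate, the server switches to a certificate that would fail validation, or a completely different server is brought up under the same hostname." Finally, the remedy text should make explicit that the lifetime limit only bounds the exposure window: revocation or a bundle change is not detected until the connection is closed and a new one is validated, so applications needing prompt reaction have to pick a lifetime short enough for their policy.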