From bbdb869ec7e708d12128784a13a1b9e34c67b450 Mon Sep 17 00:00:00 2001
From: Dan Fandrich <dan@coneharvesters.com>
Date: Fri, 12 Sep 2025 00:10:20 -0700
Subject: [PATCH] libcurl-security.md: mention long-running connections

Some applications may want to periodically recheck the remote server
certificate, which doesn't happen on a long-running connection.

Ref: #18527
Closes #18533
---
 docs/libcurl/libcurl-security.md | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/docs/libcurl/libcurl-security.md b/docs/libcurl/libcurl-security.md
index c6a10cd271..7fbd32974d 100644
--- a/docs/libcurl/libcurl-security.md
+++ b/docs/libcurl/libcurl-security.md
@@ -98,6 +98,24 @@ Use authenticated protocols protected with HTTPS or SSH.
 
 Never ever switch off certificate verification.
 
+# Certificates and Long-running Connections
+
+Certificate validation of encrypted connections is performed immediately after
+a connection is established. That connection could be used for many subsequent
+transfers, even if the certificate used for validation expires or is revoked,
+the local certificate bundle is changed in a way that would have caused that
+certificate to fail validation, the server changes its certificate to one
+that would have failed validation, or even if a completely different server is
+brought up under the same hostname. This could continue for many hours (or
+even years) after such a change occurs, which may not be desired behavior for
+some applications.
+
+Remedies:
+
+Use the CURLOPT_MAXLIFETIME_CONN(3) option to limit the amount of time that
+connections are used after they have been successfully validated. Further
+transfers require a new connection with validation performed again.
+
 # Redirects
 
 The CURLOPT_FOLLOWLOCATION(3) option automatically follows HTTP
-- 
2.47.3