From: Keno Fischer
Date: Tue, 24 Jun 2025 22:33:12 +0000 (-0400)
Subject: docs: reflect that delimiter-separated capath is only OpenSSL
X-Git-Tag: rc-8_15_0-2~25
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=40dcf5567c3c212c78c4671aeacba8f55ec013a1;p=thirdparty%2Fcurl.git

docs: reflect that delimiter-separated capath is only OpenSSL

curl passes down the capath directly to the backends. OpenSSL will then
delimiter-separate this path internally to support multiple directories
(using its certificate hash scheme). However, the other backends
(wolfSSL, mbedTLS, gnutls) only expect a single directory (and do not
use the hash scheme, preferring to iterate the directory and load all
files).

This adjusts the `--capath` documentation to reflect that multiple paths
is an OpenSSL-specific feature.

Alternatively, curl could delimiter-separate these itself, but I'm not
sure it's worth it.

Ref https://github.com/JuliaLang/NetworkOptions.jl/issues/41
Closes #17737
---

diff --git a/docs/cmdline-opts/capath.md b/docs/cmdline-opts/capath.md
index 23391ea602..68bc86fbbc 100644
--- a/docs/cmdline-opts/capath.md
+++ b/docs/cmdline-opts/capath.md
@@ -18,9 +18,11 @@ Example: # `--capath` -Use the specified certificate directory to verify the peer. Multiple paths can -be provided by separating them with colon (`:`) (e.g. `path1:path2:path3`). The -certificates must be in PEM format, and if curl is built against OpenSSL, the +Use the specified certificate directory to verify the peer. If curl is built against +OpenSSL, multiple paths can be provided by separating them with the appropriate platform-specific +separator (e.g. `path1:path2:path3` on Unix-style platforms for `path1;path2;path3` on Windows). + +The certificates must be in PEM format, and if curl is built against OpenSSL, the directory must have been processed using the c_rehash utility supplied with OpenSSL. Using --capath can allow OpenSSL-powered curl to make SSL-connections much more efficiently than using --cacert if the --cacert file contains many
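Review bot: The added example text "`path1:path2:path3` on Unix-style platforms for `path1;path2;path3` on Windows" has "for" where "or" is meant, so the sentence does not parse as written. The new paragraph also says nothing about what a non-OpenSSL build does with a separator-joined value: the commit message states that wolfSSL, mbedTLS and gnutls expect a single directory and that curl passes the value down unchanged, so one sentence saying that those backends take the whole argument as a single directory would keep users from assuming that additional trust directories are in effect. The added lines also run longer than the wrapped lines around them and should be re-wrapped to match.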