NAME

       CURLINFO_TLS_SESSION, CURLINFO_TLS_SSL_PTR - get TLS session info

SYNOPSIS

       #include <curl/curl.h>

       CURLcode curl_easy_getinfo(CURL *handle, CURLINFO_TLS_SSL_PTR,
                                  struct curl_tlssessioninfo **session);

       /* if you need compatibility with libcurl < 7.48.0 use
          CURLINFO_TLS_SESSION instead: */

       CURLcode curl_easy_getinfo(CURL *handle, CURLINFO_TLS_SESSION,
                                  struct curl_tlssessioninfo **session);

DESCRIPTION

       Pass  a  pointer  to  a  struct  curl_tlssessioninfo  *.  The pointer is initialized to refer to a struct
       curl_tlssessioninfo * that contains an enum indicating the SSL library  used  for  the  handshake  and  a
       pointer to the respective internal TLS session structure of this underlying SSL library.

       This  option  may  be  useful  for  example to extract certificate information in a format convenient for
       further processing, such as manual validation. Refer to the LIMITATIONS section.

       struct curl_tlssessioninfo {
         curl_sslbackend backend;
         void *internals;
       };

       The backend struct member is one of the defines in the CURLSSLBACKEND_* series: CURLSSLBACKEND_NONE (when
       built     without     TLS     support),      CURLSSLBACKEND_WOLFSSL,      CURLSSLBACKEND_SECURETRANSPORT,
       CURLSSLBACKEND_GNUTLS,     CURLSSLBACKEND_MBEDTLS,    CURLSSLBACKEND_NSS,    CURLSSLBACKEND_OPENSSL    or
       CURLSSLBACKEND_SCHANNEL. (Note that the OpenSSL forks are all reported as just OpenSSL here.)

       The internals struct member points to a TLS library specific  pointer  for  the  active  ("in  use")  SSL
       connection, with the following underlying types:

       GnuTLS gnutls_session_t

       OpenSSL
              CURLINFO_TLS_SESSION(3): SSL_CTX *

              CURLINFO_TLS_SSL_PTR(3):  SSL  *  Since  7.48.0  the internals member can point to these other SSL
              backends as well:

       mbedTLS
              mbedTLS_ssl_context *

       Secure Channel
              CtxtHandle *

       Secure Transport
              SSLContext *

       wolfSSL
              SSL *

       If the internals pointer is NULL then either the SSL backend is not supported, an SSL session has not yet
       been  established  or  the  connection  is  no   longer   associated   with   the   easy   handle   (e.g.
       curl_easy_perform(3) has returned).

LIMITATIONS

       This  option  has  some limitations that could make it unsafe when it comes to the manual verification of
       certificates.

       This option only retrieves the first in-use SSL session pointer for your easy handle, however  your  easy
       handle  may have more than one in-use SSL session if using FTP over SSL. That is because the FTP protocol
       has a control channel and a data channel and one or both may be over SSL. Currently there is  no  way  to
       retrieve a second in-use SSL session associated with an easy handle.

       This  option  has  not  been  thoroughly tested with clear text protocols that can be upgraded/downgraded
       to/from SSL: FTP, SMTP, POP3, IMAP when used with CURLOPT_USE_SSL(3). Though you can to retrieve the  SSL
       pointer,  it  is  possible  that before you can do that, data (including auth) may have already been sent
       over a connection after it was upgraded.

       Renegotiation. If unsafe renegotiation or renegotiation in a way  that  the  certificate  is  allowed  to
       change  is  allowed  by  your  SSL  library  this  may occur and the certificate may change, and data may
       continue to be sent or received after renegotiation but before you are able to get the (possibly) changed
       SSL pointer, with the (possibly) changed certificate information.

       Instead of using this option to poll for certificate changes use  CURLOPT_SSL_CTX_FUNCTION(3)  to  set  a
       verification callback, if supported.  That is safer and does not suffer from any of the problems above.

       How  are  you  using  this  option?  Are you affected by any of these limitations?  Please let us know by
       making a comment at https://github.com/curl/curl/issues/685

PROTOCOLS

       This functionality affects all TLS based protocols: HTTPS, FTPS, IMAPS, POP3S, SMTPS etc.

       This option works only with the following  TLS  backends:  BearSSL,  GnuTLS,  OpenSSL,  Schannel,  Secure
       Transport, mbedTLS and wolfSSL

EXAMPLE

       #include <curl/curl.h>
       #include <openssl/ssl.h>

       CURL *curl;
       static size_t wf(void *ptr, size_t size, size_t nmemb, void *stream)
       {
         const struct curl_tlssessioninfo *info = NULL;
         CURLcode res = curl_easy_getinfo(curl, CURLINFO_TLS_SSL_PTR, &info);
         if(info && !res) {
           if(CURLSSLBACKEND_OPENSSL == info->backend) {
             printf("OpenSSL ver. %s\n", SSL_get_version((SSL*)info->internals));
           }
         }
         return size * nmemb;
       }

       int main(int argc, char **argv)
       {
         CURLcode res;
         curl = curl_easy_init();
         if(curl) {
           curl_easy_setopt(curl, CURLOPT_URL, "https://example.com");
           curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, wf);
           res = curl_easy_perform(curl);
           curl_easy_cleanup(curl);
         }
         return res;
       }

HISTORY

       This  option  supersedes  CURLINFO_TLS_SESSION(3)  which was added in 7.34.0.  This option is exactly the
       same as that option except in the case of OpenSSL.

AVAILABILITY

       Added in curl 7.48.0

RETURN VALUE

       Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.

SEE ALSO

       CURLINFO_TLS_SESSION(3), curl_easy_getinfo(3), curl_easy_setopt(3)

libcurl                                            2024-12-11                            CURLINFO_TLS_SSL_PTR(3)