summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2018-08-27 08:30:57 +0200
committerDaniel Stenberg <daniel@haxx.se>2018-08-27 10:49:58 +0200
commit0e7e5e1ad14eeb9fd00f69c95dd956db08e289ed (patch)
tree0862c33d39b243a5132ed5aa2e6eafd8564e9004
parentf16bed0c45dc63864fe2097b7df939276d96d62b (diff)
downloadcurl-0e7e5e1ad14eeb9fd00f69c95dd956db08e289ed.tar.gz
CURLOPT_SSL_CTX_FUNCTION.3: might cause unintended connection reuse [ci skip]
Added a warning! Closes #2915
-rw-r--r--docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.39
1 files changed, 7 insertions, 2 deletions
diff --git a/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3 b/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3
index 3a54ef36c..0d736107b 100644
--- a/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3
+++ b/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3
@@ -5,7 +5,7 @@
.\" * | (__| |_| | _ <| |___
.\" * \___|\___/|_| \_\_____|
.\" *
-.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
.\" *
.\" * This software is licensed as described in the file COPYING, which
.\" * you should have received as part of this distribution. The terms
@@ -41,7 +41,7 @@ shown above.
This callback function gets called by libcurl just before the initialization
of an SSL connection after having processed all other SSL related options to
-give a last chance to an application to modify the behaviour of the SSL
+give a last chance to an application to modify the behavior of the SSL
initialization. The \fIssl_ctx\fP parameter is actually a pointer to the SSL
library's \fISSL_CTX\fP for OpenSSL or wolfSSL/CyaSSL, and a pointer to
\fImbedtls_ssl_config\fP for mbedTLS. If an error is returned from the callback
@@ -57,6 +57,11 @@ To use this properly, a non-trivial amount of knowledge of your SSL library is
necessary. For example, you can use this function to call library-specific
callbacks to add additional validation code for certificates, and even to
change the actual URI of an HTTPS request.
+
+WARNING: The \fICURLOPT_SSL_CTX_FUNCTION(3)\fP callback allows the application
+to reach in and modify SSL details in the connection without libcurl itself
+knowing anything about it, which then subsequently can lead to libcurl
+unknowingly reusing SSL connections with different properties.
.SH DEFAULT
NULL
.SH PROTOCOLS