Commit 172b2beb authored by Jay Satiro

SSL: Add an option to disable certificate revocation checks

New tool option --ssl-no-revoke.
New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS.

Currently this option applies only to WinSSL where we have automatic
certificate revocation checking by default. According to the
ssl-compared chart there are other backends that have automatic checking
(NSS, wolfSSL and DarwinSSL) so we could possibly accommodate them at
some later point.

Bug: https://github.com/bagder/curl/issues/264


Reported-by: zenden2k <zenden2k@gmail.com>
parent 606b29fe
+14 −0
@@ -71,3 +71,17 @@ Allow BEAST
  introduced. Exactly as it sounds, it re-introduces the BEAST vulnerability
  but on the other hand it allows curl to connect to that kind of strange
  servers.

Disabling certificate revocation checks

  Some SSL backends may do certificate revocation checks (CRL, OCSP, etc)
  depending on the OS or build configuration. The --ssl-no-revoke option was
  introduced in 7.44.0 to disable revocation checking but currently is only
  supported for WinSSL (the native Windows SSL library), with an exception in
  the case of Windows' Untrusted Publishers blacklist which it seems can't be
  bypassed. This option may have broader support to accommodate other SSL
  backends in the future.

  References:

  http://curl.haxx.se/docs/ssl-compared.html
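Review bot: the new "Disabling certificate revocation checks" section documents the tool flag only; it should also name the libcurl equivalent, CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS, since SSL-PROBLEMS is read by library users as well as curl users. The phrase "which it seems can't be bypassed" hedges on a behaviour the user needs to rely on; either state plainly that the Untrusted Publishers blacklist is still enforced with --ssl-no-revoke, or say it was not verified. Finally, the "References:" line only lists the ssl-compared chart; the reader would be helped by a one-line statement that the option is silently without effect on the other backends listed there, if that is the intended behaviour.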
+4 −0
@@ -1545,6 +1545,10 @@ and TLS1.0 protocols known as BEAST. If this option isn't used, the SSL layer
may use workarounds known to cause interoperability problems with some older
SSL implementations. WARNING: this option loosens the SSL security, and by
using this flag you ask for exactly that.  (Added in 7.25.0)
.IP "--ssl-no-revoke"
(WinSSL) This option tells curl to disable certificate revocation checks.
WARNING: this option loosens the SSL security, and by using this flag you ask
for exactly that.  (Added in 7.44.0)
.IP "--socks4 <host[:port]>"
Use the specified SOCKS4 proxy. If the port number is not specified, it is
assumed at port 1080. (Added in 7.15.2)
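Review bot: the new ".IP "--ssl-no-revoke"" entry says "(WinSSL)" but does not say what happens when curl is built against another backend (accepted and ignored, or an error); the --ssl-allow-beast entry above has the same gap, but a new entry is the place to fix it. It would also help to say which checks are disabled (the SSL-PROBLEMS text in this same commit names CRL and OCSP) so that "certificate revocation checks" is concrete for the reader weighing the security trade-off the WARNING line refers to.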
+19 −7
@@ -30,13 +30,25 @@ CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSL_OPTIONS, long bitmask);
.SH DESCRIPTION
Pass a long with a bitmask to tell libcurl about specific SSL behaviors.

\fICURLSSLOPT_ALLOW_BEAST\fP is the only supported bit and by setting this the
user will tell libcurl to not attempt to use any workarounds for a security
flaw in the SSL3 and TLS1.0 protocols.  If this option isn't used or this bit
is set to 0, the SSL layer libcurl uses may use a work-around for this flaw
although it might cause interoperability problems with some (older) SSL
implementations. WARNING: avoiding this work-around lessens the security, and
by setting this option to 1 you ask for exactly that.
\fICURLSSLOPT_ALLOW_BEAST\fP tells libcurl to not attempt to use any
workarounds for a security flaw in the SSL3 and TLS1.0 protocols.  If this
option isn't used or this bit is set to 0, the SSL layer libcurl uses may use a
work-around for this flaw although it might cause interoperability problems
with some (older) SSL implementations. WARNING: avoiding this work-around
lessens the security, and by setting this option to 1 you ask for exactly that.
This option is only supported for DarwinSSL, NSS and OpenSSL.

Added in 7.44.0:

\fICURLSSLOPT_NO_REVOKE\fP tells libcurl to disable certificate revocation
checks for those SSL backends where such behavior is present. \fBCurrently this
option is only supported for WinSSL (the native Windows SSL library), with an
exception in the case of Windows' Untrusted Publishers blacklist which it seems
can't be bypassed.\fP This option may have broader support to accommodate other
SSL backends in the future.
http://curl.haxx.se/docs/ssl-compared.html


.SH DEFAULT
0
.SH PROTOCOLS
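Review bot: the bare URL line "http://curl.haxx.se/docs/ssl-compared.html" directly follows "SSL backends in the future." with no blank line or .br, so the roff formatter will run it into that paragraph as if it were part of the sentence; put a blank line or .br before it, or introduce it with "See" as the other curl man pages do. The "Added in 7.44.0:" heading for the NO_REVOKE paragraph also differs from the "(Added in 7.x.y)" convention used in curl.1 in this same commit; pick one style. The double blank line before .SH DEFAULT can be collapsed to one.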
+4 −0
@@ -725,6 +725,10 @@ typedef enum {
   servers, a user can this way allow the vulnerability back. */
#define CURLSSLOPT_ALLOW_BEAST (1<<0)

/* - NO_REVOKE tells libcurl to disable certificate revocation checks for those
   SSL backends where such behavior is present. */
#define CURLSSLOPT_NO_REVOKE (1<<1)

#ifndef CURL_NO_OLDIES /* define this to test if your app builds with all
                          the obsolete stuff removed! */

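Review bot: the comment on CURLSSLOPT_NO_REVOKE says "for those SSL backends where such behavior is present" but not which backend currently honours it; the CURLOPT_SSL_OPTIONS(3) page in this commit says WinSSL only, so mirror that in the header comment (or point at the man page) so that application authors reading curl.h do not assume revocation checking is disabled on every build.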
+2 −1
@@ -2234,7 +2234,8 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,

  case CURLOPT_SSL_OPTIONS:
    arg = va_arg(param, long);
    data->set.ssl_enable_beast = arg&CURLSSLOPT_ALLOW_BEAST?TRUE:FALSE;
    data->set.ssl_enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST);
    data->set.ssl_no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
    break;

#endif
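Review bot: both assignments mask arg with a single bit and discard everything else, so a caller that passes an unknown or misspelled bit in the bitmask gets no error; consider rejecting bits outside CURLSSLOPT_ALLOW_BEAST|CURLSSLOPT_NO_REVOKE with CURLE_BAD_FUNCTION_ARGUMENT, as other setopt cases do for out-of-range values. The new data->set.ssl_no_revoke field is assigned here, but its declaration in the SessionHandle set struct and the WinSSL code that reads it are not in the hunks shown on this page; the review should confirm they are part of the same commit.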