docs/opts: Mention Schannel client cert type is P12

The Schannel backend code behaves the same as Secure Transport: it expects a P12
certificate file or the name of a certificate already in the user's OS
key store. Also, both backends ignore CURLOPT_SSLKEY (tool: --key)
because they expect the private key to already be available from the
keystore or P12 certificate.

Ref: https://github.com/curl/curl/discussions/8581#discussioncomment-2337260

Closes https://github.com/curl/curl/pull/8587
Jay Satiro 2022-03-12 18:23:12 -05:00
parent ba4a8fa4d1
commit cabcf403ed
7 changed files with 28 additions and 16 deletions


@ -1,13 +1,17 @@
Long: cert-type Long: cert-type
Protocols: TLS Protocols: TLS
Arg: <type> Arg: <type>
Help: Certificate type (DER/PEM/ENG) Help: Certificate type (DER/PEM/ENG/P12)
See-also: cert key key-type See-also: cert key key-type
Category: tls Category: tls
Example: --cert-type PEM --cert file $URL Example: --cert-type PEM --cert file $URL
Added: 7.9.3 Added: 7.9.3
--- ---
Tells curl what type the provided client certificate is using. PEM, DER, ENG Tells curl what type the provided client certificate is using. PEM, DER, ENG
and P12 are recognized types. If not specified, PEM is assumed. and P12 are recognized types.
The default type depends on the TLS backend and is usually PEM, however for
Secure Transport and Schannel it is P12. If --cert is a pkcs11: URI then ENG is
the default type.
If this option is used several times, the last one will be used. If this option is used several times, the last one will be used.
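Review bot: the new sentence "The default type depends on the TLS backend and is usually PEM, however for Secure Transport and Schannel it is P12" is a comma splice; split it ("... is usually PEM. For Secure Transport and Schannel it is P12.") so the two defaults read as separate statements. It is also worth one more sentence here that, for Schannel and Secure Transport, --cert may instead name a certificate already in the OS key store (as the commit message says), in which case no file type applies at all; otherwise readers will assume a P12 file is always required on those backends.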


@ -18,4 +18,9 @@ PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option will be set
as "pkcs11" if none was provided and the --key-type option will be set as as "pkcs11" if none was provided and the --key-type option will be set as
"ENG" if none was provided. "ENG" if none was provided.
If curl is built against Secure Transport or Schannel then this option is
ignored for TLS protocols (HTTPS, etc). Those backends expect the private key
to be already present in the keychain or PKCS#12 file containing the
certificate.
If this option is used several times, the last one will be used. If this option is used several times, the last one will be used.
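Review bot: "keychain" is Secure Transport terminology; for Schannel the private key lives in the Windows certificate store, so the added sentence should say "keychain (Secure Transport) or certificate store (Schannel), or the PKCS#12 file containing the certificate" to match the commit message's "user's OS key store". Since the option is silently ignored on those backends, a user who passes a separately stored key will not notice it was dropped until the handshake fails; stating explicitly that curl does not warn would save them a debugging round.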


@ -33,9 +33,10 @@ CURLcode curl_easy_setopt(CURL *handle, CURLOPT_PROXY_SSLCERTTYPE, char *type);
Pass a pointer to a null-terminated string as parameter. The string should be Pass a pointer to a null-terminated string as parameter. The string should be
the format of your client certificate used when connecting to an HTTPS proxy. the format of your client certificate used when connecting to an HTTPS proxy.
Supported formats are "PEM" and "DER", except with Secure Transport. OpenSSL Supported formats are "PEM" and "DER", except with Secure Transport or
(versions 0.9.3 and later) and Secure Transport (on iOS 5 or later, or OS X Schannel. OpenSSL (versions 0.9.3 and later), Secure Transport (on iOS 5 or
10.7 or later) also support "P12" for PKCS#12-encoded files. later, or OS X 10.7 or later) and Schannel support "P12" for PKCS#12-encoded
files.
The application does not have to keep the string around after setting this The application does not have to keep the string around after setting this
option. option.


@ -35,9 +35,9 @@ the file name of your private key used for connecting to the HTTPS proxy. The
default format is "PEM" and can be changed with default format is "PEM" and can be changed with
\fICURLOPT_PROXY_SSLKEYTYPE(3)\fP. \fICURLOPT_PROXY_SSLKEYTYPE(3)\fP.
(iOS and Mac OS X only) This option is ignored if curl was built against (Windows, iOS and Mac OS X) This option is ignored by Secure Transport and
Secure Transport. Secure Transport expects the private key to be already Schannel SSL backends because they expect the private key to be already present
present in the keychain or PKCS#12 file containing the certificate. in the keychain or PKCS#12 file containing the certificate.
The application does not have to keep the string around after setting this The application does not have to keep the string around after setting this
option. option.


@ -31,10 +31,12 @@ CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSLCERTTYPE, char *type);
.fi .fi
.SH DESCRIPTION .SH DESCRIPTION
Pass a pointer to a null-terminated string as parameter. The string should be Pass a pointer to a null-terminated string as parameter. The string should be
the format of your certificate. Supported formats are "PEM" and "DER", except the format of your certificate.
with Secure Transport. OpenSSL (versions 0.9.3 and later) and Secure Transport
(on iOS 5 or later, or OS X 10.7 or later) also support "P12" for Supported formats are "PEM" and "DER", except with Secure Transport or
PKCS#12-encoded files. Schannel. OpenSSL (versions 0.9.3 and later), Secure Transport (on iOS 5 or
later, or OS X 10.7 or later) and Schannel support "P12" for PKCS#12-encoded
files.
The application does not have to keep the string around after setting this The application does not have to keep the string around after setting this
option. option.


@ -34,9 +34,9 @@ Pass a pointer to a null-terminated string as parameter. The string should be
the file name of your private key. The default format is "PEM" and can be the file name of your private key. The default format is "PEM" and can be
changed with \fICURLOPT_SSLKEYTYPE(3)\fP. changed with \fICURLOPT_SSLKEYTYPE(3)\fP.
(iOS and Mac OS X only) This option is ignored if curl was built against (Windows, iOS and Mac OS X) This option is ignored by Secure Transport and
Secure Transport. Secure Transport expects the private key to be already Schannel SSL backends because they expect the private key to be already present
present in the keychain or PKCS#12 file containing the certificate. in the keychain or PKCS#12 file containing the certificate.
The application does not have to keep the string around after setting this The application does not have to keep the string around after setting this
option. option.


@ -62,7 +62,7 @@ const struct helptxt helptext[] = {
"Verify the status of the server cert via OCSP-staple", "Verify the status of the server cert via OCSP-staple",
CURLHELP_TLS}, CURLHELP_TLS},
{" --cert-type <type>", {" --cert-type <type>",
"Certificate type (DER/PEM/ENG)", "Certificate type (DER/PEM/ENG/P12)",
CURLHELP_TLS}, CURLHELP_TLS},
{" --ciphers <list of ciphers>", {" --ciphers <list of ciphers>",
"SSL ciphers to use", "SSL ciphers to use",
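Review bot: tool_listhelp.c is generated from the docs/cmdline-opts/*.d files, so this string should come from regenerating the file after the cert-type.d Help line was changed rather than from a hand edit; please confirm it was regenerated so the two stay in sync the next time the help text is rebuilt.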