xf.li | 6c8fc1e | 2023-08-12 00:11:09 -0700

c: Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
SPDX-License-Identifier: curl
Long: pinnedpubkey
Arg: <hashes>
Help: FILE/HASHES Public key to verify peer against
Protocols: TLS
Category: tls
Example: --pinnedpubkey keyfile $URL
Example: --pinnedpubkey 'sha256//ce118b51897f4452dc' $URL
Added: 7.39.0
See-also: hostpubsha256
Multi: single
---
Tells curl to use the specified public key file (or hashes) to verify the
peer. This can be a path to a file which contains a single public key in PEM
or DER format, or any number of base64 encoded sha256 hashes preceded by
'sha256//' and separated by ';'.

When negotiating a TLS or SSL connection, the server sends a certificate
indicating its identity. A public key is extracted from this certificate and
if it does not exactly match the public key provided to this option, curl will
abort the connection before sending or receiving any data.

PEM/DER support:

7.39.0: OpenSSL, GnuTLS and GSKit

7.43.0: NSS and wolfSSL

7.47.0: mbedtls

sha256 support:

7.44.0: OpenSSL, GnuTLS, NSS and wolfSSL

7.47.0: mbedtls

Other SSL backends not supported.
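
Added example (not part of curl's source or documentation): a Python sketch of how a 'sha256//' pin is derived from a public key file in PEM or DER form and checked against a ';'-separated pin list, with the digest computed over the DER-encoded public key (SubjectPublicKeyInfo). The function names are hypothetical, the sample keys are constructed, and rejecting malformed pins outright is this sketch's own choice.

```python
import base64
import hashlib
import hmac

PREFIX = "sha256//"

def load_public_key(data: bytes) -> bytes:
    """Return DER SubjectPublicKeyInfo bytes from PEM or DER file content."""
    lines = [l.strip() for l in data.splitlines() if l.strip()]
    if lines and lines[0] == b"-----BEGIN PUBLIC KEY-----":
        body = [l for l in lines if not l.startswith(b"-----")]
        return base64.b64decode(b"".join(body), validate=True)
    return data  # not PEM: treat the content as DER already

def pin_for(spki_der: bytes) -> str:
    """Pin string for a key: 'sha256//' + base64(SHA-256(DER public key))."""
    digest = hashlib.sha256(spki_der).digest()
    return PREFIX + base64.b64encode(digest).decode("ascii")

def parse_pins(arg: str) -> list[bytes]:
    """Split a ';'-separated pin list into raw digests; reject malformed entries."""
    digests = []
    for item in filter(None, arg.split(";")):
        if not item.startswith(PREFIX):
            raise ValueError(f"pin lacks {PREFIX!r} prefix: {item!r}")
        try:
            raw = base64.b64decode(item[len(PREFIX):], validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"pin is not valid base64: {item!r}") from exc
        if len(raw) != hashlib.sha256().digest_size:
            raise ValueError(f"pin is not a SHA-256 digest: {item!r}")
        digests.append(raw)
    return digests

def peer_key_is_pinned(spki_der: bytes, arg: str) -> bool:
    """True when the peer key's digest equals any pin in the list."""
    seen = hashlib.sha256(spki_der).digest()
    return any(hmac.compare_digest(seen, pin) for pin in parse_pins(arg))

# Constructed sample: Ed25519 SubjectPublicKeyInfo header plus an all-zero key.
SAMPLE_DER = bytes.fromhex("302a300506032b6570032100") + bytes(32)
BACKUP_DER = SAMPLE_DER[:-1] + b"\x01"  # constructed second (backup) key

if __name__ == "__main__":
    pins = ";".join([pin_for(SAMPLE_DER), pin_for(BACKUP_DER)])
    print(pins)  # value usable as the option's <hashes> argument
    print(peer_key_is_pinned(BACKUP_DER, pins))
```

Listing a backup key's pin next to the active one, as the constructed pin list does here, lets a server rotate keys without clients aborting every connection.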