curl: add --proxy-pinnedpubkey

To verify a proxy's public key. For when using HTTPS proxies. Fixes #2192 Closes #2268
2026-05-08 15:47:29 +03:00 · 2018-01-28 14:15:56 +01:00 · 2018-01-28 14:15:56 +01:00 · fecec1d8ae
commit fecec1d8ae
parent b7db284266
6 changed files with 29 additions and 4 deletions
--- a/docs/cmdline-opts/Makefile.inc
+++ b/docs/cmdline-opts/Makefile.inc
@ -34,7 +34,7 @@ DPAGES = abstract-unix-socket.d anyauth.d append.d basic.d cacert.d capath.d cer
  remote-name-all.d remote-name.d remote-time.d request.d resolve.d     \
  retry-connrefused.d retry.d retry-delay.d retry-max-time.d sasl-ir.d  \
  service-name.d show-error.d silent.d socks4a.d socks4.d socks5.d      \
-  socks5-basic.d socks5-gssapi.d                                        \
+  socks5-basic.d socks5-gssapi.d proxy-pinnedpubkey.d                   \
  socks5-gssapi-nec.d socks5-gssapi-service.d socks5-hostname.d         \
  speed-limit.d speed-time.d ssl-allow-beast.d ssl.d ssl-no-revoke.d    \
  ssl-reqd.d sslv2.d sslv3.d stderr.d suppress-connect-headers.d        \
--- a/docs/cmdline-opts/proxy-pinnedpubkey.d
+++ b/docs/cmdline-opts/proxy-pinnedpubkey.d
@ -0,0 +1,16 @@
+Long: proxy-pinnedpubkey
+Arg: <hashes>
+Help: FILE/HASHES public key to verify proxy with
+Protocols: TLS
+---
+Tells curl to use the specified public key file (or hashes) to verify the
+proxy. This can be a path to a file which contains a single public key in PEM
+or DER format, or any number of base64 encoded sha256 hashes preceded by
+\'sha256//\' and separated by \';\'
+
+When negotiating a TLS or SSL connection, the server sends a certificate
+indicating its identity. A public key is extracted from this certificate and
+if it does not exactly match the public key provided to this option, curl will
+abort the connection before sending or receiving any data.
+
+If this option is used several times, the last one will be used.