CURLOPT_PINNEDPUBLICKEY conflicting documentation

curl.stunt430--- via curl-library Fri, 17 Oct 2025 01:03:07 -0700

The CURLOPT_PINNEDPUBLICKEY option has conflicting documentation in the source 
code and the documentation at https://curl.se


```c
/* The public key in DER form used to validate the peer public key
this option is used only if SSL_VERIFYPEER is true */ 
CURLOPT(CURLOPT_PINNEDPUBLICKEY, CURLOPTTYPE_STRINGPOINT, 230),
```

The above snippet is retrieved from 
[curl.h](https://github.com/curl/curl/blob/f91be14bfb79021e3b9ba769955c1f2c4351e9bf/include/curl/curl.h#L1958)
 from the GitHub repo. The comment above says that the CURLOPT_PINNEDPUBLICKEY 
option is used only if SSL_VERIFYPEER is true. This is in direct contradiction 
to the documentation 
[here](https://curl.se/libcurl/c/CURLOPT_PINNEDPUBLICKEY.html). The 
documentation says this:

- This option is independent of option 
[CURLOPT_SSL_VERIFYPEER](https://curl.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html).
 If you turn off that option then the peer is still verified by public key.

I hope this can be fixed to not be a source of confusion. Thanks!

-- 
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html

CURLOPT_PINNEDPUBLICKEY conflicting documentation

Reply via email to