docs: Explain DOH transfers inherit some SSL settings #6688
Conversation
|
but which way is excellent? Do you think we should remove that behavior where DOH handles inherit the CTX callback? I think that might be the right move. |
|
I was primarily thinking of getting the current functionality documented. For the proposed change, I would feel much better if we'd have actual users chime in with feedback... |
|
Ok. The SSL CTX callback is advanced and I think the number of users is probably very small. I have modified the proposed warning in the manpage to solicit feedback, let me know what you think:
|
saw this linked in the other issue as it happens, in addition to DoH we also use CURLOPT_SSL_CTX_FUNCTION to load bundled CA certs (though I don't recall the specifics at the moment, IIRC they're not provided by the OS on all platforms and this ensures that things work regardless of platform and device configuration) I assume in our use case it would be necessary that the function is inherited by the DoH handle (for https to function at all), though also we do not use the the same DoH handle setup callback mentioned before would probably work for us too |
Closes #xxxx
Among other things this documents that CURLOPT_SSL_CTX_FUNCTION is inherited. Since that may be unexpected and it is not currently documented I am considering removing that behavior instead. This is similar to the discussion we had in #6605 about CURLOPT_DEBUGFUNCTION where the user may assume they only have to deal with their handle, and not internal DOH handles. The remedy, if there is actually demand for it, would be like I said in #6605 where we have a callback for advanced users that can be used to set DOH options.
Either way though I think we should document how CURLOPT_SSL_CTX_FUNCTION behaves, because it's possible the user may be doing some advanced verification or debugging through that function.