mirror of https://github.com/curl/curl.git, synced 2026-06-05 22:04:15 +03:00
windows: add build option to use the native CA store
With the same semantics as Apple SecTrust, in both libcurl and the curl tool, when using non-Schannel TLS backends.

In practice it means that it makes TLS work without manually or implicitly configuring a CA bundle `.crt` file, such as `curl-ca-bundle.crt`.

To enable:
- autotools: `--enable-ca-native`
- cmake: `-DCURL_CA_NATIVE=ON`
- CPPFLAGS: `-DCURL_CA_NATIVE`

When enabled:
- enables `CURLSSLOPT_NATIVE_CA` (libcurl) / `--ca-native` and `--proxy-ca-native` (curl tool) options by default.
- unsafe search for an on-disk CA bundle gets disabled by default. Equivalent to `--disable-ca-search` with autotools, `-DCURL_DISABLE_CA_SEARCH=ON` with CMake.
- build-time detection of CA bundle and CA path gets disabled. As with Apple SecTrust. This was already the default for Windows.
- native CA can be disabled at run-time with the `--no-ca-native` and/or `--no-proxy-ca-native` command-line options.

Rationale:

This build option:
- has a repeat and active interest from packagers and users.
- helps integrate curl with Windows for those who need this.
  - it also applies to macOS: #17525
    Shipped in curl 8.17.0.
- makes it trivial to use custom certs configured on the OS.
- frees applications/packagers/users from the task of securely distributing, and keeping up-to-date, a CA bundle.
- frees potentially many curl tool from configuring a CA bundle manually to access HTTPS (and other TLS) URLs. This is traditionally difficult on Windows because there is no concept of a universal, protected, non-world-writable, location on the file system to securely store a CA bundle.
- allows using modern features regardless of Windows version. Some of these features are not supported with Schannel (e.g. HTTP/3, ECH) on any Windows version.
- is necessary for HTTP/3 builds, where bootstrapping a CA bundle is not possible with Schannel, because MultiSSL is not an option, and HTTP/3 is not supported with Schannel.
Ref: #16181 (previous attempt)
Ref: https://github.com/curl/curl/discussions/9348
Ref: https://github.com/curl/curl/issues/9350
Ref: https://github.com/curl/curl/pull/13111
Ref: https://github.com/microsoft/vcpkg/pull/46459#issuecomment-3162068701
Ref: 22652a5a4c #14582
Ref: eefd03c572 #18703
Closes #18279
parent 5aa303f1bf
commit 1730407b74
9 changed files with 83 additions and 13 deletions
.github/workflows/windows.yml (vendored): 3
@ -200,7 +200,7 @@ jobs:
- { build: 'autotools', sys: 'msys' , env: 'x86_64' , tflags: '' , config: '--with-openssl', install: 'openssl-devel libssh2-devel', name: 'default R' }
# MinGW
- { build: 'autotools', sys: 'mingw64' , env: 'x86_64' , tflags: 'skiprun' , config: '--enable-debug --with-openssl --disable-threaded-resolver --disable-curldebug --enable-static --without-zlib', install: 'mingw-w64-x86_64-openssl mingw-w64-x86_64-libssh2', name: 'default' }
- { build: 'autotools', sys: 'mingw64' , env: 'x86_64' , tflags: '' , config: '--enable-debug --with-openssl --enable-windows-unicode --enable-ares --with-openssl-quic --enable-static --disable-shared', install: 'mingw-w64-x86_64-c-ares mingw-w64-x86_64-openssl mingw-w64-x86_64-nghttp3 mingw-w64-x86_64-libssh2', name: 'c-ares U' }
- { build: 'autotools', sys: 'mingw64' , env: 'x86_64' , tflags: '' , config: '--enable-debug --with-openssl --enable-windows-unicode --enable-ares --with-openssl-quic --enable-static --disable-shared --enable-ca-native', install: 'mingw-w64-x86_64-c-ares mingw-w64-x86_64-openssl mingw-w64-x86_64-nghttp3 mingw-w64-x86_64-libssh2', name: 'c-ares U' }
- { build: 'cmake' , sys: 'mingw64' , env: 'x86_64' , tflags: '--min=1650', config: '-DENABLE_DEBUG=ON -DBUILD_SHARED_LIBS=OFF -DCURL_USE_SCHANNEL=ON -DENABLE_UNICODE=ON -DENABLE_ARES=ON', install: 'mingw-w64-x86_64-c-ares mingw-w64-x86_64-libssh2', type: 'Debug', name: 'schannel c-ares U' }
# MinGW torture
- { build: 'cmake' , sys: 'mingw64' , env: 'x86_64' , tflags: '-t --shallow=13 --min=700 1 to 950' , config: '-DENABLE_DEBUG=ON -DBUILD_SHARED_LIBS=OFF -DCURL_USE_SCHANNEL=ON -DENABLE_UNICODE=ON -DENABLE_ARES=ON', install: 'mingw-w64-x86_64-c-ares mingw-w64-x86_64-libssh2', type: 'Debug', name: 'schannel U torture 1' }
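Review bot: the changed job at line 200 now configures with `--enable-ca-native` but its matrix `name` stays 'c-ares U', so nothing in the job list tells a reader which MinGW run covers the native CA store; consider appending a tag such as 'ca-native' to the name. Since `tflags` is '' for this entry the test suite runs against this build, which makes it the one place in this file where the run-time default (native CA on, on-disk bundle search off) is exercised; a short comment next to the entry would stop it being trimmed from the matrix as an apparent duplicate of the entry above it.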
@ -764,6 +764,7 @@ jobs:
-DNGTCP2_INCLUDE_DIR=/ucrt64/include
-DNGTCP2_LIBRARY=/ucrt64/lib/libngtcp2.dll.a
-DNGTCP2_CRYPTO_OSSL_LIBRARY=/ucrt64/lib/libngtcp2_crypto_ossl.dll.a
-DCURL_CA_NATIVE=ON
- name: 'schannel U'
install-vcpkg: 'zlib libssh2[core,zlib]'
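Review bot: `-DCURL_CA_NATIVE=ON` is appended to the end of the NGTCP2 option block of this HTTP/3 job with no indication of why it belongs there, while the neighbouring `schannel U` job correctly does not get it. The reason given in the commit message (an HTTP/3 build cannot fall back to Schannel to bootstrap a CA bundle) should sit in a YAML comment directly above the line, e.g. `# HTTP/3 build: no Schannel, so use the native CA store`, so the flag is not read as an ngtcp2 setting and dropped in a later cleanup of those lines.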