diff --git a/docs/cmdline-opts/Makefile.inc b/docs/cmdline-opts/Makefile.inc
index 208a66718c..149db5878a 100644
--- a/docs/cmdline-opts/Makefile.inc
+++ b/docs/cmdline-opts/Makefile.inc
@@ -30,6 +30,7 @@ DPAGES = \
 append.d \
 aws-sigv4.d \
 basic.d \
+ ca-native.d \
 cacert.d \
 capath.d \
 cert-status.d \
@@ -170,6 +171,7 @@ DPAGES = \
 proto.d \
 proxy-anyauth.d \
 proxy-basic.d \
+ proxy-ca-native.d \
 proxy-cacert.d \
 proxy-capath.d \
 proxy-cert-type.d \
diff --git a/docs/cmdline-opts/ca-native.d b/docs/cmdline-opts/ca-native.d
new file mode 100644
index 0000000000..30b068a32a
--- /dev/null
+++ b/docs/cmdline-opts/ca-native.d
@@ -0,0 +1,19 @@
+c: Copyright (C) Daniel Stenberg, , et al.
+SPDX-License-Identifier: curl
+Long: ca-native
+Help: Use CA certificates from the native OS
+Protocols: TLS
+Category: tls
+See-also: cacert capath insecure
+Example: --ca-native $URL
+Added: 8.2.0
+Multi: boolean
+---
+Tells curl to use the CA store from the native operating system to verify the
+peer. By default, curl will otherwise use a CA store provided in a single file
+or directory, but when using this option it will interface the operating
+system's own vault.
+
+This option only works for curl on Windows when built to use OpenSSL. When
+curl on Windows is built to use Schannel, this feature is implied and curl
+then only uses the native CA store.
diff --git a/docs/cmdline-opts/proxy-ca-native.d b/docs/cmdline-opts/proxy-ca-native.d
new file mode 100644
index 0000000000..1498947768
--- /dev/null
+++ b/docs/cmdline-opts/proxy-ca-native.d
@@ -0,0 +1,19 @@
+c: Copyright (C) Daniel Stenberg, , et al.
+SPDX-License-Identifier: curl
+Long: proxy-ca-native
+Help: Use CA certificates from the native OS for proxy
+Protocols: TLS
+Category: tls
+See-also: cacert capath insecure
+Example: --ca-native $URL
+Added: 8.2.0
+Multi: boolean
+---
+Tells curl to use the CA store from the native operating system to verify the
+HTTPS proxy. By default, curl will otherwise use a CA store provided in a
+single file or directory, but when using this option it will interface the
+operating system's own vault.
+
+This option only works for curl on Windows when built to use OpenSSL. When
+curl on Windows is built to use Schannel, this feature is implied and curl
+then only uses the native CA store.
diff --git a/docs/options-in-versions b/docs/options-in-versions
index d34dd33f01..a4307b6abf 100644
--- a/docs/options-in-versions
+++ b/docs/options-in-versions
@@ -16,6 +16,7 @@
 --append (-a) 4.8
 --aws-sigv4 7.75.0
 --basic 7.10.6
+--ca-native 8.2.0
 --cacert 7.5
 --capath 7.9.8
 --cert (-E) 5.0
@@ -157,6 +158,7 @@
 --proxy (-x) 4.0
 --proxy-anyauth 7.13.2
 --proxy-basic 7.12.0
+--proxy-ca-native 8.2.0
 --proxy-cacert 7.52.0
 --proxy-capath 7.52.0
 --proxy-cert 7.52.0
diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h
index 9609dcdb73..a0442ff434 100644
--- a/src/tool_cfgable.h
+++ b/src/tool_cfgable.h
@@ -259,7 +259,8 @@ struct OperationConfig {
 bool ssl_revoke_best_effort; /* ignore SSL revocation offline/missing revocation list errors */
- bool native_ca_store; /* use the native os ca store */
+ bool native_ca_store; /* use the native OS CA store */
+ bool proxy_native_ca_store; /* use the native OS CA store for proxy */
 bool ssl_auto_client_cert; /* automatically locate and use a client certificate for authentication (Schannel) */
 bool proxy_ssl_auto_client_cert; /* proxy version of ssl_auto_client_cert */
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
index 8a06b6d624..cee56d0baf 100644
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@@ -247,6 +247,8 @@ static const struct LongShort aliases[]= {
 {"Ed", "key-type", ARG_STRING},
 {"Ee", "pass", ARG_STRING},
 {"Ef", "engine", ARG_STRING},
+ {"EG", "ca-native", ARG_BOOL},
+ {"EH", "proxy-ca-native", ARG_BOOL},
 {"Eg", "capath", ARG_FILENAME},
 {"Eh", "pubkey", ARG_STRING},
 {"Ei", "hostpubmd5", ARG_STRING},
@@ -1723,9 +1725,15 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
 cleanarg(clearthis);
 GetFileAndPassword(nextarg, &config->cert, &config->key_passwd);
 break;
- case 'a': /* CA info PEM file */
+ case 'a': /* --cacert CA info PEM file */
 GetStr(&config->cacert, nextarg);
 break;
+ case 'G': /* --ca-native */
+ config->native_ca_store = toggle;
+ break;
+ case 'H': /* --proxy-ca-native */
+ config->proxy_native_ca_store = toggle;
+ break;
 case 'b': /* cert file type */
 GetStr(&config->cert_type, nextarg);
 break;
diff --git a/src/tool_listhelp.c b/src/tool_listhelp.c
index 61550de72d..b6f85fcb81 100644
--- a/src/tool_listhelp.c
+++ b/src/tool_listhelp.c
@@ -51,6 +51,9 @@ const struct helptxt helptext[] = {
 {" --basic",
 "Use HTTP Basic Authentication",
 CURLHELP_AUTH},
+ {" --ca-native",
+ "Use CA certificates from the native OS",
+ CURLHELP_TLS},
 {" --cacert ",
 "CA certificate to verify peer against",
 CURLHELP_TLS},
@@ -274,7 +277,7 @@ const struct helptxt helptext[] = {
 "Use HTTP 1.1",
 CURLHELP_HTTP},
 {" --http2",
- "Use HTTP 2",
+ "Use HTTP/2",
 CURLHELP_HTTP},
 {" --http2-prior-knowledge",
 "Use HTTP 2 without HTTP/1.1 Upgrade",
@@ -474,6 +477,9 @@ const struct helptxt helptext[] = {
 {" --proxy-basic",
 "Use Basic authentication on the proxy",
 CURLHELP_PROXY | CURLHELP_AUTH},
+ {" --proxy-ca-native",
+ "Use CA certificates from the native OS for proxy",
+ CURLHELP_TLS},
 {" --proxy-cacert ",
 "CA certificate to verify peer against for proxy",
 CURLHELP_PROXY | CURLHELP_TLS},
diff --git a/src/tool_operate.c b/src/tool_operate.c
index ce84183022..9dea412b03 100644
--- a/src/tool_operate.c
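Review bot: The new `case 'G'` stores `toggle` into `config->native_ca_store`, but nothing visible in this diff carries that flag into the non-proxy `CURLOPT_SSL_OPTIONS` mask — the tool_operate.c hunk only ORs `proxy_native_ca_store` into `CURLOPT_PROXY_SSL_OPTIONS` — so please confirm the existing mask already maps `native_ca_store` to `CURLSSLOPT_NATIVE_CA`; otherwise `--ca-native` parses cleanly and silently changes nothing about which trust store verifies the peer, which is the kind of no-op a user would not notice until a verification failure. The two new cases are also wedged between `case 'a'` and `case 'b'`, whereas their aliases-table entries in the earlier hunk (`"EG"`, `"EH"`) sit after `"Ef"`; keeping the switch in the same order as the table makes the letter-to-option mapping easier to audit. The enclosing getparameter() switch starts and ends outside the hunk.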
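Review bot: The new `--proxy-ca-native` help entry is categorised as `CURLHELP_TLS` only, while its neighbours `--proxy-basic` and `--proxy-cacert` carry `CURLHELP_PROXY | CURLHELP_TLS`, so the option will be absent from the proxy help listing; the entry should end with `CURLHELP_PROXY | CURLHELP_TLS},`. If tool_listhelp.c is regenerated from the .d files, the fix belongs on the `Category:` line of proxy-ca-native.d (`Category: proxy tls`) rather than in this file; that same .d file's `Example:` line still reads `--ca-native $URL`, which looks like a copy-paste slip from ca-native.d. The helptext[] array starts and ends outside the hunk.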
+++ b/src/tool_operate.c
@@ -1779,7 +1779,9 @@ static CURLcode single_transfer(struct GlobalConfig *global,
 (config->proxy_ssl_allow_beast ?
 CURLSSLOPT_ALLOW_BEAST : 0) |
 (config->proxy_ssl_auto_client_cert ?
- CURLSSLOPT_AUTO_CLIENT_CERT : 0);
+ CURLSSLOPT_AUTO_CLIENT_CERT : 0) |
+ (config->proxy_native_ca_store ?
+ CURLSSLOPT_NATIVE_CA : 0);
 if(mask)
 my_setopt_bitmask(curl, CURLOPT_PROXY_SSL_OPTIONS, mask);