openssl: Don't ignore CA paths when using Windows CA store (redux)

.. and remove 'experimental' designation from CURLSSLOPT_NATIVE_CA.

This commit restores the behavior of CURLSSLOPT_NATIVE_CA so that it
does not override CURLOPT_CAINFO / CURLOPT_CAPATH, or the hardcoded
default locations. Instead the native Windows CA store can be used at
the same time.

---

This behavior was originally added over two years ago in abbc5d60
(#5585) but then 83393b1a (#7892) broke it over a year ago, I assume
inadvertently.

The CURLSSLOPT_NATIVE_CA feature was marked experimental and likely
rarely used.

Ref: https://github.com/curl/curl/pull/5585
Ref: https://github.com/curl/curl/pull/7892
Ref: https://curl.se/mail/lib-2023-01/0019.html

Closes https://github.com/curl/curl/pull/10244
This commit is contained in:
Jay Satiro 2023-01-05 18:32:27 -05:00
parent 6113dec2a8
commit c4cd0e2be9
4 changed files with 45 additions and 22 deletions

View file

@ -20,6 +20,5 @@ Experimental support in curl means:
- The Hyper HTTP backend
- HTTP/3 support and options
- `CURLSSLOPT_NATIVE_CA` (No configure option, feature built in when supported)
- The rustls backend
- WebSocket

View file

@ -60,6 +60,12 @@ offline distribution points for those SSL backends where such behavior is
present. This option is only supported for Schannel (the native Windows SSL
library). If combined with \fICURLSSLOPT_NO_REVOKE\fP, the latter takes
precedence. (Added in 7.70.0)
.IP CURLSSLOPT_NATIVE_CA
Tell libcurl to use the operating system's native CA store for certificate
verification. Works only on Windows when built to use OpenSSL. If you set this
option and also set a CA certificate file or directory then during verification
those certificates are searched in addition to the native CA store.
(Added in 7.71.0)
.IP CURLSSLOPT_AUTO_CLIENT_CERT
Tell libcurl to automatically locate and use a client certificate for
authentication, when requested by the server. This option is only supported

View file

@ -61,8 +61,9 @@ library). If combined with \fICURLSSLOPT_NO_REVOKE\fP, the latter takes
precedence. (Added in 7.70.0)
.IP CURLSSLOPT_NATIVE_CA
Tell libcurl to use the operating system's native CA store for certificate
verification. Works only on Windows when built to use OpenSSL. This option is
experimental and behavior is subject to change.
verification. Works only on Windows when built to use OpenSSL. If you set this
option and also set a CA certificate file or directory then during verification
those certificates are searched in addition to the native CA store.
(Added in 7.71.0)
.IP CURLSSLOPT_AUTO_CLIENT_CERT
Tell libcurl to automatically locate and use a client certificate for