ssl native_ca_store: always reinit

Add bit `native_ca_store_opt` to keep the setting of CURLOPT_(PROXY_)SSL_OPTIONS and use that to calculate every easy transfer if a native CA store shall be used or not. This avoids `native_ca_store` getting stuck on TRUE after being set once. Closes #21902
2026-06-13 19:25:37 +03:00 · 2026-06-08 10:11:30 +02:00 · 2026-06-08 10:11:30 +02:00 · d69bfad3fa
commit d69bfad3fa
parent 435fb96dcf
3 changed files with 28 additions and 19 deletions
--- a/lib/doh.c
+++ b/lib/doh.c
@ -418,7 +418,8 @@ static CURLcode doh_probe_run(struct Curl_easy *data,
  }

  (void)curl_easy_setopt(doh, CURLOPT_SSL_OPTIONS,
-                         (long)data->set.ssl.primary.ssl_options);
+                         ((long)data->set.ssl.primary.ssl_options &
+                           ~CURLSSLOPT_AUTO_CLIENT_CERT));

  doh->state.internal = TRUE;
  doh->master_mid = data->mid; /* master transfer of this one */
--- a/lib/setopt.c
+++ b/lib/setopt.c
@ -399,22 +399,6 @@ static CURLcode setopt_RTSP_REQUEST(struct Curl_easy *data, long arg)
 }
 #endif /* !CURL_DISABLE_RTSP */

-#ifdef USE_SSL
-static void set_ssl_options(struct ssl_config_data *ssl,
-                            struct ssl_primary_config *config,
-                            long arg)
-{
-  config->ssl_options = (unsigned char)(arg & 0xff);
-  ssl->enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST);
-  ssl->no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
-  ssl->no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
-  ssl->revoke_best_effort = !!(arg & CURLSSLOPT_REVOKE_BEST_EFFORT);
-  ssl->native_ca_store = !!(arg & CURLSSLOPT_NATIVE_CA);
-  ssl->auto_client_cert = !!(arg & CURLSSLOPT_AUTO_CLIENT_CERT);
-  ssl->earlydata = !!(arg & CURLSSLOPT_EARLYDATA);
-}
-#endif
-
 static CURLcode setopt_long_bool(struct Curl_easy *data, CURLoption option,
                                 long arg)
 {
@ -994,11 +978,11 @@ static CURLcode setopt_long_ssl(struct Curl_easy *data, CURLoption option,
      s->use_ssl = (unsigned char)arg;
    break;
  case CURLOPT_SSL_OPTIONS:
-    set_ssl_options(&s->ssl, &s->ssl.primary, arg);
+    s->ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
    break;
 #ifndef CURL_DISABLE_PROXY
  case CURLOPT_PROXY_SSL_OPTIONS:
-    set_ssl_options(&s->proxy_ssl, &s->proxy_ssl.primary, arg);
+    s->proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
    break;
 #endif
  case CURLOPT_SSL_ENABLE_NPN:
--- a/lib/vtls/vtls_config.c
+++ b/lib/vtls/vtls_config.c
@ -234,6 +234,25 @@ static bool clone_ssl_primary_config(struct ssl_primary_config *source,
  return TRUE;
 }

+static void ssl_easy_config_compl_options(struct Curl_peer *origin,
+                                          struct Curl_peer *initial_origin,
+                                          struct ssl_config_data *sslc)
+{
+  uint8_t options = sslc->primary.ssl_options;
+  /* If set via CURLOPT_(PROXY_)SSL_OPTIONS, we definitely use it.
+   * If not, we switch it on for supported backends if no custom
+   * ca settings exist. */
+  sslc->native_ca_store = !!(options & CURLSSLOPT_NATIVE_CA);
+  sslc->enable_beast = !!(options & CURLSSLOPT_ALLOW_BEAST);
+  sslc->no_partialchain = !!(options & CURLSSLOPT_NO_PARTIALCHAIN);
+  sslc->no_revoke = !!(options & CURLSSLOPT_NO_REVOKE);
+  sslc->revoke_best_effort = !!(options & CURLSSLOPT_REVOKE_BEST_EFFORT);
+  sslc->earlydata = !!(options & CURLSSLOPT_EARLYDATA);
+
+  sslc->auto_client_cert = Curl_peer_equal(origin, initial_origin) &&
+                           !!(options & CURLSSLOPT_AUTO_CLIENT_CERT);
+}
+
 CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data,
                                       struct Curl_peer *origin)
 {
@ -243,6 +262,8 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data,
  CURLcode result;
 #endif

+  ssl_easy_config_compl_options(origin, data->state.initial_origin, sslc);
+
  if(Curl_ssl_backend() != CURLSSLBACKEND_SCHANNEL) {
 #if defined(USE_APPLE_SECTRUST) || defined(CURL_CA_NATIVE)
    if(!sslc->custom_capath && !sslc->custom_cafile && !sslc->custom_cablob)
@ -308,6 +329,9 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data,

 #ifndef CURL_DISABLE_PROXY
  sslc = &data->set.proxy_ssl;
+  /* no initial origin for proxy, it is not changed for redirects */
+  ssl_easy_config_compl_options(NULL, NULL, sslc);
+
  if(Curl_ssl_backend() != CURLSSLBACKEND_SCHANNEL) {
 #if defined(USE_APPLE_SECTRUST) || defined(CURL_CA_NATIVE)
    if(!sslc->custom_capath && !sslc->custom_cafile && !sslc->custom_cablob)