From d7bbc78360152a448e47fc1d202ab0b6a315df6d Mon Sep 17 00:00:00 2001
From: Frank Buss
Date: Tue, 20 Jan 2026 00:03:00 +0100
Subject: [PATCH] tls: add new SSLSUPP flags for several options
So that curl_easy_setopt() correctly returns error for those not supported by the backend.
Closes #20364
---
 lib/setopt.c | 16 ++++++++++++----
 lib/vtls/gtls.c | 4 +++-
 lib/vtls/mbedtls.c | 6 +++++-
 lib/vtls/openssl.c | 6 +++++-
 lib/vtls/rustls.c | 3 ++-
 lib/vtls/vtls.h | 4 ++++
 lib/vtls/wolfssl.c | 3 ++-
 7 files changed, 33 insertions(+), 9 deletions(-)
diff --git a/lib/setopt.c b/lib/setopt.c
index 713a6d2d7c..2fc90c25ec 100644
--- a/lib/setopt.c
+++ b/lib/setopt.c
@@ -1867,7 +1867,9 @@ static CURLcode setopt_cptr(struct Curl_easy *data, CURLoption option,
 * Set CRL file info for SSL connection. Specify filename of the CRL
 * to check certificates revocation
 */
- return Curl_setstropt(&s->str[STRING_SSL_CRLFILE], ptr);
+ if(Curl_ssl_supports(data, SSLSUPP_CRLFILE))
+ return Curl_setstropt(&s->str[STRING_SSL_CRLFILE], ptr);
+ return CURLE_NOT_BUILT_IN;
 case CURLOPT_SSL_CIPHER_LIST:
 if(Curl_ssl_supports(data, SSLSUPP_CIPHER_LIST))
 /* set a list of cipher we want to use in the SSL connection */
@@ -2265,7 +2267,9 @@ static CURLcode setopt_cptr(struct Curl_easy *data, CURLoption option,
 * Set Issuer certificate file
 * to check certificates issuer
 */
- return Curl_setstropt(&s->str[STRING_SSL_ISSUERCERT], ptr);
+ if(Curl_ssl_supports(data, SSLSUPP_ISSUERCERT))
+ return Curl_setstropt(&s->str[STRING_SSL_ISSUERCERT], ptr);
+ return CURLE_NOT_BUILT_IN;
 case CURLOPT_PRIVATE:
 /*
 * Set private data pointer.
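Review bot: The four new gates (this hunk, and the ones at -2265, -2278 and -2885) say nothing about why an unsupported backend is now an error rather than a no-op; before this change the string was stored and presumably never consulted by such a backend, which for CURLOPT_CRLFILE meant a caller could believe revocation checking was in effect when it was not. A one-line comment on the first gate would capture the fail-closed intent: `/* refuse rather than store it silently: a backend without CRL support would otherwise leave the caller believing revocation is checked */`. The same reasoning applies to the ISSUERCERT and ISSUERCERT_BLOB gates. If the CURLOPT_PROXY_CRLFILE and CURLOPT_PROXY_ISSUERCERT counterparts live in this switch as well, they should get the same Curl_ssl_supports() gate so the origin and proxy paths cannot diverge. setopt_cptr continues outside the hunk.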
@@ -2278,7 +2282,9 @@ static CURLcode setopt_cptr(struct Curl_easy *data, CURLoption option,
 * Set accepted curves in SSL connection setup.
 * Specify colon-delimited list of curve algorithm names.
 */
- return Curl_setstropt(&s->str[STRING_SSL_EC_CURVES], ptr);
+ if(Curl_ssl_supports(data, SSLSUPP_SSL_EC_CURVES))
+ return Curl_setstropt(&s->str[STRING_SSL_EC_CURVES], ptr);
+ return CURLE_NOT_BUILT_IN;
 case CURLOPT_SSL_SIGNATURE_ALGORITHMS:
 /*
 * Set accepted signature algorithms.
@@ -2885,7 +2891,9 @@ static CURLcode setopt_blob(struct Curl_easy *data, CURLoption option,
 /*
 * Blob that holds Issuer certificate to check certificates issuer
 */
- return Curl_setblobopt(&s->blobs[BLOB_SSL_ISSUERCERT], blob);
+ if(Curl_ssl_supports(data, SSLSUPP_ISSUERCERT_BLOB))
+ return Curl_setblobopt(&s->blobs[BLOB_SSL_ISSUERCERT], blob);
+ return CURLE_NOT_BUILT_IN;
 default:
 return CURLE_UNKNOWN_OPTION;
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index ae9e0e82b7..a1a56f5c6a 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -2296,7 +2296,9 @@ const struct Curl_ssl Curl_ssl_gnutls = {
 SSLSUPP_HTTPS_PROXY |
 SSLSUPP_CAINFO_BLOB |
 SSLSUPP_CIPHER_LIST |
- SSLSUPP_CA_CACHE,
+ SSLSUPP_CA_CACHE |
+ SSLSUPP_ISSUERCERT |
+ SSLSUPP_CRLFILE,
 sizeof(struct gtls_ssl_backend_data),
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index 43ac968977..c6a014478e 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -1526,7 +1526,11 @@ const struct Curl_ssl Curl_ssl_mbedtls = {
 SSLSUPP_TLS13_CIPHERSUITES |
 #endif
 SSLSUPP_HTTPS_PROXY |
- SSLSUPP_CIPHER_LIST,
+ SSLSUPP_CIPHER_LIST |
+#ifdef MBEDTLS_X509_CRL_PARSE_C
+ SSLSUPP_CRLFILE |
+#endif
+ 0,
 sizeof(struct mbed_ssl_backend_data),
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index bab1b9a3a1..7c7f9ccb15 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
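Review bot: The trailing `+ 0,` in the mbedTLS flag chain is correct but reads like a leftover without a word of explanation, since every other backend in this patch ends its chain on a real flag; `0, /* terminator: the SSLSUPP_CRLFILE line above is conditional */` makes the idiom obvious. SSLSUPP_CRLFILE is advertised only under MBEDTLS_X509_CRL_PARSE_C, so the code in this file that actually loads the CRL from the CURLOPT_CRLFILE string must sit under the same guard — if it does not, a build without CRL parsing would accept the option at setopt time and only fail (or, worse, skip the check) later in the handshake; I cannot see that code from this hunk, so worth confirming. The Curl_ssl_mbedtls initializer starts and ends outside the hunk.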
@@ -5415,7 +5415,11 @@ const struct Curl_ssl Curl_ssl_openssl = {
 #endif
 SSLSUPP_CA_CACHE |
 SSLSUPP_HTTPS_PROXY |
- SSLSUPP_CIPHER_LIST,
+ SSLSUPP_CIPHER_LIST |
+ SSLSUPP_ISSUERCERT |
+ SSLSUPP_ISSUERCERT_BLOB |
+ SSLSUPP_SSL_EC_CURVES |
+ SSLSUPP_CRLFILE,
 sizeof(struct ossl_ctx),
diff --git a/lib/vtls/rustls.c b/lib/vtls/rustls.c
index b7793ebdb7..552f153b65 100644
--- a/lib/vtls/rustls.c
+++ b/lib/vtls/rustls.c
@@ -1399,7 +1399,8 @@ const struct Curl_ssl Curl_ssl_rustls = {
 SSLSUPP_CIPHER_LIST |
 SSLSUPP_TLS13_CIPHERSUITES |
 SSLSUPP_CERTINFO |
- SSLSUPP_ECH,
+ SSLSUPP_ECH |
+ SSLSUPP_CRLFILE,
 sizeof(struct rustls_ssl_backend_data),
 NULL, /* init */
diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
index 273c6cce3f..bf19572fc6 100644
--- a/lib/vtls/vtls.h
+++ b/lib/vtls/vtls.h
@@ -43,6 +43,10 @@ struct dynbuf;
 #define SSLSUPP_CA_CACHE (1 << 8)
 #define SSLSUPP_CIPHER_LIST (1 << 9) /* supports TLS 1.0-1.2 ciphersuites */
 #define SSLSUPP_SIGNATURE_ALGORITHMS (1 << 10) /* supports TLS sigalgs */
+#define SSLSUPP_ISSUERCERT (1 << 11) /* supports CURLOPT_ISSUERCERT */
+#define SSLSUPP_SSL_EC_CURVES (1 << 12) /* supports CURLOPT_SSL_EC_CURVES */
+#define SSLSUPP_CRLFILE (1 << 13) /* supports CURLOPT_CRLFILE */
+#define SSLSUPP_ISSUERCERT_BLOB (1 << 14) /* CURLOPT_ISSUERCERT_BLOB */
 #ifdef USE_ECH
 # include "../curlx/base64.h"
diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
index 5f9baed358..b820ee06cf 100644
--- a/lib/vtls/wolfssl.c
+++ b/lib/vtls/wolfssl.c
@@ -2283,7 +2283,8 @@ const struct Curl_ssl Curl_ssl_wolfssl = {
 SSLSUPP_TLS13_CIPHERSUITES |
 #endif
 SSLSUPP_CA_CACHE |
- SSLSUPP_CIPHER_LIST,
+ SSLSUPP_CIPHER_LIST |
+ SSLSUPP_SSL_EC_CURVES,
 sizeof(struct wssl_ctx),
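Review bot: The comment on SSLSUPP_ISSUERCERT_BLOB in the vtls.h hunk drops the `supports` wording the three lines above it use, and none of the four new lines says what omitting a flag means for callers, even though lib/setopt.c in this same patch now returns CURLE_NOT_BUILT_IN whenever a backend lacks the flag. Suggest `#define SSLSUPP_ISSUERCERT_BLOB (1 << 14) /* supports CURLOPT_ISSUERCERT_BLOB */` and one line above the new defines: `/* a backend that omits one of these makes curl_easy_setopt() fail with CURLE_NOT_BUILT_IN for that option */`, so a backend author picking flags understands the contract without reading setopt.c.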
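Review bot: wolfSSL is given only SSLSUPP_SSL_EC_CURVES in the wolfssl.c hunk, so after this patch CURLOPT_CRLFILE and CURLOPT_ISSUERCERT return CURLE_NOT_BUILT_IN on that backend, while GnuTLS, mbedTLS, OpenSSL and rustls all advertise SSLSUPP_CRLFILE. If wolfssl.c does load a CRL from the CURLOPT_CRLFILE string (I cannot see that code from this hunk), applications that relied on CRL checking with wolfSSL will start failing at option-set time, and the flag list should become `SSLSUPP_SSL_EC_CURVES |` followed by `SSLSUPP_CRLFILE,` placed under whatever build guard protects the CRL-loading code, the way mbedtls.c does with MBEDTLS_X509_CRL_PARSE_C. If wolfSSL genuinely has no CRL support in curl, a short comment next to the flag list saying so would save the next reader the same question. The Curl_ssl_wolfssl initializer continues outside the hunk.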