ssl: support Apple SecTrust configurations

- configure/cmake support for enabling the option - supported in OpenSSL and GnuTLS backends - when configured, Apple SecTrust is the default trust store for peer verification. When one of the CURLOPT_* for adding certificates is used, that default does not apply. - add documentation of build options and SSL use Closes #18703
2026-05-10 21:56:21 +03:00 · 2025-09-24 10:19:46 +02:00 · 2025-09-24 10:19:46 +02:00 · eefd03c572
commit eefd03c572
parent 9cc1ee55a4
29 changed files with 1377 additions and 604 deletions
--- a/.github/scripts/spellcheck.words
+++ b/.github/scripts/spellcheck.words
@ -743,6 +743,7 @@ scp
 SDK
 se
 SEB
+SecTrust
 SEK
 selectable
 Serv
--- a/.github/workflows/configure-vs-cmake.yml
+++ b/.github/workflows/configure-vs-cmake.yml
@ -92,13 +92,13 @@ jobs:
        run: |
          autoreconf -fi
          export PKG_CONFIG_DEBUG_SPEW=1
-          mkdir bld-am && cd bld-am && ../configure --enable-static=no --with-openssl --without-libpsl --disable-ldap --with-brotli --with-zstd
+          mkdir bld-am && cd bld-am && ../configure --enable-static=no --with-openssl --without-libpsl --disable-ldap --with-brotli --with-zstd --with-apple-sectrust

      - name: 'run cmake'
        run: |
          cmake -B bld-cm -DCURL_WERROR=ON -DCURL_USE_LIBPSL=OFF -DCURL_DISABLE_LDAP=ON \
            -DCMAKE_C_COMPILER_TARGET="$(uname -m | sed 's/arm64/aarch64/')-apple-darwin$(uname -r)" \
-            -DCURL_USE_LIBSSH2=OFF
+            -DCURL_USE_LIBSSH2=OFF -DUSE_APPLE_SECTRUST=ON

      - name: 'configure log'
        run: cat bld-am/config.log 2>/dev/null || true
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@ -265,6 +265,11 @@ jobs:
            install: libnghttp3 libngtcp2
            install_steps: pytest
            configure: --enable-debug --with-openssl=/opt/homebrew/opt/openssl --with-ngtcp2
+          - name: 'OpenSSL SecTrust'
+            compiler: clang
+            install: libnghttp3 libngtcp2
+            install_steps: pytest
+            configure: --enable-debug --with-openssl=/opt/homebrew/opt/openssl --with-ngtcp2 --with-apple-sectrust
          - name: 'OpenSSL event-based'
            compiler: clang
            configure: --enable-debug --with-openssl=/opt/homebrew/opt/openssl
@ -275,9 +280,9 @@ jobs:
            configure: --enable-debug --disable-ldap --with-openssl=/opt/homebrew/opt/quictls LDFLAGS=-L/opt/homebrew/opt/quictls/lib
            macos-version-min: '10.15'
          # cmake
-          - name: 'OpenSSL gsasl rtmp AppleIDN'
+          - name: 'OpenSSL gsasl rtmp AppleIDN SecTrust'
            install: libnghttp3 libngtcp2 gsasl rtmpdump
-            generate: -DOPENSSL_ROOT_DIR=/opt/homebrew/opt/openssl -DCURL_USE_GSASL=ON -DUSE_LIBRTMP=ON -DUSE_APPLE_IDN=ON -DUSE_NGTCP2=ON -DCURL_DISABLE_VERBOSE_STRINGS=ON
+            generate: -DOPENSSL_ROOT_DIR=/opt/homebrew/opt/openssl -DCURL_USE_GSASL=ON -DUSE_LIBRTMP=ON -DUSE_APPLE_IDN=ON -DUSE_NGTCP2=ON -DCURL_DISABLE_VERBOSE_STRINGS=ON -DUSE_APPLE_SECTRUST=ON
          - name: 'MultiSSL AppleIDN clang-tidy +examples'
            compiler: clang
            install: llvm brotli zstd gnutls nettle libressl krb5 mbedtls gsasl rustls-ffi rtmpdump libssh fish