curl/.github/workflows
Viktor Szakats 1730407b74
windows: add build option to use the native CA store
With the same semantics as Apple SecTrust, in both libcurl and the curl
tool, when using non-Schannel TLS backends. In practice it means that
it makes TLS work without manually or implicitly configuring a CA bundle
`.crt` file, such as `curl-ca-bundle.crt`.

To enable:
- autotools: `--enable-ca-native`
- cmake: `-DCURL_CA_NATIVE=ON`
- CPPFLAGS: `-DCURL_CA_NATIVE`

When enabled:
- enables `CURLSSLOPT_NATIVE_CA` (libcurl) / `--ca-native`
  and `--proxy-ca-native` (curl tool) options by default.
- unsafe search for an on-disk CA bundle gets disabled by default.
  Equivalent to `--disable-ca-search` with autotools,
  `-DCURL_DISABLE_CA_SEARCH=ON` with CMake.
- build-time detection of CA bundle and CA path gets disabled, as with
  Apple SecTrust. This was already the default for Windows.
- native CA can be disabled at run-time with the `--no-ca-native`
  and/or `--no-proxy-ca-native` command-line options.

Rationale: This build option:
- has repeated and active interest from packagers and users.
- helps integrate curl with Windows for those who need this.
- it also applies to macOS: #17525
  Shipped in curl 8.17.0.
- makes it trivial to use custom certs configured on the OS.
- frees applications/packagers/users from the task of securely
  distributing, and keeping up-to-date, a CA bundle.
- frees potentially many curl tool users from configuring a CA bundle manually
  to access HTTPS (and other TLS) URLs. This is traditionally difficult
  on Windows because there is no concept of a universal, protected,
  non-world-writable, location on the file system to securely store
  a CA bundle.
- allows using modern features regardless of Windows version. Some of
  these features are not supported with Schannel (e.g. HTTP/3, ECH) on
  any Windows version.
- is necessary for HTTP/3 builds, where bootstrapping a CA bundle is not
  possible with Schannel, because MultiSSL is not an option, and HTTP/3
  is not supported with Schannel.

Ref: #16181 (previous attempt)
Ref: https://github.com/curl/curl/discussions/9348
Ref: https://github.com/curl/curl/issues/9350
Ref: https://github.com/curl/curl/pull/13111
Ref: https://github.com/microsoft/vcpkg/pull/46459#issuecomment-3162068701
Ref: 22652a5a4c #14582
Ref: eefd03c572 #18703

Closes #18279
2026-01-17 19:18:52 +01:00
appveyor-status.yml GHA: switch 12 Linux jobs to arm64 2026-01-09 19:35:16 +01:00
checkdocs.yml tidy-up: merge root packages directory into projects 2026-01-12 23:49:35 +01:00
checksrc.yml build: add curl-lint/lint targets, CURL_LINT cmake option 2026-01-12 16:45:24 +01:00
checkurls.yml GHA: switch 12 Linux jobs to arm64 2026-01-09 19:35:16 +01:00
codeql.yml tidy-up: merge root packages directory into projects 2026-01-12 23:49:35 +01:00
configure-vs-cmake.yml GHA: delete disable-man-db hack, runners doing it by default now 2026-01-11 15:40:21 +01:00
curl-for-win.yml tidy-up: merge root packages directory into projects 2026-01-12 23:49:35 +01:00
distcheck.yml GHA: delete disable-man-db hack, runners doing it by default now 2026-01-11 15:40:21 +01:00
fuzz.yml GHA: silence fresh zizmor 1.21.0 warnings 2026-01-16 13:48:28 +01:00
http3-linux.yml tidy-up: miscellaneous 2026-01-15 13:06:13 +01:00
label.yml GHA: set concurrency: where missing 2025-10-24 13:38:11 +02:00
linux-old.yml tidy-up: miscellaneous 2026-01-15 13:06:13 +01:00
linux.yml tidy-up: merge root packages directory into projects 2026-01-12 23:49:35 +01:00
macos.yml tidy-up: miscellaneous 2026-01-15 13:06:13 +01:00
non-native.yml tidy-up: miscellaneous 2026-01-15 13:06:13 +01:00
windows.yml windows: add build option to use the native CA store 2026-01-17 19:18:52 +01:00