
Valid certificates are rejected as self signed with Apple SecTrust and OpenSSL #19636

@ffath-vo

Description


I did this

I built curl 8.17.0 with Apple SecTrust and OpenSSL 3.5.4, running in an environment where OpenSSL does not have access to any CA certificate.
Some URLs are rejected as having a self-signed certificate (they are in some way, but with a valid CA).
curl does not seem to validate the certificate with SecTrust in this case (the related log line "SSL certificate verified via Apple SecTrust" is missing).

```
$ curl -v 'https://devstreaming-cdn.apple.com/videos/streaming/examples/bipbop_16x9/bipbop_16x9_variant.m3u8'
* Host devstreaming-cdn.apple.com:443 was resolved.
* IPv6: (none)
* IPv4: 17.253.109.201, 17.253.113.202
*   Trying 17.253.109.201:443...
* ALPN: curl offers http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL Trust Anchors:
*   Native: Apple SecTrust
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / id-ecPublicKey
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: C=US; ST=California; O=Apple Inc.; CN=devstreaming-cdn.apple.com
*  start date: Nov 17 23:57:14 2025 GMT
*  expire date: Feb 11 19:12:39 2026 GMT
*  issuer: CN=Apple Public Server ECC CA 11 - G1; O=Apple Inc.; ST=California; C=US
*  Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA256
*  Certificate level 1: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384
*  Certificate level 2: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using ecdsa-with-SHA384
*  subjectAltName: "devstreaming-cdn.apple.com" matches cert's "devstreaming-cdn.apple.com"
* SSL certificate OpenSSL verify result: self-signed certificate in certificate chain (19)
* closing connection #0
curl: (60) SSL certificate OpenSSL verify result: self-signed certificate in certificate chain (19)
```

I expected the following

Being able to fetch the URL (it's a valid HLS test stream).

curl/libcurl version

curl 8.17.0 (aarch64-apple-darwin25.1.0) libcurl/8.17.0 OpenSSL/3.5.4 zlib/1.2.12
Release-Date: 2025-11-05
Protocols: dict file gopher gophers http https ipfs ipns mqtt rtsp smb smbs tftp ws wss
Features: alt-svc AppleSecTrust AsynchDNS HSTS HTTPS-proxy IPv6 Largefile libz NTLM SSL threadsafe TLS-SRP UnixSockets

operating system

macOS 26.1
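When triaging reports like this one, the useful question is whether the native verifier ever reported a result, or whether the OpenSSL trust-anchor error was the only verdict. The helper below is an added example (not part of curl or of this issue) that classifies a `curl -v` trace on that basis; both traces are constructed excerpts modelled on the output above, and the verdict names are my own.

```python
import re

# Constructed excerpt of the trace reported in this issue (not a live capture).
ISSUE_TRACE = """\
* SSL Trust Anchors:
*   Native: Apple SecTrust
* Server certificate:
*  subject: C=US; ST=California; O=Apple Inc.; CN=devstreaming-cdn.apple.com
* SSL certificate OpenSSL verify result: self-signed certificate in certificate chain (19)
* closing connection #0
"""

# Constructed trace of the expected behaviour, where the native verifier ran and passed.
GOOD_TRACE = """\
* SSL Trust Anchors:
*   Native: Apple SecTrust
* Server certificate:
* SSL certificate verified via Apple SecTrust
"""

# Matches curl's "OpenSSL verify result: <message> (<X509_V_ERR code>)" line.
VERIFY_RESULT = re.compile(r"OpenSSL verify result: (?P<msg>.+?) \((?P<code>\d+)\)")


def triage(trace: str) -> dict:
    """Classify a curl -v trace by which verifier actually produced a verdict."""
    announced_native = "Native: Apple SecTrust" in trace
    native_verified = "verified via Apple SecTrust" in trace
    m = VERIFY_RESULT.search(trace)
    code = int(m.group("code")) if m else None
    msg = m.group("msg") if m else None
    if native_verified:
        verdict = "ok-native"            # SecTrust reported success
    elif announced_native and code == 19:
        # 19 is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: OpenSSL reached the root with
        # no trust store, and SecTrust never logged a result, the symptom in this issue.
        verdict = "native-not-consulted"
    elif code is not None:
        verdict = "openssl-error"        # some other OpenSSL verification failure
    else:
        verdict = "unknown"
    return {"native_announced": announced_native, "native_verified": native_verified,
            "openssl_code": code, "openssl_msg": msg, "verdict": verdict}
```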
