Description
After upgrading curl from version 7.80 to 7.81, HTTP/3 connections stopped working.
Error:
curl --head --http3 -v https://cloudflare.com
* Trying 2606:4700::6810:84e5:443...
* Connect socket 5 over QUIC to 2606:4700::6810:84e5:443
* error setting certificate verify locations: CAfile: none CApath: none
* Trying 2606:4700::6810:85e5:443...
* Connect socket 6 over QUIC to 2606:4700::6810:85e5:443
* error setting certificate verify locations: CAfile: none CApath: none
* Trying 104.16.133.229:443...
* Connect socket 0 over QUIC to 104.16.133.229:443
* error setting certificate verify locations: CAfile: none CApath: none
* Trying 104.16.132.229:443...
* Connect socket 7 over QUIC to 104.16.132.229:443
* error setting certificate verify locations: CAfile: none CApath: none
* Closing connection 0
curl: (96) error setting certificate verify locations: CAfile: none CApath: none
Probably stopped working after this commit - c148f0f
Configure flags:
--without-ca-bundle
--without-ca-path
--with-ca-fallback
With the HTTP/2 protocol it works:
* Trying 2606:4700::6810:84e5:443...
* Connected to cloudflare.com (2606:4700::6810:84e5) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=cloudflare.com
* start date: Jun 4 00:00:00 2021 GMT
* expire date: Jun 3 23:59:59 2022 GMT
* subjectAltName: host "cloudflare.com" matched cert's "cloudflare.com"
* issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
* SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
...
When using the HTTP2 protocol, the certificate is searched through the SSL library. When using the HTTP3 protocol, the certificate search is not performed.
curl/libcurl version
[curl -V output]
curl 7.82.0 (x86_64-pc-linux-gnu) libcurl/7.82.0 OpenSSL/3.0.2 zlib/1.2.12 brotli/1.0.9 zstd/1.5.2 libidn2/2.3.2 libssh2/1.10.0 nghttp2/1.47.0 ngtcp2/0.4.0-DEV nghttp3/0.4.0-DEV
Release-Date: 2022-03-05
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB SPNEGO SSL TLS-SRP UnixSockets zstd
operating system
NixOS 22.05 Unstable.
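The trust-store selection this report describes, modelled in Python as an added example (not part of the original issue and not curl's code). `build_verify_context`, `VerifyLocationError` and the `ca_fallback` parameter are hypothetical names; `ca_fallback=True` stands in for a build configured with `--with-ca-fallback`, and Python's `ssl` module wraps OpenSSL's `SSL_CTX_load_verify_locations` and `SSL_CTX_set_default_verify_paths`.

```python
import ssl


class VerifyLocationError(Exception):
    """Hypothetical error type modelled on curl's exit code 96 message."""


def build_verify_context(cafile=None, capath=None, ca_fallback=False):
    """Return (context, source) for a verifying TLS client context.

    Assumed model of the behaviour in the report:
    - explicit CAfile/CApath: load exactly those locations
    - neither set, fallback enabled: use the TLS library's default store
    - neither set, no fallback: fail closed, never disable verification
    """
    # PROTOCOL_TLS_CLIENT starts with CERT_REQUIRED and hostname checking on.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)

    if cafile or capath:
        try:
            ctx.load_verify_locations(cafile=cafile, capath=capath)
        except (OSError, ssl.SSLError) as exc:
            raise VerifyLocationError(
                f"error setting certificate verify locations: "
                f"CAfile: {cafile or 'none'} CApath: {capath or 'none'}"
            ) from exc
        return ctx, "explicit"

    if ca_fallback:
        # Delegates the search to OpenSSL's compiled-in defaults and the
        # SSL_CERT_FILE / SSL_CERT_DIR environment variables.
        ctx.set_default_verify_paths()
        return ctx, "library-default"

    raise VerifyLocationError(
        "error setting certificate verify locations: CAfile: none CApath: none"
    )


if __name__ == "__main__":
    # Path with the fallback honoured (what the report sees over HTTP/2).
    print(build_verify_context(ca_fallback=True)[1])
    # Path without it (what the report sees over HTTP/3).
    try:
        build_verify_context(ca_fallback=False)
    except VerifyLocationError as err:
        print(err)
```

In both branches the context keeps `CERT_REQUIRED`, so a missing trust store surfaces as a hard error instead of an unverified connection.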