openssl: Don't ignore CA paths when using Windows CA store (redux) #10244
This commit restores the behavior of CURLSSLOPT_NATIVE_CA so that it does not override CURLOPT_CAINFO / CURLOPT_CAPATH, or the hardcoded default locations. Instead the CA store can be used at the same time.
This behavior was originally added over two years ago in abbc5d6 (#5585) but then 83393b1 (#7892) broke it a year ago, I assume inadvertently. The CURLSSLOPT_NATIVE_CA feature is marked experimental and likely rarely used.
Ref: #5585
Ref: #7892
Ref: https://curl.se/mail/lib-2023-01/0019.html
Closes #xxxx
Tested with CURLOPT_CAINFO not set and CURLSSLOPT_NATIVE_CA set; self-signed CA in MS root store; verified successfully.
Tested with CURLOPT_CAINFO set to curl default CA bundle and CURLSSLOPT_NATIVE_CA set; self-signed CA in MS root store; verified successfully.
Tested with CURLOPT_CAINFO set to self-signed CA and CURLSSLOPT_NATIVE_CA set; same self-signed CA not in MS root store; verified successfully.
Tested with CURLOPT_CAINFO set to self-signed CA and CURLSSLOPT_NATIVE_CA set; same self-signed CA in MS root store; verified successfully.
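
The difference between the regressed and the restored behavior over the four tested configurations above, as an added illustration that is not curl's code and not part of the original PR. It is a simplified model in which trust anchors are plain labels; `trust_cfg`, the function names and the CA labels are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not curl source. Names and CA labels are constructed. */
struct trust_cfg {
    bool native_ca;           /* models CURLSSLOPT_NATIVE_CA being set */
    const char *file_cas[3];  /* anchors from CURLOPT_CAINFO / CURLOPT_CAPATH / defaults */
    const char *store_cas[3]; /* anchors present in the Windows root store */
};

/* Walk a NULL-terminated list of CA labels. */
static bool has_ca(const char *const *list, const char *ca) {
    for (; *list; list++)
        if (strcmp(*list, ca) == 0) return true;
    return false;
}

/* Regressed behavior: CA paths are ignored once the native store is in use. */
bool trusted_regressed(const struct trust_cfg *c, const char *issuer) {
    return c->native_ca ? has_ca(c->store_cas, issuer)
                        : has_ca(c->file_cas, issuer);
}

/* Restored behavior: the native store is consulted in addition to CA paths. */
bool trusted_restored(const struct trust_cfg *c, const char *issuer) {
    return has_ca(c->file_cas, issuer) ||
           (c->native_ca && has_ca(c->store_cas, issuer));
}

/* The four tested configurations from the PR description, as constructed data.
   The server certificate is issued by "selfsigned-ca" in every case. */
const struct trust_cfg SCENARIOS[4] = {
    { true, { NULL },                  { "public-root", "selfsigned-ca", NULL } },
    { true, { "public-root", NULL },   { "public-root", "selfsigned-ca", NULL } },
    { true, { "selfsigned-ca", NULL }, { "public-root", NULL } },
    { true, { "selfsigned-ca", NULL }, { "public-root", "selfsigned-ca", NULL } },
};

int main(void) {
    for (int i = 0; i < 4; i++)
        printf("test %d: regressed=%d restored=%d\n", i + 1,
               trusted_regressed(&SCENARIOS[i], "selfsigned-ca"),
               trusted_restored(&SCENARIOS[i], "selfsigned-ca"));
    return 0;
}
```

Only the third configuration separates the two behaviors. Under the restored behavior that same configuration also accepts a certificate issued by `public-root`, so setting CURLSSLOPT_NATIVE_CA widens trust beyond a CA supplied through CURLOPT_CAINFO.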