openssl: Don't ignore CA paths when using Windows CA store (redux) #10244
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Please also document this. |
jay
force-pushed
the
openssl_native_ca_restore
branch
from
7c50470
to
ae316ef
Compare
|
Shall we remove the experimental flag as part of this patch? |
.. and remove 'experimental' designation from CURLSSLOPT_NATIVE_CA. This commit restores the behavior of CURLSSLOPT_NATIVE_CA so that it does not override CURLOPT_CAINFO / CURLOPT_CAPATH, or the hardcoded default locations. Instead the CA store can be used at the same time. --- This behavior was originally added over two years ago in abbc5d6 (curl#5585) but then 83393b1 (curl#7892) broke it two months ago, I assume inadvertently. The CURLSSLOPT_NATIVE_CA feature was marked experimental and likely rarely used. Ref: curl#5585 Ref: curl#7892 Ref: https://curl.se/mail/lib-2023-01/0019.html Closes #xxxx
jay
force-pushed
the
openssl_native_ca_restore
branch
from
ae316ef
to
caaf01a
Compare
I only see an experimental marking in EXPERIMENTAL.md so I removed it from that. Let me know if that is what you meant because I can't find anything else that designates it as experimental. |
|
Thanks. I meant the wording in the documentation for this field "This option is experimental and behavior is subject to change." but I see you already fixed this! |
bch
pushed a commit
to bch/curl
that referenced
this pull request
Jul 19, 2023
.. and remove 'experimental' designation from CURLSSLOPT_NATIVE_CA. This commit restores the behavior of CURLSSLOPT_NATIVE_CA so that it does not override CURLOPT_CAINFO / CURLOPT_CAPATH, or the hardcoded default locations. Instead the native Windows CA store can be used at the same time. --- This behavior was originally added over two years ago in abbc5d6 (curl#5585) but then 83393b1 (curl#7892) broke it over a year ago, I assume inadvertently. The CURLSSLOPT_NATIVE_CA feature was marked experimental and likely rarely used. Ref: curl#5585 Ref: curl#7892 Ref: https://curl.se/mail/lib-2023-01/0019.html Closes curl#10244
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit restores the behavior of CURLSSLOPT_NATIVE_CA so that it does not override CURLOPT_CAINFO / CURLOPT_CAPATH, or the hardcoded default locations. Instead the CA store can be used at the same time.
This behavior was originally added over two years ago in abbc5d6 (#5585) but then 83393b1 (#7892) broke it
two months agoa year ago, I assume inadvertently.The CURLSSLOPT_NATIVE_CA feature is marked experimental and likely rarely used.
Ref: #5585
Ref: #7892
Ref: https://curl.se/mail/lib-2023-01/0019.html
Closes #xxxx
Tested with CURLOPT_CAINFO not set and CURLSSLOPT_NATIVE_CA set; self-signed CA in MS root store; verified successfully.
Tested with CURLOPT_CAINFO set to curl default CA bundle and CURLSSLOPT_NATIVE_CA set; self-signed CA in MS root store; verified successfully.
Tested with CURLOPT_CAINFO set to self-signed CA and CURLSSLOPT_NATIVE_CA set; same self-signed CA not in MS root store; verified successfully.
Tested with CURLOPT_CAINFO set to self-signed CA and CURLSSLOPT_NATIVE_CA set; same self-signed CA in MS root store; verified successfully.