I did run tests locally, but it seems like the test did not run locally due to stunnel not being installed on my system.
(Side note: that test also never failed on CI test builds, are tests only ran with a single backend or why was it never caught during the PR?)

I had a look into the failing test, the problem is that mbedtls_x509_crt_parse of mbedTLS requires the terminating null-byte to be part of the data, while the passed length does not include the null-byte.

buflen | The size of buf, including the terminating NULL byte in case of PEM encoded data.
(see https://tls.mbed.org/api/group__x509__module.html#ga033567483649030f7f859db4f4cb7e14)

CURLOPT_SSLCERT_BLOB support was already added before my PR, so I had a look how this discrepancy was dealt with there, but it seems like it was not handled either. No tests seem to exist for this API, so I assume the same issue happens there, but was just never detected.

There are some issues about this null-termination requirement for mbedTLS:

• Report of mbedtls_x509_crt_parse and mbedtls_pk_parse_key are broken Mbed-TLS/mbedtls#222
• PEM parsing functions expect the last byte of the buffer to be 0 Mbed-TLS/mbedtls#3896

Since CURLOPT_CAINFO_BLOB only supports PEM format certs, an easy fix would be to simply append the buffer with a null byte and increment the buffer length before calling mbedtls_x509_crt_parse.

@bagder What do you think about the proposed fix? If that seems fine then I'll work on creating PR for it.

It didn't show up in the CI builds because of the #7522, a bug in the zuul CI which hides most of its runs from github! 😢

Your proposed fix sounds perfectly fine!