curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Is CURLSSLOPT_NATIVE_CA still experimental?

From: Jeroen Ooms via curl-library <>
Date: Thu, 5 Jan 2023 16:08:46 +0100


I maintain the R bindings, which are used by a lot of Windows users
inside corporate/academic networks.

A few years ago, we switched the default-ssl-backend on Windows from
openssl to schannel. The main motivation was that many corporate
networks use custom SSL certificates which are stored in the windows
cert store. By switching to schannel, curl would be able to use these
certs and we would not have to ship a custom ca-bundle with the
bindings which always was a pain.

It has worked well, but now I am not considering switching back to
openssl and enable CURLSSLOPT_NATIVE_CA by default. The reason this
time is that users want to use nghttp2 and that openssl seems more
robust than schannel for servers that behave unexpectedly (which sadly
is common in our field).

However the documentation says CURLSSLOPT_NATIVE_CA (introduced in
7.71.0) is experimental and subject to change. Is it safe to use at
this point? I tried running our tests on a few machines (vista, win-7,
win-10, and some GHA runners) and it all seems to work. Has anyone
experienced issues with it, or is aware of edge-cases that I should be
aware of?


Received on 2023-01-05