Change #255462
| Category | None |
| Changed by | Viktor Szakats <commit@vsz.me> |
| Changed at | Sat 17 Jan 2026 19:18:52 |
| Repository | https://api.github.com/repos/curl/curl |
| Project | curl/curl |
| Branch | master |
| Revision | 1730407b74f41cfd33f189348be54d0504b7c291 |
Comments
windows: add build option to use the native CA store With the same semantics as Apple SecTrust, in both libcurl and the curl tool, when using non-Schannel TLS backends. In practice it means that it makes TLS work without manually or implicitly configuring a CA bundle `.crt` file, such as `curl-ca-bundle.crt`. To enable: - autotools: `--enable-ca-native` - cmake: `-DCURL_CA_NATIVE=ON` - CPPFLAGS: `-DCURL_CA_NATIVE` When enabled: - enables `CURLSSLOPT_NATIVE_CA` (libcurl) / `--ca-native` and `--proxy-ca-native` (curl tool) options by default. - unsafe search for an on-disk CA bundle gets disabled by default. Equivalent to `--disable-ca-search` with autotools, `-DCURL_DISABLE_CA_SEARCH=ON` with CMake. - build-time detection of CA bundle and CA path gets disabled. As with Apple SecTrust. This was already the default for Windows. - native CA can be disabled at run-time with the `--no-ca-native` and/or `--no-proxy-ca-native` command-line options. Rationale: This build option: - has a repeat and active interest from packagers and users. - helps integrating curl with Windows for those who need this. - it also applies to macOS: #17525 Shipped in curl 8.17.0. - makes it trivial to use custom certs configured on the OS. - frees applications/packagers/users from the task of securely distributing, and keeping up-to-date, a CA bundle. - frees potentially many curl tool from configuring a CA bundle manually to access HTTPS (and other TLS) URLs. This is traditionally difficult on Windows because there is no concept of a universal, protected, non-world-writable, location on the file system to securely store a CA bundle. - allows using modern features regardless of Windows version. Some of these features are not supported with Schannel (e.g. HTTP/3, ECH) on any Windows version. - is necessary for HTTP/3 builds, where bootstrapping a CA bundle is not possible with Schannel, because MultiSSL is not an option, and HTTP/3 is not supported with Schannel. Ref: #16181 (previous attempt) Ref: https://github.com/curl/curl/discussions/9348 Ref: https://github.com/curl/curl/issues/9350 Ref: https://github.com/curl/curl/pull/13111 Ref: https://github.com/microsoft/vcpkg/pull/46459#issuecomment-3162068701 Ref: 22652a5a4cb6a4cc1c0f4ff3ebc4f9768f6663cd #14582 Ref: eefd03c572996e5de4dec4fe295ad6f103e0eefc #18703 Closes #18279
Changed files
- .github/workflows/windows.yml
- CMakeLists.txt
- acinclude.m4
- configure.ac
- docs/INSTALL-CMAKE.md
- docs/libcurl/curl_version_info.md
- lib/curl_config-cmake.h.in
- lib/version.c
- lib/vtls/vtls.c