apple-sectrust: always ask when `native_ca_store` is in use

When OpenSSL fails to verify the peer certificate, we checked for
one specific reason code and did not ask Apple SecTrust for any
other failure.

Always ask Apple SecTrust after OpenSSL fails when the `native_ca_store`
is enabled. If the user configures a CAfile or CApath, the native store
is disabled, so this does not affect use cases where users asks curl
to use a specific set of trust anchors.

Do the same for GnuTLS

Fixes #19636
Reported-by: ffath-vo on github
Closes #19638

diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index dbb442f363144178785d57433f3c828f48b37886..55a75fa72150b5eb24101ef234cd3697954f463b 100644 (file)
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -1687,8 +1687,7 @@ Curl_gtls_verifyserver(struct Curl_cfilter *cf,
       infof(data, "  SSL certificate verified by GnuTLS");
 
 #ifdef USE_APPLE_SECTRUST
-    if(!verified && ssl_config->native_ca_store &&
-       (verify_status & GNUTLS_CERT_SIGNER_NOT_FOUND)) {
+    if(!verified && ssl_config->native_ca_store) {
       result = glts_apple_verify(cf, data, peer, &chain, &verified);
       if(result && (result != CURLE_PEER_FAILED_VERIFICATION))
         goto out; /* unexpected error */

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 5d35ba1a153066ab7c3afaaa2927ae32e74e3944..8991d965d9becf8478e806ccf43e3564a2a3f41d 100644 (file)
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -4829,9 +4829,7 @@ CURLcode Curl_ossl_check_peer_cert(struct Curl_cfilter *cf,
     infof(data, "SSL certificate verified via OpenSSL.");
 
 #ifdef USE_APPLE_SECTRUST
-  if(!verified &&
-     conn_config->verifypeer && ssl_config->native_ca_store &&
-     (ossl_verify == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)) {
+  if(!verified && conn_config->verifypeer && ssl_config->native_ca_store) {
     /* we verify using Apple SecTrust *unless* OpenSSL already verified.
      * This may happen if the application intercepted the OpenSSL callback
      * and installed its own. */