From: Stefan Eissing
Date: Fri, 21 Nov 2025 12:06:00 +0000 (+0100)
Subject: apple-sectrust: always ask when `native_ca_store` is in use
X-Git-Tag: rc-8_18_0-1~196
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6aa8fa3fdfdb1a0d4d022cc04e478f13e2b6b880;p=thirdparty%2Fcurl.git

apple-sectrust: always ask when `native_ca_store` is in use

When OpenSSL fails to verify the peer certificate, we checked for one specific reason code and did not ask Apple SecTrust for any other failure. Always ask Apple SecTrust after OpenSSL fails when the `native_ca_store` is enabled.

If the user configures a CAfile or CApath, the native store is disabled, so this does not affect use cases where users ask curl to use a specific set of trust anchors.

Do the same for GnuTLS.

Fixes #19636
Reported-by: ffath-vo on github
Closes #19638
---
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c index dbb442f363..55a75fa721 100644 --- a/lib/vtls/gtls.c +++ b/lib/vtls/gtls.c @@ -1687,8 +1687,7 @@ Curl_gtls_verifyserver(struct Curl_cfilter *cf, infof(data, " SSL certificate verified by GnuTLS"); #ifdef USE_APPLE_SECTRUST - if(!verified && ssl_config->native_ca_store && - (verify_status & GNUTLS_CERT_SIGNER_NOT_FOUND)) { + if(!verified && ssl_config->native_ca_store) { result = glts_apple_verify(cf, data, peer, &chain, &verified); if(result && (result != CURLE_PEER_FAILED_VERIFICATION)) goto out; /* unexpected error */ diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 5d35ba1a15..8991d965d9 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c 
@@ -4829,9 +4829,7 @@ CURLcode Curl_ossl_check_peer_cert(struct Curl_cfilter *cf, infof(data, "SSL certificate verified via OpenSSL."); #ifdef USE_APPLE_SECTRUST - if(!verified && - conn_config->verifypeer && ssl_config->native_ca_store && - (ossl_verify == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)) { + if(!verified && conn_config->verifypeer && ssl_config->native_ca_store) { /* we verify using Apple SecTrust *unless* OpenSSL already verified. * This may happen if the application intercepted the OpenSSL callback * and installed its own. */
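Review bot: In the lib/vtls/gtls.c hunk, dropping the `(verify_status & GNUTLS_CERT_SIGNER_NOT_FOUND)` test widens the fallback from "no trusted issuer found" to every GnuTLS verification failure, so `glts_apple_verify` now gets the last word on certificates GnuTLS rejected for other reasons (for example an invalid signature or an expired leaf). That is the intended behaviour per the commit message, but the hunk carries no comment explaining it, unlike the OpenSSL hunk; please add one mirroring the OpenSSL wording, and confirm that the SecTrust evaluation inside `glts_apple_verify` re-checks validity period and chain signatures itself rather than only trust-anchor membership, since the GnuTLS reason code no longer gates the call. Two smaller points: `verify_status` may now be unused in this branch, so keep it for the `infof` diagnostics or the compiler may warn about it, and the condition here lacks the `conn_config->verifypeer` guard that the OpenSSL hunk keeps, so double-check that the GnuTLS path already returns earlier when peer verification is disabled. Nit: the helper is spelled `glts_apple_verify` in the context line while everything else in the file uses the `gtls_` prefix; worth a follow-up rename.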
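Review bot: In the lib/vtls/openssl.c hunk, removing the `ossl_verify == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY` check means the reason OpenSSL rejected the chain is no longer consulted before SecTrust is asked; make sure `ossl_verify` is still logged before the fallback (an `infof` with `X509_verify_cert_error_string(ossl_verify)` at the top of this block would do) so that a failed OpenSSL verification stays visible in `--verbose` output even when SecTrust later accepts the chain, otherwise operators debugging a mis-issued or expired certificate lose the original error. The retained comment ("we verify using Apple SecTrust *unless* OpenSSL already verified") should also be extended to state that SecTrust is now consulted after any OpenSSL failure while `native_ca_store` is set, and that configuring CAfile/CApath disables this path, as the commit message says; that is the behavioural contract callers will rely on and it belongs next to the condition.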