From: Daniel McCarney Date: Thu, 27 Mar 2025 12:58:12 +0000 (-0400) Subject: docs: add rustls --ca-native & CURLSSLOPT_NATIVE_CA X-Git-Tag: curl-8_13_0~43 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8836e65967cd60c30f7b5f1d39f8019756d24e70;p=thirdparty%2Fcurl.git docs: add rustls --ca-native & CURLSSLOPT_NATIVE_CA The one important caveat is that presently _only_ the native platform verifier/CAs are consulted when this option is used w/ rustls. Closes #16848 --- diff --git a/docs/cmdline-opts/ca-native.md b/docs/cmdline-opts/ca-native.md index 1cd284902e..e81fc18f6c 100644 --- a/docs/cmdline-opts/ca-native.md +++ b/docs/cmdline-opts/ca-native.md @@ -32,6 +32,11 @@ Fedora, RHEL), macOS, Android and iOS. (Added in 8.3.0) This option works with GnuTLS. (Added in 8.5.0) +This options works with rustls on Windows, macOS, Android and iOS. On Linux it +is equivalent to using the Mozilla CA certificate bundle. When used with rustls +_only_ the native CA store is consulted, not other locations set at run time or +build time. (Added in 8.13.0) + This option currently has no effect for Schannel or Secure Transport. Those are native TLS libraries from Microsoft and Apple, respectively, that by default use the native CA store for verification unless overridden by a CA certificate diff --git a/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.md b/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.md index a9c190902f..a997a43c32 100644 --- a/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.md +++ b/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.md 
@@ -76,6 +76,11 @@ Works with wolfSSL on Windows, Linux (Debian, Ubuntu, Gentoo, Fedora, RHEL), macOS, Android and iOS (added in 8.3.0); with GnuTLS (added in 8.5.0) and with OpenSSL and its forks (LibreSSL, BoringSSL, etc) on Windows (Added in 7.71.0). +This works with rustls on Windows, macOS, Android and iOS. On Linux it is +equivalent to using the Mozilla CA certificate bundle. When used with rustls +_only_ the native CA store is consulted, not other locations set at run time or +build time. (Added in 8.13.0) + ## CURLSSLOPT_AUTO_CLIENT_CERT Tell libcurl to automatically locate and use a client certificate for
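Review bot: in the docs/cmdline-opts/ca-native.md hunk, the first added line has a typo, "This options works", which should read "This option works". The same paragraph is also ambiguous for Linux: it lists rustls support for Windows, macOS, Android and iOS, then says that on Linux the option is "equivalent to using the Mozilla CA certificate bundle", and then says "_only_ the native CA store is consulted". A reader on Linux cannot tell whether the distribution's trust store is read at all. Consider stating explicitly what is consulted on Linux, and naming the command-line options that "other locations set at run time" refers to, so users know which of their settings are not used for verification with rustls.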
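Review bot: in the docs/libcurl/opts/CURLOPT_SSL_OPTIONS.md hunk, the caveat "not other locations set at run time or build time" does not name the libcurl options it covers. For an application developer this is the security-relevant part: a CA file or directory configured by the application is not consulted once CURLSSLOPT_NATIVE_CA is set with rustls. Please name the affected options (presumably CURLOPT_CAINFO and CURLOPT_CAPATH, which is my assumption since the hunk does not say) and link to them. A smaller style point: the preceding context uses the form "Works with wolfSSL ... (added in 8.3.0); with GnuTLS ...", while the new paragraph starts "This works with rustls" and mixes in "(Added in 8.13.0)", so the wording and capitalization could be aligned with the existing sentence.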