From: Jay Satiro Date: Mon, 17 Feb 2025 21:31:48 +0000 (-0500) Subject: ca-native.md: sync with CURLSSLOPT_NATIVE_CA X-Git-Tag: curl-8_13_0~425 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2335cbaa217af072b58b87911191acac8dbc7092;p=thirdparty%2Fcurl.git ca-native.md: sync with CURLSSLOPT_NATIVE_CA - Add that the native CA store is used to verify certs in addition to the other certificate location settings. Basically clarify that --ca-native does not override --cacert etc. Prior to this change that behavior was only documented in CURLSSLOPT_NATIVE_CA which is what --ca-native maps to. Ref: https://github.com/curl/curl/pull/16181#issuecomment-2663998865 Closes https://github.com/curl/curl/pull/16373 --- diff --git a/docs/cmdline-opts/ca-native.md b/docs/cmdline-opts/ca-native.md index 3d773a8c45..1cd284902e 100644 --- a/docs/cmdline-opts/ca-native.md +++ b/docs/cmdline-opts/ca-native.md @@ -12,18 +12,27 @@ See-also: - capath - dump-ca-embed - insecure + - proxy-ca-native Example: - --ca-native $URL --- # `--ca-native` -Use the CA store from the native operating system to verify the peer. By -default, curl otherwise uses a CA store provided in a single file or -directory, but when using this option it interfaces the operating system's own -vault. +Use the operating system's native CA store for certificate verification. -This option works for curl on Windows when built to use OpenSSL, wolfSSL -(added in 8.3.0) or GnuTLS (added in 8.5.0). When curl on Windows is built to -use Schannel, this feature is implied and curl then only uses the native CA -store. +This option is independent of other CA certificate locations set at run time or +build time. Those locations are searched in addition to the native CA store. + +This option works with OpenSSL and its forks (LibreSSL, BoringSSL, etc) on +Windows. (Added in 7.71.0) + +This option works with wolfSSL on Windows, Linux (Debian, Ubuntu, Gentoo, +Fedora, RHEL), macOS, Android and iOS. (Added in 8.3.0) + +This option works with GnuTLS. (Added in 8.5.0) + +This option currently has no effect for Schannel or Secure Transport. Those are +native TLS libraries from Microsoft and Apple, respectively, that by default +use the native CA store for verification unless overridden by a CA certificate +location setting. diff --git a/docs/cmdline-opts/proxy-ca-native.md b/docs/cmdline-opts/proxy-ca-native.md index e84dbd9601..0252e993fc 100644 --- a/docs/cmdline-opts/proxy-ca-native.md +++ b/docs/cmdline-opts/proxy-ca-native.md @@ -8,6 +8,7 @@ Category: tls Added: 8.2.0 Multi: boolean See-also: + - ca-native - cacert - capath - dump-ca-embed @@ -18,11 +19,12 @@ Example: # `--proxy-ca-native` -Use the CA store from the native operating system to verify the HTTPS proxy. -By default, curl uses a CA store provided in a single file or directory, but -when using this option it interfaces the operating system's own vault. +Use the operating system's native CA store for certificate verification of the +HTTPS proxy. -This option works for curl on Windows when built to use OpenSSL, wolfSSL -(added in 8.3.0) or GnuTLS (added in 8.5.0). When curl on Windows is built to -use Schannel, this feature is implied and curl then only uses the native CA -store. +This option is independent of other HTTPS proxy CA certificate locations set at +run time or build time. Those locations are searched in addition to the native +CA store. + +Equivalent to --ca-native but used in HTTPS proxy context. Refer to --ca-native +for TLS backend limitations. diff --git a/docs/libcurl/opts/CURLOPT_PROXY_SSL_OPTIONS.md b/docs/libcurl/opts/CURLOPT_PROXY_SSL_OPTIONS.md index a96b722eb2..0a0681e21d 100644 --- a/docs/libcurl/opts/CURLOPT_PROXY_SSL_OPTIONS.md +++ b/docs/libcurl/opts/CURLOPT_PROXY_SSL_OPTIONS.md @@ -70,13 +70,13 @@ precedence. (Added in 7.70.0) ## CURLSSLOPT_NATIVE_CA Tell libcurl to use the operating system's native CA store for certificate -verification. If you set this option and also set a CA certificate file or -directory then during verification those certificates are searched in addition -to the native CA store. +verification. This option is independent of other CA certificate locations set +at run time or build time. Those locations are searched in addition to the +native CA store. Works with wolfSSL on Windows, Linux (Debian, Ubuntu, Gentoo, Fedora, RHEL), -macOS, Android and iOS (added in 8.3.0), with GnuTLS (added in 8.5.0) or on -Windows when built to use OpenSSL (Added in 7.71.0). +macOS, Android and iOS (added in 8.3.0); with GnuTLS (added in 8.5.0) and with +OpenSSL and its forks (LibreSSL, BoringSSL, etc) on Windows (Added in 7.71.0). ## CURLSSLOPT_AUTO_CLIENT_CERT diff --git a/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.md b/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.md index 014c2c2c26..c0d309e20b 100644 --- a/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.md +++ b/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.md @@ -68,13 +68,13 @@ precedence. (Added in 7.70.0) ## CURLSSLOPT_NATIVE_CA Tell libcurl to use the operating system's native CA store for certificate -verification. If you set this option and also set a CA certificate file or -directory then during verification those certificates are searched in addition -to the native CA store. +verification. This option is independent of other CA certificate locations set +at run time or build time. Those locations are searched in addition to the +native CA store. Works with wolfSSL on Windows, Linux (Debian, Ubuntu, Gentoo, Fedora, RHEL), -macOS, Android and iOS (added in 8.3.0), with GnuTLS (added in 8.5.0) or on -Windows when built to use OpenSSL (Added in 7.71.0). +macOS, Android and iOS (added in 8.3.0); with GnuTLS (added in 8.5.0) and with +OpenSSL and its forks (LibreSSL, BoringSSL, etc) on Windows (Added in 7.71.0). ## CURLSSLOPT_AUTO_CLIENT_CERT