On Tue, 17 Oct 2023, Jeroen Ooms wrote:

> To me the situation seems a bit less edge-case than you portray it; on a lot of systems there may not be a CA pem bundle, hence using the system certs seems like a sensible default to build a portable (lib)curl. But I see the backward-compatibility issue, so we can just patch this in our build, no problem at all.

Switching between a CA cert bundle and the system CA store is something that shouldn't be treated or done lightly.

HTTPS and TLS are based on trust. The bundle lists the CAs you trust. If you use curl with a CA bundle, that bundle contains the CAs you trust. To some level and extent. Sure, most people won't care or know or meddle with that, but some will. That's what the CA bundle allows.

Changing this trust source from the bundle to the system CA store without the user's consent is dangerous and will likely in some cases suddenly make transfers go through that otherwise would be rejected. Or vice versa. Contrary to what the user wants.

--

 / daniel.haxx.se
 | Commercial curl support up to 24x7 is available!
 | Private help, bug fixes, support, ports, new features
 | https://curl.se/support.html
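
An added example, not part of the original message and not curl code: one way to audit what a switch of trust source would change is to diff the trust anchors in a PEM CA bundle against those in the system store. The function names are hypothetical, and the sample "certificates" are constructed stand-in byte strings rather than real X.509 data, so the block runs offline.

```python
import hashlib
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def bundle_anchors(pem_text):
    """SHA-256 fingerprints of every certificate block in a PEM CA bundle."""
    return {hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            for block in PEM_RE.findall(pem_text)}

def system_anchors():
    """Fingerprints of the CAs that Python's default context loads from
    the platform store (for use on a real host; not used by the sample)."""
    ctx = ssl.create_default_context()
    return {hashlib.sha256(der).hexdigest()
            for der in ctx.get_ca_certs(binary_form=True)}

def trust_delta(bundle, system):
    """What moving from the bundle to the system store would change."""
    return {
        # Servers chaining to these CAs would start to verify.
        "newly_trusted": sorted(system - bundle),
        # Servers chaining to these CAs would start to be rejected.
        "no_longer_trusted": sorted(bundle - system),
    }

def make_pem(*ders):
    """Wrap raw byte strings in PEM armour (constructed sample data only)."""
    return "".join(ssl.DER_cert_to_PEM_cert(d) for d in ders)

# Constructed stand-ins: the bundle trusts A and B, the "system" B and C.
SAMPLE_BUNDLE = make_pem(b"constructed CA A", b"constructed CA B")
SAMPLE_SYSTEM = make_pem(b"constructed CA B", b"constructed CA C")

def sample_delta():
    return trust_delta(bundle_anchors(SAMPLE_BUNDLE),
                       bundle_anchors(SAMPLE_SYSTEM))

if __name__ == "__main__":
    for change, prints in sample_delta().items():
        print(change, prints)
```

On a real host, compare `bundle_anchors(open(path).read())` for the bundle file in use against `system_anchors()`; a non-empty `newly_trusted` list is the set of CAs that would be accepted only after the switch.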