ext/curl: Use default native CA

Ayesh · Ayesh · commit c94641b894f9 · 2024-03-12T22:46:03.000+07:00
diff --git a/ext/curl/interface.c b/ext/curl/interface.c
@@ -1199,6 +1199,15 @@ static void _php_curl_set_default_options(php_curl *ch)
 	if (cainfo && cainfo[0] != '\0') {
 		curl_easy_setopt(ch->cp, CURLOPT_CAINFO, cainfo);
 	}
+#if LIBCURL_VERSION_NUM >= 0x075400 /* Available since 7.71.0 */
+	/* Curl supports falling back to the native/OS root certificates
+	 * if cainfo is not provided. When the php.ini cainfo is empty,
+	 * setting CURLSSLOPT_NATIVE_CA enables this behavior.
+	 */
+	else {
+		curl_easy_setopt(ch->cp, CURLOPT_SSL_OPTIONS, CURLSSLOPT_NATIVE_CA);
+	}
+#endif
 
 #ifdef ZTS
 	curl_easy_setopt(ch->cp, CURLOPT_NOSIGNAL, 1);
diff --git a/ext/curl/tests/curl_native_ca.phpt b/ext/curl/tests/curl_native_ca.phpt
@@ -0,0 +1,35 @@
+--TEST--
+Curl defaulting to default CA root store, especially in Windows
+--EXTENSIONS--
+curl
+--DESCRIPTION--
+On Windows, there is no fallback root CA store, so all HTTPS requests that require validation (default)
+fail by default. Curl >= 7.71.0 has a CURLOPT_SSL_OPTIONS = CURLSSLOPT_NATIVE_CA option that falls back
+to Windows root CA store.
+--SKIPIF--
+<?php
+if (getenv("SKIP_ONLINE_TESTS")) die("skip online test");
+$curl_version = curl_version();
+if ($curl_version['version_number'] < 0x074700) {
+    die("skip: test works only with curl >= 7.71.0");
+}
+?>
+--INI--
+
+--FILE--
+<?php
+    $ch = curl_init('https://sha256.badssl.com/');
+    $cert = curl_getinfo($ch, CURLINFO_CAINFO);
+    var_dump($cert);
+    curl_setopt_array($ch, [
+        CURLOPT_RETURNTRANSFER => true,
+        CURLOPT_SSL_VERIFYHOST => 2,
+        CURLOPT_SSL_VERIFYPEER => 1,
+    ]);
+
+    curl_exec($ch);
+    var_dump(curl_getinfo($ch, CURLINFO_SSL_VERIFYRESULT));
+
+?>
+--EXPECT--
+int(0)
