apple-sectrust: always ask when `native_ca_store` is in use
When OpenSSL fails to verify the peer certificate, we checked for
one specific reason code and did not ask Apple SecTrust for any
other failure.
Always ask Apple SecTrust after OpenSSL fails when the `native_ca_store`
is enabled. If the user configures a CAfile or CApath, the native store
is disabled, so this does not affect use cases where users asks curl
to use a specific set of trust anchors.
Do the same for GnuTLS
Fixes #19636
Reported-by: ffath-vo on github
Closes #19638
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index dbb442f..55a75fa 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -1687,8 +1687,7 @@
infof(data, " SSL certificate verified by GnuTLS");
#ifdef USE_APPLE_SECTRUST
- if(!verified && ssl_config->native_ca_store &&
- (verify_status & GNUTLS_CERT_SIGNER_NOT_FOUND)) {
+ if(!verified && ssl_config->native_ca_store) {
result = glts_apple_verify(cf, data, peer, &chain, &verified);
if(result && (result != CURLE_PEER_FAILED_VERIFICATION))
goto out; /* unexpected error */
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 5d35ba1..8991d96 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -4829,9 +4829,7 @@
infof(data, "SSL certificate verified via OpenSSL.");
#ifdef USE_APPLE_SECTRUST
- if(!verified &&
- conn_config->verifypeer && ssl_config->native_ca_store &&
- (ossl_verify == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)) {
+ if(!verified && conn_config->verifypeer && ssl_config->native_ca_store) {
/* we verify using Apple SecTrust *unless* OpenSSL already verified.
* This may happen if the application intercepted the OpenSSL callback
* and installed its own. */
