From c94641b894f920e78a7f8d03c7a2d21972888005 Mon Sep 17 00:00:00 2001 From: Ayesh Karunaratne Date: Tue, 12 Mar 2024 22:38:21 +0700 Subject: [PATCH 1/2] ext/curl: Use default native CA --- ext/curl/interface.c | 9 ++++++++ ext/curl/tests/curl_native_ca.phpt | 35 ++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+) create mode 100644 ext/curl/tests/curl_native_ca.phpt diff --git a/ext/curl/interface.c b/ext/curl/interface.c index 60481947ddde..66028aaf8284 100644 --- a/ext/curl/interface.c +++ b/ext/curl/interface.c @@ -1199,6 +1199,15 @@ static void _php_curl_set_default_options(php_curl *ch) if (cainfo && cainfo[0] != '\0') { curl_easy_setopt(ch->cp, CURLOPT_CAINFO, cainfo); } +#if LIBCURL_VERSION_NUM >= 0x075400 /* Available since 7.71.0 */ + /* Curl supports falling back to the native/OS root certificates + * if cainfo is not provided. When the php.ini cainfo is empty, + * setting CURLSSLOPT_NATIVE_CA enables this behavior. + */ + else { + curl_easy_setopt(ch->cp, CURLOPT_SSL_OPTIONS, CURLSSLOPT_NATIVE_CA); + } +#endif #ifdef ZTS curl_easy_setopt(ch->cp, CURLOPT_NOSIGNAL, 1); diff --git a/ext/curl/tests/curl_native_ca.phpt b/ext/curl/tests/curl_native_ca.phpt new file mode 100644 index 000000000000..a05168d12f75 --- /dev/null +++ b/ext/curl/tests/curl_native_ca.phpt @@ -0,0 +1,35 @@ +--TEST-- +Curl defaulting to default CA root store, especially in Windows +--EXTENSIONS-- +curl +--DESCRIPTION-- +On Windows, there is no fallback root CA store, so all HTTPS requests that require validation (default) +fail by default. Curl >= 7.71.0 has a CURLOPT_SSL_OPTIONS = CURLSSLOPT_NATIVE_CA option that falls back +to Windows root CA store. +--SKIPIF-- += 7.71.0"); +} +?> +--INI-- + +--FILE-- + true, + CURLOPT_SSL_VERIFYHOST => 2, + CURLOPT_SSL_VERIFYPEER => 1, + ]); + + curl_exec($ch); + var_dump(curl_getinfo($ch, CURLINFO_SSL_VERIFYRESULT)); + +?> +--EXPECT-- +int(0) From 781d8d5c22736c63f29e385732432d416f33d43d Mon Sep 17 00:00:00 2001 
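Review bot: The version guard on the new `#if` does not match its own comment: `0x075400` is libcurl 7.84.0, while `CURLSSLOPT_NATIVE_CA` dates from 7.71.0 (`0x074700`, the value the accompanying test's SKIPIF uses), so builds against 7.71–7.83 compile without the fallback while the test still runs on them. Change the guard to `#if LIBCURL_VERSION_NUM >= 0x074700 /* CURLSSLOPT_NATIVE_CA since 7.71.0 */`. Two caveats belong in the comment: `CURLOPT_SSL_OPTIONS` is a single bitmask, so a later user `curl_setopt($ch, CURLOPT_SSL_OPTIONS, ...)` replaces this default and silently drops `CURLSSLOPT_NATIVE_CA` unless the setopt path ORs it back in (that path is outside this hunk), and which TLS backends honour the flag depends on the libcurl build (it was introduced for OpenSSL on Windows), so on other backends the option is accepted but verification with no CA configured may still fail — the existing `curl.cainfo` guidance should stay. `_php_curl_set_default_options` begins outside the hunk.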
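Review bot: The test's only assertion is `CURLINFO_SSL_VERIFYRESULT`, which is `0` both when verification succeeded and when the transfer never reached certificate verification (DNS failure, connection refused, or a TLS backend that does not populate it), so a broken fallback can still print `int(0)`; add `var_dump(curl_errno($ch));` after `curl_exec($ch)` and expect `int(0)` for it too. The request is a live HTTPS transfer, so SKIPIF needs the usual online gate `if (getenv('SKIP_ONLINE_TESTS')) die('skip online test');` (the SKIPIF body is partly lost in this rendering, so it may already be present). Because the change only matters where libcurl has no built-in CA bundle, a build with a compiled-in default CA path passes this test with or without the interface.c change; either gate it on `PHP_OS_FAMILY === 'Windows'` or state in `--DESCRIPTION--` that it is only a smoke test elsewhere. The `--INI--` body is not visible here; it should pin `curl.cainfo=` so the empty-cainfo branch is exercised rather than whatever the build's php.ini sets.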
From: Ayesh Karunaratne Date: Tue, 12 Mar 2024 23:25:17 +0700 Subject: [PATCH 2/2] ft --- ext/curl/tests/curl_native_ca.phpt | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/ext/curl/tests/curl_native_ca.phpt b/ext/curl/tests/curl_native_ca.phpt index a05168d12f75..6bb62d1d2862 100644 --- a/ext/curl/tests/curl_native_ca.phpt +++ b/ext/curl/tests/curl_native_ca.phpt @@ -8,28 +8,36 @@ fail by default. Curl >= 7.71.0 has a CURLOPT_SSL_OPTIONS = CURLSSLOPT_NATIVE_CA to Windows root CA store. --SKIPIF-- = 7.71.0"); + +// if (getenv("SKIP_ONLINE_TESTS")) die("skip online test"); + +if (curl_version()['version_number'] < 0x074700) { +// die("skip: test works only with curl >= 7.71.0"); } -?> ---INI-- +?> --FILE-- true, CURLOPT_SSL_VERIFYHOST => 2, CURLOPT_SSL_VERIFYPEER => 1, ]); + var_dump(__LINE__); curl_exec($ch); + var_dump(__LINE__); var_dump(curl_getinfo($ch, CURLINFO_SSL_VERIFYRESULT)); - + var_dump(__LINE__); + var_dump(ini_get('curl.cainfo')); + var_dump(__LINE__); + var_dump(curl_version()); ?> --EXPECT-- int(0) +dsdsad
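Review bot: This revision leaves debugging scaffolding in the test: the `var_dump(__LINE__)` calls, `var_dump(curl_version())` (whose output differs per build and can never match a fixed `--EXPECT--`) and the literal `dsdsad` appended to the expected output make the test fail unconditionally. Both SKIPIF gates are now commented out, so the test runs offline and on libcurl older than 7.71.0, where the interface.c change does not set `CURLSSLOPT_NATIVE_CA`; restore them as `if (getenv('SKIP_ONLINE_TESTS')) die('skip online test');` and `if (curl_version()['version_number'] < 0x074700) die('skip requires libcurl >= 7.71.0');`. The `--INI--` section is removed as well, so `curl.cainfo` now comes from the build's php.ini and the empty-cainfo path may not be exercised (its contents were not visible in the first patch either). Together with the subject `ft`, this reads as a work-in-progress commit that should be squashed into or dropped from the series before merging.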