author | Maxim Cournoyer <maxim.cournoyer@gmail.com> | 2022-09-13 21:03:45 (GMT) |
---|---|---|
committer | Brad King <brad.king@kitware.com> | 2022-09-16 13:40:28 (GMT) |
commit | 10bf34a2d97c600c3d806309c79137afba113cf9 (patch) | |
tree | a0ca663dec040d04ec00edd50d6eaab1dd81c79c | |
parent | 355b12af792441cc3f9a561733b1cacc789f9719 (diff) | |
cmCurl: Honor OpenSSL certificate environment variables
Honor the OpenSSL environment variables used to specify the location of
the TLS certificates, as specified in the `curl(1)` man page.
Co-authored-by: Ludovic Courtès <ludo@gnu.org>
-rw-r--r-- | Help/envvar/SSL_CERT_DIR.rst | 9 | ||||
-rw-r--r-- | Help/envvar/SSL_CERT_FILE.rst | 9 | ||||
-rw-r--r-- | Help/manual/cmake-env-variables.7.rst | 2 | ||||
-rw-r--r-- | Help/release/dev/env-tls-certs.rst | 6 | ||||
-rw-r--r-- | Source/cmCurl.cxx | 11 |
5 files changed, 37 insertions, 0 deletions
diff --git a/Help/envvar/SSL_CERT_DIR.rst b/Help/envvar/SSL_CERT_DIR.rst
new file mode 100644
index 0000000..1e678e4
--- /dev/null
+++ b/Help/envvar/SSL_CERT_DIR.rst
@@ -0,0 +1,9 @@
+SSL_CERT_DIR
+------------
+
+.. versionadded:: 3.25
+
+.. include:: ENV_VAR.txt
+
+Specify default directory containing CA certificates. It overrides
+the default CA directory used.
diff --git a/Help/envvar/SSL_CERT_FILE.rst b/Help/envvar/SSL_CERT_FILE.rst
new file mode 100644
index 0000000..23216c0
--- /dev/null
+++ b/Help/envvar/SSL_CERT_FILE.rst
@@ -0,0 +1,9 @@
+SSL_CERT_FILE
+-------------
+
+.. versionadded:: 3.25
+
+.. include:: ENV_VAR.txt
+
+Specify the file name containing CA certificates. It overrides the
+default, os-specific CA file used.
diff --git a/Help/manual/cmake-env-variables.7.rst b/Help/manual/cmake-env-variables.7.rst
index 737b22c..50fcf75 100644
--- a/Help/manual/cmake-env-variables.7.rst
+++ b/Help/manual/cmake-env-variables.7.rst
@@ -21,6 +21,8 @@ Environment Variables that Change Behavior
 :maxdepth: 1
 
 /envvar/CMAKE_PREFIX_PATH
+ /envvar/SSL_CERT_DIR
+ /envvar/SSL_CERT_FILE
 
 Environment Variables that Control the Build
 ============================================
diff --git a/Help/release/dev/env-tls-certs.rst b/Help/release/dev/env-tls-certs.rst
new file mode 100644
index 0000000..4afadb4
--- /dev/null
+++ b/Help/release/dev/env-tls-certs.rst
@@ -0,0 +1,6 @@
+env-tls-certs
+-------------
+
+* The :envvar:`SSL_CERT_FILE` and :envvar:`SSL_CERT_DIR` environment
+ variables are now used to find certificate authorities for TLS/SSL
+ operations.
diff --git a/Source/cmCurl.cxx b/Source/cmCurl.cxx
index 28ee24d..fd6aee1 100644
--- a/Source/cmCurl.cxx
+++ b/Source/cmCurl.cxx
@@ -34,10 +34,21 @@
 std::string cmCurlSetCAInfo(::CURL* curl, const std::string& cafile)
 {
 std::string e;
+ std::string env_ca;
 if (!cafile.empty()) {
 ::CURLcode res = ::curl_easy_setopt(curl, CURLOPT_CAINFO, cafile.c_str());
 check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
 }
+ /* Honor the user-configurable OpenSSL environment variables. */
+ else if (cmSystemTools::GetEnv("SSL_CERT_FILE", env_ca) &&
+ cmSystemTools::FileExists(env_ca, true)) {
+ ::CURLcode res = ::curl_easy_setopt(curl, CURLOPT_CAINFO, env_ca.c_str());
+ check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
+ } else if (cmSystemTools::GetEnv("SSL_CERT_DIR", env_ca) &&
+ cmSystemTools::FileIsDirectory(env_ca)) {
+ ::CURLcode res = ::curl_easy_setopt(curl, CURLOPT_CAPATH, env_ca.c_str());
+ check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
+ }
 #ifdef CMAKE_FIND_CAFILE
 # define CMAKE_CAFILE_FEDORA "/etc/pki/tls/certs/ca-bundle.crt"
 else if (cmSystemTools::FileExists(CMAKE_CAFILE_FEDORA, true)) { |
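Review bot: A set-but-unusable `SSL_CERT_FILE` (or `SSL_CERT_DIR`) is skipped silently by the new `else if` chain, so a user who pointed CMake at a private CA bundle and mistyped the path ends up trusting whatever later branch matches, such as the `CMAKE_FIND_CAFILE` bundle paths, with no diagnostic. I would say so in the comment, e.g. `/* Honor the OpenSSL environment variables: explicit cafile first, then SSL_CERT_FILE, then SSL_CERT_DIR; a path that does not exist is skipped. */`, and consider warning when the variable is set but rejected. The `SSL_CERT_DIR` branch also reuses the CAINFO message although it sets `CURLOPT_CAPATH`; it should read `check_curl_result(res, "Unable to set TLS/SSL Verify CAPATH: ");`. Because the branches are exclusive, `SSL_CERT_DIR` is ignored whenever `SSL_CERT_FILE` is usable, which the new help pages do not mention. The function body continues past the end of the hunk.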