Curl 8.2.0 supports --ca-native and --proxy-ca-native with OpenSSL 3.2 Windows (github.com/curl)
2 points by westurner on Dec 5, 2023 | 4 comments


From "curl: add --ca-native and --proxy-ca-native" https://github.com/curl/curl/pull/11049#issuecomment-1528118... :

> It looks like according to their CHANGES for OpenSSL 3.1 they've added SSL_CERT_URI and for OpenSSL 3.2 they've added SSL_CERT_PATH and are going to deprecate SSL_CERT_DIR (which could do both but had some parsing problem, still I don't get why they would deprecate it for paths). [...]

> curl reads SSL_CERT_DIR (note it's ignored for [Schannel,]) and sets that as the path. I don't know if OpenSSL is now reading the environment itself but the URI is org.openssl.winstore:// not capieng. If you have a master build then try SSL_CERT_URI=org.openssl.winstore:// curl ... and if that doesn't work try curl --capath "org.openssl.winstore://" ...


"OpenSSL Announces Final Release of OpenSSL 3.2.0" https://news.ycombinator.com/item?id=38392887 https://github.com/openssl/openssl/blob/openssl-3.2.0/NEWS.m... :

> Support for using the Windows system certificate store as a source of trusted root certificates

> This is not yet enabled by default and must be activated using an environment variable. This is likely to become enabled by default in a future feature release

openssl/openssl > "Add support for Windows CA certificate store" https://github.com/openssl/openssl/pull/18070/files


How should OS System Cert Store(s) be supported on Linux platforms with OpenSSL and e.g. Curl?

PEP-0543 had TLSConfiguration(..., trust_store=DEFAULT:TrustStore) https://peps.python.org/pep-0543/

class TrustStore() https://peps.python.org/pep-0543/#trust-store

And a CipherSuite() class with params and a heading for each of a number of cipher suites; OpenSSL (*), SecureTransport (MacOS,), SChannel (Windows), NSS (Firefox,); tlsdb https://peps.python.org/pep-0543/#cipher-suites




