
cmCurl: Honor OpenSSL certificate environment variables

Honor the OpenSSL environment variables used to specify the location of
the TLS certificates, as specified in the `curl(1)` man page.

Co-authored-by: Ludovic Courtès <[email protected]>
Maxim Cournoyer 3 years ago
parent
commit
10bf34a2d9

+ 9 - 0
Help/envvar/SSL_CERT_DIR.rst

@@ -0,0 +1,9 @@
+SSL_CERT_DIR
+------------
+
+.. versionadded:: 3.25
+
+.. include:: ENV_VAR.txt
+
+Specify default directory containing CA certificates.  It overrides
+the default CA directory used.
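Review bot: The sentence "It overrides the default CA directory used" promises more than the Source/cmCurl.cxx change in this commit delivers. There, SSL_CERT_DIR sits last in the new else-if chain, so it is applied only when no cafile argument was passed, SSL_CERT_FILE is unset or does not name an existing file, and the value passes cmSystemTools::FileIsDirectory. Suggest stating that precedence here, and that a value which is not a directory is ignored, so a user does not assume their CA directory is in effect when it is not.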

+ 9 - 0
Help/envvar/SSL_CERT_FILE.rst

@@ -0,0 +1,9 @@
+SSL_CERT_FILE
+-------------
+
+.. versionadded:: 3.25
+
+.. include:: ENV_VAR.txt
+
+Specify the file name containing CA certificates.  It overrides the
+default, os-specific CA file used.
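Review bot: The description does not say when the variable is not honored, which matters for anyone relying on it to pin a trust store. Per the cmCurl.cxx change in this commit, a non-empty cafile argument takes precedence, and a value that fails cmSystemTools::FileExists is skipped with no message. Suggest documenting both cases, and writing "OS-specific" rather than "os-specific" on the last line.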

+ 2 - 0
Help/manual/cmake-env-variables.7.rst

@@ -21,6 +21,8 @@ Environment Variables that Change Behavior
    :maxdepth: 1
 
    /envvar/CMAKE_PREFIX_PATH
+   /envvar/SSL_CERT_DIR
+   /envvar/SSL_CERT_FILE
 
 Environment Variables that Control the Build
 ============================================

+ 6 - 0
Help/release/dev/env-tls-certs.rst

@@ -0,0 +1,6 @@
+env-tls-certs
+-------------
+
+* The :envvar:`SSL_CERT_FILE` and :envvar:`SSL_CERT_DIR` environment
+  variables are now used to find certificate authorities for TLS/SSL
+  operations.

+ 11 - 0
Source/cmCurl.cxx

@@ -34,10 +34,21 @@
 std::string cmCurlSetCAInfo(::CURL* curl, const std::string& cafile)
 {
   std::string e;
+  std::string env_ca;
   if (!cafile.empty()) {
     ::CURLcode res = ::curl_easy_setopt(curl, CURLOPT_CAINFO, cafile.c_str());
     check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
   }
+  /* Honor the user-configurable OpenSSL environment variables. */
+  else if (cmSystemTools::GetEnv("SSL_CERT_FILE", env_ca) &&
+           cmSystemTools::FileExists(env_ca, true)) {
+    ::CURLcode res = ::curl_easy_setopt(curl, CURLOPT_CAINFO, env_ca.c_str());
+    check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
+  } else if (cmSystemTools::GetEnv("SSL_CERT_DIR", env_ca) &&
+             cmSystemTools::FileIsDirectory(env_ca)) {
+    ::CURLcode res = ::curl_easy_setopt(curl, CURLOPT_CAPATH, env_ca.c_str());
+    check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
+  }
 #ifdef CMAKE_FIND_CAFILE
 #  define CMAKE_CAFILE_FEDORA "/etc/pki/tls/certs/ca-bundle.crt"
   else if (cmSystemTools::FileExists(CMAKE_CAFILE_FEDORA, true)) {
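Review bot: The SSL_CERT_DIR branch sets CURLOPT_CAPATH but reports failure with the copied string "Unable to set TLS/SSL Verify CAINFO: ", which would point a user at the wrong option; it should name CAPATH. Two further points on the same chain: a set but nonexistent SSL_CERT_FILE (or a non-directory SSL_CERT_DIR) fails the FileExists/FileIsDirectory test and falls through silently to the next branch, including the CMAKE_FIND_CAFILE defaults below, so a mistyped path changes which CA store is trusted without any diagnostic; consider warning when the variable is set but unusable. Also, because the branches are else-if, SSL_CERT_DIR is never applied when SSL_CERT_FILE is valid; if that is intended it deserves a line in the comment, otherwise both options could be set. Finally, the block comment between the closing brace and "else if" reads awkwardly and would sit better inside the branch.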