From 52c1dbc1aad67d410145f32031bb95d9433898a5 Mon Sep 17 00:00:00 2001
From: Ayesh Karunaratne <ayesh@aye.sh>
Date: Tue, 12 Mar 2024 22:38:21 +0700
Subject: [PATCH 1/3] ext/curl: Use default native CA

---
 ext/curl/tests/curl_native_ca.phpt | 35 ++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 ext/curl/tests/curl_native_ca.phpt

diff --git a/ext/curl/tests/curl_native_ca.phpt b/ext/curl/tests/curl_native_ca.phpt
new file mode 100644
index 0000000000000..a05168d12f752
--- /dev/null
+++ b/ext/curl/tests/curl_native_ca.phpt
@@ -0,0 +1,35 @@
+--TEST--
+Curl defaulting to default CA root store, especially in Windows
+--EXTENSIONS--
+curl
+--DESCRIPTION--
+On Windows, there is no fallback root CA store, so all HTTPS requests that require validation (default)
+fail by default. Curl >= 7.71.0 has a CURLOPT_SSL_OPTIONS = CURLSSLOPT_NATIVE_CA option that falls back
+to Windows root CA store.
+--SKIPIF--
+<?php
+if (getenv("SKIP_ONLINE_TESTS")) die("skip online test");
+$curl_version = curl_version();
+if ($curl_version['version_number'] < 0x074700) {
+    die("skip: test works only with curl >= 7.71.0");
+}
+?>
+--INI--
+
+--FILE--
+<?php
+    $ch = curl_init('https://sha256.badssl.com/');
+    $cert = curl_getinfo($ch, CURLINFO_CAINFO);
+    var_dump($cert);
+    curl_setopt_array($ch, [
+        CURLOPT_RETURNTRANSFER => true,
+        CURLOPT_SSL_VERIFYHOST => 2,
+        CURLOPT_SSL_VERIFYPEER => 1,
+    ]);
+
+    curl_exec($ch);
+    var_dump(curl_getinfo($ch, CURLINFO_SSL_VERIFYRESULT));
+
+?>
+--EXPECT--
+int(0)

From 46939bbf8d4ae16b87b1ae9b6d36daa57c1a521a Mon Sep 17 00:00:00 2001
From: Ayesh Karunaratne <ayesh@aye.sh>
Date: Tue, 12 Mar 2024 23:25:17 +0700
Subject: [PATCH 2/3] ft

---
 ext/curl/tests/curl_native_ca.phpt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ext/curl/tests/curl_native_ca.phpt b/ext/curl/tests/curl_native_ca.phpt
index a05168d12f752..084eaa0793c18 100644
--- a/ext/curl/tests/curl_native_ca.phpt
+++ b/ext/curl/tests/curl_native_ca.phpt
@@ -29,7 +29,8 @@ if ($curl_version['version_number'] < 0x074700) {
 
     curl_exec($ch);
     var_dump(curl_getinfo($ch, CURLINFO_SSL_VERIFYRESULT));
-
+    var_dump(ini_get('curl.cainfo'));
 ?>
 --EXPECT--
 int(0)
+dsdsad

From d24524b4cb652978d5562e36550e3a88cb412ee6 Mon Sep 17 00:00:00 2001
From: Ayesh Karunaratne <ayesh@aye.sh>
Date: Tue, 12 Mar 2024 23:43:39 +0700
Subject: [PATCH 3/3] t

---
 ext/curl/tests/curl_native_ca.phpt | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/ext/curl/tests/curl_native_ca.phpt b/ext/curl/tests/curl_native_ca.phpt
index 084eaa0793c18..6bb62d1d2862b 100644
--- a/ext/curl/tests/curl_native_ca.phpt
+++ b/ext/curl/tests/curl_native_ca.phpt
@@ -8,28 +8,35 @@ fail by default. Curl >= 7.71.0 has a CURLOPT_SSL_OPTIONS = CURLSSLOPT_NATIVE_CA
 to Windows root CA store.
 --SKIPIF--
 <?php
-if (getenv("SKIP_ONLINE_TESTS")) die("skip online test");
-$curl_version = curl_version();
-if ($curl_version['version_number'] < 0x074700) {
-    die("skip: test works only with curl >= 7.71.0");
+
+// if (getenv("SKIP_ONLINE_TESTS")) die("skip online test");
+
+if (curl_version()['version_number'] < 0x074700) {
+//    die("skip: test works only with curl >= 7.71.0");
 }
-?>
---INI--
 
+?>
 --FILE--
 <?php
     $ch = curl_init('https://sha256.badssl.com/');
+    var_dump(__LINE__);
     $cert = curl_getinfo($ch, CURLINFO_CAINFO);
     var_dump($cert);
+    var_dump(__LINE__);
     curl_setopt_array($ch, [
         CURLOPT_RETURNTRANSFER => true,
         CURLOPT_SSL_VERIFYHOST => 2,
         CURLOPT_SSL_VERIFYPEER => 1,
     ]);
 
+    var_dump(__LINE__);
     curl_exec($ch);
+    var_dump(__LINE__);
     var_dump(curl_getinfo($ch, CURLINFO_SSL_VERIFYRESULT));
+    var_dump(__LINE__);
     var_dump(ini_get('curl.cainfo'));
+    var_dump(__LINE__);
+    var_dump(curl_version());
 ?>
 --EXPECT--
 int(0)