From fc5aed60354222bba349cce7e1b723e9e4da5ceb Mon Sep 17 00:00:00 2001
From: Brad King <brad.king@kitware.com>
Date: Sun, 9 Nov 2025 08:50:16 -0500
Subject: [PATCH] curl: Restore support for custom CApath without a default

Backport upstream curl commit `f55974c139` (vtls: fix CURLOPT_CAPATH
use, 2025-11-08).  It revises commit `eefd03c572` (ssl: support Apple
SecTrust configurations, 2025-09-24, `curl-8_17_0~443`) to accept
`CURLOPT_CAPATH` when there is no default `CURL_CA_PATH`.

CURL-Issue: https://github.com/curl/curl/issues/19401
CURL-PR: https://github.com/curl/curl/pull/19408
---
 Utilities/cmcurl/lib/vtls/vtls.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Utilities/cmcurl/lib/vtls/vtls.c b/Utilities/cmcurl/lib/vtls/vtls.c
index df0449cbee..a6deb6e36d 100644
--- a/Utilities/cmcurl/lib/vtls/vtls.c
+++ b/Utilities/cmcurl/lib/vtls/vtls.c
@@ -310,7 +310,6 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
       if(result)
         return result;
     }
-    sslc->primary.CApath = data->set.str[STRING_SSL_CAPATH];
 #endif
 #ifdef CURL_CA_BUNDLE
     if(!sslc->custom_cafile && !set->str[STRING_SSL_CAFILE]) {
@@ -322,6 +321,7 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
   }
   sslc->primary.CAfile = data->set.str[STRING_SSL_CAFILE];
   sslc->primary.CRLfile = data->set.str[STRING_SSL_CRLFILE];
+  sslc->primary.CApath = data->set.str[STRING_SSL_CAPATH];
   sslc->primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
   sslc->primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
   sslc->primary.cipher_list = data->set.str[STRING_SSL_CIPHER_LIST];
@@ -358,7 +358,6 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
       if(result)
         return result;
     }
-    sslc->primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
 #endif
 #ifdef CURL_CA_BUNDLE
     if(!sslc->custom_cafile && !set->str[STRING_SSL_CAFILE_PROXY]) {
@@ -370,6 +369,7 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
 #endif
   }
   sslc->primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY];
+  sslc->primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
   sslc->primary.cipher_list = data->set.str[STRING_SSL_CIPHER_LIST_PROXY];
   sslc->primary.cipher_list13 = data->set.str[STRING_SSL_CIPHER13_LIST_PROXY];
   sslc->primary.pinned_key = data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY];