Add additional stub functions for newer curl builds

[brian-pane]

No description provided.

[brian-pane]

This is a work in progress; I'm posting it now to get some feedback on whether my approach makes sense.

While testing on Ubuntu-25.10 for aarch64, I found that the included curl build (8.14.1) depended on some symbols not yet implemented in rustls-openssl-compat. This PR tries to add stubs for them.

With this patch, curl is able to load the libssl.so, but SSL_connect fails when trying to verify the server's cert because "X509_STORE has no cached certificates." I need to debug that part further.

[djc]

Thanks for working on this!

With this patch, curl is able to load the libssl.so, but SSL_connect fails when trying to verify the server's cert because "X509_STORE has no cached certificates." I need to debug that part further.

Going to keep this PR as draft while this is in progress.

[brian-pane]

Here's what I've found by tracing through the curl and OpenSSL code:

1. Curl calls SSL_CTX_get_cert_store (provided by rustls-openssl-compat) to get the initialized X509_STORE.

2. Depending on compilation options, curl then calls X509_STORE_load_file(store, ssl_cafile) or X509_STORE_load_locations(store, ssl_cafile, ssl_capath). Either way, we end up in the libcrypto functionX509_STORE_add_lookup, which registers a callback in the X509_STORE.

3. Later, after rustls begins the handshake and receives the ServerHello, we reach the rustls-openssl-compat function ServerVerifier::verify_server_cert_inner, which calls OwnedX509Store::to_root_store. This calls the libcrypto function X509_STORE_get1_all_certs to retrieve the certs from the X509_STORE, which returns an empty list.

@djc any recommendations? Should I try to extend OwnedX509Store::to_root_store to invoke the callbacks registered by X509_STORE_add_lookup?

[ctz]

Unfortunately I think this is another instance of #17

[brian-pane]

#17 notes a range of options, from using libcrypto's verifier to sticking with the rustls verifier and fetching updates from the X509_STORE struct on each use (which in this case would mean either calling the registered callbacks from rustls-openssl-compat directly or calling libcrypto's one API function that invokes the callbacks internally, ossl_x509_store_ctx_get_by_subject).

Have you decided on which option to pursue; and if so, would it make sense for me to try to start implementing that approach in this PR? If not, is it better for me to shelve this for now?