alexcrichton · alexcrichton · Nov 7, 2022 · Sep 28, 2022 · Nov 7, 2022
diff --git a/curl-sys/lib.rs b/curl-sys/lib.rs
@@ -637,6 +637,10 @@ pub const CURL_IPRESOLVE_V6: c_int = 2;
 
 pub const CURLSSLOPT_ALLOW_BEAST: c_long = 1 << 0;
 pub const CURLSSLOPT_NO_REVOKE: c_long = 1 << 1;
+pub const CURLSSLOPT_NO_PARTIALCHAIN: c_long = 1 << 2;
+pub const CURLSSLOPT_REVOKE_BEST_EFFORT: c_long = 1 << 3;
+pub const CURLSSLOPT_NATIVE_CA: c_long = 1 << 4;
+pub const CURLSSLOPT_AUTO_CLIENT_CERT: c_long = 1 << 5;
 
 /// These enums are for use with the CURLOPT_HTTP_VERSION option.
 ///

diff --git a/src/easy/handler.rs b/src/easy/handler.rs
@@ -3813,6 +3813,46 @@ impl SslOpt {
         SslOpt { bits: 0 }
     }
 
+    /// Tell libcurl to automatically locate and use a client certificate for authentication,
+    /// when requested by the server.
+    ///
+    /// This option is only supported for Schannel (the native Windows SSL library).
+    /// Prior to 7.77.0 this was the default behavior in libcurl with Schannel.
+    ///
+    /// Since the server can request any certificate that supports client authentication in
+    /// the OS certificate store it could be a privacy violation and unexpected. (Added in 7.77.0)
+    pub fn auto_client_cert(&mut self, on: bool) -> &mut SslOpt {
+        self.flag(curl_sys::CURLSSLOPT_AUTO_CLIENT_CERT, on)
+    }
+
+    /// Tell libcurl to use the operating system's native CA store for certificate verification.
+    ///
+    /// Works only on Windows when built to use OpenSSL.
+    ///
+    /// This option is experimental and behavior is subject to change. (Added in 7.71.0)
+    pub fn native_ca(&mut self, on: bool) -> &mut SslOpt {
+        self.flag(curl_sys::CURLSSLOPT_NATIVE_CA, on)
+    }
+
+    /// Tells libcurl to ignore certificate revocation checks in case of missing or
+    /// offline distribution points for those SSL backends where such behavior is present.
+    ///
+    /// This option is only supported for Schannel (the native Windows SSL library).
+    ///
+    /// If combined with CURLSSLOPT_NO_REVOKE, the latter takes precedence. (Added in 7.70.0)
+    pub fn revoke_best_effort(&mut self, on: bool) -> &mut SslOpt {
+        self.flag(curl_sys::CURLSSLOPT_REVOKE_BEST_EFFORT, on)
+    }
+
+    /// Tells libcurl to not accept "partial" certificate chains, which it otherwise does by default.
+    ///
+    /// This option is only supported for OpenSSL and will fail the certificate verification
+    /// if the chain ends with an intermediate certificate and not with a root cert.
+    /// (Added in 7.68.0)
+    pub fn no_partial_chain(&mut self, on: bool) -> &mut SslOpt {
+        self.flag(curl_sys::CURLSSLOPT_NO_PARTIALCHAIN, on)
+    }
+
     /// Tells libcurl to disable certificate revocation checks for those SSL
     /// backends where such behavior is present.
     ///

diff --git a/systest/build.rs b/systest/build.rs
@@ -62,6 +62,7 @@ fn main() {
         false
     });
 
+    // Version symbols are extracted from https://curl.se/libcurl/c/symbols-in-versions.html
     cfg.skip_const(move |s| {
         if version < 77 {
             match s {
@@ -73,7 +74,8 @@ fn main() {
                 | "CURL_VERSION_ZSTD"
                 | "CURL_VERSION_UNICODE"
                 | "CURL_VERSION_HSTS"
-                | "CURL_VERSION_GSASL" => return true,
+                | "CURL_VERSION_GSASL"
+                | "CURLSSLOPT_AUTO_CLIENT_CERT" => return true,
                 _ => {}
             }
         }
@@ -110,15 +112,23 @@ fn main() {
                 | "CURLOPT_ISSUERCERT_BLOB"
                 | "CURLOPTTYPE_BLOB"
                 | "CURL_BLOB_NOCOPY"
-                | "CURL_BLOB_COPY" => return true,
+                | "CURL_BLOB_COPY"
+                | "CURLSSLOPT_NATIVE_CA" => return true,
                 _ => {}
             }
         }
         if version < 70 {
             match s {
-                "CURL_VERSION_HTTP3" | "CURL_VERSION_BROTLI" | "CURLVERSION_SEVENTH" => {
-                    return true
-                }
+                "CURL_VERSION_HTTP3"
+                | "CURL_VERSION_BROTLI"
+                | "CURLVERSION_SEVENTH"
+                | "CURLSSLOPT_REVOKE_BEST_EFFORT" => return true,
+                _ => {}
+            }
+        }
+        if version < 68 {
+            match s {
+                "CURLSSLOPT_NO_PARTIALCHAIN" => return true,
                 _ => {}
             }
         }
@@ -202,18 +212,22 @@ fn main() {
                 _ => {}
             }
         }
-
         if version < 47 {
             if s.starts_with("CURL_HTTP_VERSION_2") {
                 return true;
             }
         }
-
         if version < 43 {
             if s.starts_with("CURLPIPE_") {
                 return true;
             }
         }
+        if version < 25 {
+            match s {
+                "CURLSSLOPT_ALLOW_BEAST" => return true,
+                _ => {}
+            }
+        }
 
         // OSX doesn't have this yet
         s == "CURLSSLOPT_NO_REVOKE" ||