openssl: Don't ignore CA paths when using Windows CA store

This commit changes the behavior of CURLSSLOPT_NATIVE_CA so that it does
not override CURLOPT_CAINFO / CURLOPT_CAPATH, or the hardcoded default
locations. Instead the CA store can now be used at the same time.

The change is due to the impending release. The issue is still being
discussed. The behavior of CURLSSLOPT_NATIVE_CA is subject to change and
is now documented as experimental.

Ref: bc052cc (parent commit)
Ref: https://github.com/curl/curl/issues/5585

2 files changed, 4 insertions, 2 deletions

diff --git a/docs/EXPERIMENTAL.md b/docs/EXPERIMENTAL.md
index 34974fba8..bca2bd910 100644
--- a/docs/EXPERIMENTAL.md
+++ b/docs/EXPERIMENTAL.md
@@ -21,3 +21,4 @@ Experimental support in curl means:
  - HTTP/3 support and options
  - alt-svc support and options
  - MQTT
+ - CURLSSLOPT_NATIVE_CA (No configure option, feature built in when supported)
diff --git a/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3 b/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3
index 52b2817e9..1b8e41267 100644
--- a/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3
+++ b/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3
@@ -57,8 +57,9 @@ library). If combined with \fICURLSSLOPT_NO_REVOKE\fP, the latter takes
 precedence. (Added in 7.70.0)
 .IP CURLSSLOPT_NATIVE_CA
 Tell libcurl to use the operating system's native CA store for certificate
-verifiction. Works only on Windows when built to use OpenSSL. This option
-overrides \fICURLOPT_CAINFO(3)\fP if both are set. (Added in 7.71.0)
+verification. Works only on Windows when built to use OpenSSL. This option is
+experimental and behavior is subject to change.
+(Added in 7.71.0)
 .SH DEFAULT
 0
 .SH PROTOCOLS