ssl_certificates - ryzom/ryzomcore GitHub Wiki


title: SSL Certificates
description: Loading and applying custom SSL/TLS certificates for CURL connections
published: true
date: 2026-03-16T00:00:00.000Z
tags:
editor: markdown
dateCreated: 2026-03-16T00:00:00.000Z

CCurlCertificates manages custom SSL/TLS certificate loading for CURL-based HTTP connections. It loads PEM certificate files into memory and injects them into the OpenSSL context when CURL establishes an HTTPS connection.

This is used when the system certificate store is insufficient or unavailable — for example, when shipping a custom cacert.pem bundle with the game client.

Header: nel/web/curl_certificates.h

Usage

```cpp
#include <nel/web/curl_certificates.h>

// Load a PEM certificate bundle (typically done once at startup)
NLWEB::CCurlCertificates::addCertificateFile("cacert.pem");

// Later, when setting up a CURL handle:
CURL *curl = curl_easy_init();
NLWEB::CCurlCertificates::useCertificates(curl);
// ... use curl normally ...
```

API Reference

| Method | Description |
| --- | --- |
| addCertificateFile(cert) | Load X.509 certificates from a PEM file into memory. Can be called multiple times to load additional certificates. |
| useCertificates(curl) | Register an SSL context callback on the given CURL handle that injects all loaded certificates into the OpenSSL certificate store. |

How It Works

  1. addCertificateFile reads the PEM file, parses each certificate using OpenSSL's PEM_read_bio_X509, and stores them in an in-memory list.
  2. useCertificates sets CURLOPT_SSL_CTX_FUNCTION on the CURL handle to a callback that adds all loaded certificates to the SSL context's certificate store via X509_STORE_add_cert.
  3. The implementation detects whether CURL is using the OpenSSL backend. On platforms where CURL uses a different SSL backend (Windows SChannel, macOS SecureTransport), the certificate injection is skipped and the system certificate store is used instead.
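As an added example (not part of this wiki or of ryzomcore), here is a structural pre-flight for the kind of PEM bundle that step 1 parses and that ships with the client. It counts complete certificate blocks, flags cut-off or mismatched blocks, and flags any private-key block, which has no place in a CA bundle. `PemReport`, `inspectPemBundle` and `safeToShip` are hypothetical names, and the embedded sample is constructed.

```cpp
#include <cstdio>
#include <sstream>
#include <string>

struct PemReport {
    int certificates = 0;   // complete BEGIN/END CERTIFICATE pairs
    int privateKeys = 0;    // "... PRIVATE KEY" blocks; must never ship to clients
    bool malformed = false; // nested BEGIN, stray or mismatched END, cut-off block
};

// Hypothetical helper (not ryzomcore code). Checks block boundaries only;
// base64 and X.509 contents are still validated by OpenSSL at load time.
PemReport inspectPemBundle(const std::string &pem) {
    const std::string begin = "-----BEGIN ", end = "-----END ", tail = "-----";
    PemReport r;
    std::string open; // label of the block currently open, empty if none
    std::istringstream in(pem);
    for (std::string line; std::getline(in, line);) {
        while (!line.empty() && (line.back() == '\r' || line.back() == ' '))
            line.pop_back(); // tolerate CRLF and trailing spaces
        bool isBegin = line.compare(0, begin.size(), begin) == 0;
        bool isEnd = line.compare(0, end.size(), end) == 0;
        if ((!isBegin && !isEnd) || line.size() < tail.size() ||
            line.compare(line.size() - tail.size(), tail.size(), tail) != 0)
            continue; // not a PEM boundary line
        const std::size_t skip = isBegin ? begin.size() : end.size();
        std::string label = line.substr(skip, line.size() - skip - tail.size());
        if (isBegin) {
            if (!open.empty() || label.empty()) r.malformed = true; // nested BEGIN
            if (label.find("PRIVATE KEY") != std::string::npos) ++r.privateKeys;
            open = label;
        } else {
            if (open.empty() || open != label) r.malformed = true; // stray END
            else if (label == "CERTIFICATE") ++r.certificates;
            open.clear();
        }
    }
    if (!open.empty()) r.malformed = true; // file ends inside a block
    return r;
}

bool safeToShip(const PemReport &r) {
    return r.certificates > 0 && r.privateKeys == 0 && !r.malformed;
}
int main() { // constructed sample: one certificate plus a leaked key block
    PemReport r = inspectPemBundle("-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
                                   "-----BEGIN PRIVATE KEY-----\nBBBB\n-----END PRIVATE KEY-----\n");
    std::printf("certs=%d keys=%d ship=%d\n", r.certificates, r.privateKeys, safeToShip(r));
}
```

A bundle that yields zero certificates is rejected as well, since a file that parses to nothing gives the client no custom CAs.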

Ryzom Client Configuration

The Ryzom client loads a custom certificate bundle from the CurlCABundle config variable:

```cpp
if (!ClientCfg.CurlCABundle.empty())
{
    NLWEB::CCurlCertificates::addCertificateFile(ClientCfg.CurlCABundle);
}
```

This is applied to CURL handles used by the in-game web browser and the login system.
