
[flagged]


Curl has the ability to use the OS certificate store. There is also the option (at invocation) to not use any other certificate stores than the one provided by the user (at invocation). The version which is shipped by Apple does ignore this, which introduces a backdoor.


That behaviour is also a curl configuration option, i.e. with-ca-fallback.

Curl definitely should be updating man pages if it is falling back to OpenSSL CAs when --cacert is specified.

Homebrew Curl on Mac also sets this flag:

https://github.com/Homebrew/homebrew-core/blob/9cccce7a6dff7...


curl (proper) doesn't do that, nor is it supposed to; that's the point.


This behaviour is part of curl (proper) and is set via compile time flags.

And at least according to curl's code, it is set by default when it is built against OpenSSL:

https://github.com/curl/curl/blob/1ccf1cd9936dfa382fe1f061b6...


It's not set by default. (and even when it is set, does it modify the behaviour of the --cacert option?)
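The question in the comment above, whether --cacert stays the sole trust anchor on a given build, can be answered empirically rather than by reading configure flags. The script below is an added example written for this page; it is not code from the thread, from curl, from Homebrew or from Apple. It mints a throw-away CA that has never signed anything, runs the curl on PATH against a public HTTPS host once with the default store (control) and once with --cacert pointing at that throw-away CA, and classifies the two exit codes: 60 on the second run means the supplied file was the only trust anchor, 0 means some other store was consulted. Assumptions: openssl(1) is installed, and the probe URL (https://example.com/ unless PROBE_URL is set, a placeholder chosen for the example) is reachable with a certificate chaining to a public root. Without network the verdict is "unknown".

```shell
#!/bin/sh
# Added example, not code from the thread, curl, Homebrew or Apple: probe
# whether `curl --cacert FILE` verifies peers against FILE only, or also
# against a system/OpenSSL store behind the user's back.
# Assumptions: openssl(1) is on PATH to mint a throw-away CA; PROBE_URL
# (placeholder default https://example.com/) is reachable and chains to a
# public root that the default store trusts.
set -u

PROBE_URL="${PROBE_URL:-https://example.com/}"

# Turn the two curl exit codes into a verdict.
#   $1: control run using curl's default CA store
#       (must be 0: host reachable and its chain valid, else we learn nothing)
#   $2: run with --cacert pointing at a CA that signed nothing
#       60 -> peer could not be verified: --cacert was exclusive (correct)
#        0 -> peer verified anyway: another store was consulted (fallback)
classify_cacert_probe() {
  if [ "$1" -ne 0 ]; then
    echo unknown      # no network, DNS failure, or the default store is broken
    return 0
  fi
  case "$2" in
    60) echo exclusive ;;
    0)  echo fallback ;;
    *)  echo unknown ;;   # e.g. 6/7 connect errors, 77 unreadable CA file
  esac
}

# Mint a valid, self-signed CA in $1/unrelated-ca.pem. curl must accept the
# file itself; the point is that this CA has never signed any server cert.
mint_unrelated_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=throwaway-ca-for-cacert-probe" \
    -keyout "$1/unrelated-ca.key" -out "$1/unrelated-ca.pem" >/dev/null 2>&1
}

# Run both requests and print the verdict. Never exits non-zero: a missing
# tool or an unreachable host yields "unknown" rather than a false result.
run_cacert_probe() {
  if ! command -v curl >/dev/null 2>&1 || ! command -v openssl >/dev/null 2>&1; then
    echo unknown; return 0
  fi
  work=$(mktemp -d) || { echo unknown; return 0; }
  mint_unrelated_ca "$work" || { rm -rf "$work"; echo unknown; return 0; }
  control=0; probe=0
  curl -sS -m 15 -o /dev/null "$PROBE_URL" >/dev/null 2>&1 || control=$?
  curl -sS -m 15 -o /dev/null --cacert "$work/unrelated-ca.pem" "$PROBE_URL" \
    >/dev/null 2>&1 || probe=$?
  rm -rf "$work"
  classify_cacert_probe "$control" "$probe"
}

# Stand-alone use: report the verdict for whichever curl is first on PATH.
echo "curl --cacert is: $(run_cacert_probe)"
```

Run it once per curl binary you care about (for instance with PATH pointing at the Apple-shipped one, then at a Homebrew or self-built one) and compare the verdicts; "exclusive" is the behaviour the man page describes for --cacert, while "fallback" means the supplied file is not the only thing the peer is checked against.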


You mean Apple, who modified the code to work in this broken way.


Oh yes, you should definitely write to the author of the article above correcting his understanding of curl and suggesting he raise that issue.

Don't forget to use your Apple corporate email address.



