Public API for CURLOPT_CAPATH (on-demand CA cert directory lookup)? #16111
LukePickett2 asked this question in Q&A (unanswered, 0 replies)
We're using google-cloud-cpp on Linux with OpenSSL 3.2, and have found that the default behavior — leaving libcurl to use the system CA bundle file via CURLOPT_CAINFO — causes OpenSSL to parse and load the entire bundle into a fresh SSL_CTX on each connection. With OpenSSL 3.2+ this is noticeably more expensive than the alternative: setting CURLOPT_CAPATH to a hashed certificate directory (e.g. /etc/ssl/certs/), which allows OpenSSL to do a single O(1) lookup for only the CA cert needed to verify each connection.
We noticed google::cloud::storage::internal::CAPathOption and google::cloud::internal::CAPathOption exist but are both marked "only intended for testing, not for public use."
Is there a supported/public way to achieve CURLOPT_CAPATH behavior? If not, is there any plan to expose this as a public option alongside CARootsFilePathOption? We'd rather not rely on an internal API for production use.