TLS: remove support for Secure Transport and BearSSL

These libraries do not support TLS 1.3 and have been marked for removal for over a year. We want to help users select a TLS dependency that is future-proof and reliable, and not supporting TLS 1.3 in 2025 does not infer confidence. Users who build libcurl are likely to be served better and get something more future-proof with a TLS library that supports 1.3. Closes #16677
2026-05-14 16:26:20 +03:00 · 2025-06-09 14:07:21 +02:00 · 2025-06-09 14:07:21 +02:00 · 08a3e8e19a
commit 08a3e8e19a
parent b761eb5add
89 changed files with 163 additions and 5036 deletions
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@ -39,8 +39,6 @@ env:
  MAKEFLAGS: -j 5
  CURL_CI: github
  CURL_CLANG_TIDYFLAGS: '-checks=-clang-analyzer-security.insecureAPI.strcpy,-clang-analyzer-optin.performance.Padding,-clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling,-clang-analyzer-valist.Uninitialized'
-  # unhandled
-  BEARSSL_VERSION: 0.6
  # renovate: datasource=github-tags depName=libressl-portable/portable versioning=semver registryUrl=https://github.com
  LIBRESSL_VERSION: 4.1.0
  # renovate: datasource=github-tags depName=wolfSSL/wolfssl versioning=semver extractVersion=^v?(?<version>.+)-stable$ registryUrl=https://github.com
@ -75,16 +73,6 @@ jobs:
      fail-fast: false
      matrix:
        build:
-          - name: bearssl
-            install_packages: zlib1g-dev
-            install_steps: bearssl pytest
-            configure: LDFLAGS=-Wl,-rpath,/home/runner/bearssl/lib --with-bearssl=/home/runner/bearssl --enable-debug
-
-          - name: bearssl clang
-            install_packages: zlib1g-dev clang
-            install_steps: bearssl
-            configure: CC=clang LDFLAGS=-Wl,-rpath,/home/runner/bearssl/lib --with-bearssl=/home/runner/bearssl --enable-debug
-
          - name: libressl heimdal
            install_packages: zlib1g-dev libnghttp2-dev libldap-dev heimdal-dev
            install_steps: libressl pytest
@ -344,27 +332,6 @@ jobs:
            py3-impacket py3-asn1 py3-six py3-pycryptodomex \
            perl-time-hires openssh stunnel sudo git openssl

-      - name: 'cache bearssl'
-        if: ${{ contains(matrix.build.install_steps, 'bearssl') }}
-        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4
-        id: cache-bearssl
-        env:
-          cache-name: cache-bearssl
-        with:
-          path: ~/bearssl
-          key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ env.BEARSSL_VERSION }}
-
-      - name: 'build bearssl'
-        if: ${{ contains(matrix.build.install_steps, 'bearssl') && steps.cache-bearssl.outputs.cache-hit != 'true' }}
-        run: |
-          curl -LOsSf --retry 6 --retry-connrefused --max-time 999 \
-            "https://bearssl.org/bearssl-${BEARSSL_VERSION}.tar.gz" | tar -xz
-          cd "bearssl-${BEARSSL_VERSION}"
-          make
-          mkdir -p ~/bearssl/lib ~/bearssl/include
-          cp inc/*.h ~/bearssl/include
-          cp build/libbearssl.* ~/bearssl/lib
-
      - name: 'cache libressl'
        if: ${{ contains(matrix.build.install_steps, 'libressl') }}
        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@ -43,8 +43,6 @@ permissions: {}
 # - 10.9  Mavericks (2013)     - LDAP
 # - 10.14 Mojave (2018)        - Secure Transport
 #
-# For Secure Transport, curl implements features that require a target
-# newer than the 10.8 required by `CFURLCreateDataAndPropertiesFromResource`.

 env:
  CURL_CI: github
@ -105,18 +103,6 @@ jobs:
              --without-nghttp2 --disable-ntlm --without-ssl --without-zlib --without-zstd

            macos-version-min: '10.15'  # Catalina (2019)
-          - name: 'SecureTransport libssh2'
-            compiler: clang
-            configure: --enable-debug --with-secure-transport --with-libssh2=/opt/homebrew/opt/libssh2
-            macos-version-min: '10.8'
-          - name: 'SecureTransport libssh2 10.12'
-            compiler: clang
-            configure: --enable-debug --with-secure-transport --with-libssh2=/opt/homebrew/opt/libssh2
-            macos-version-min: '10.12'  # for monotonic timers
-          - name: 'SecureTransport libssh2'
-            compiler: gcc-12
-            configure: --enable-debug --with-secure-transport --with-libssh2=/opt/homebrew/opt/libssh2
-            macos-version-min: '10.8'
          - name: 'LibreSSL +examples'
            compiler: clang
            install: libressl
@ -147,9 +133,6 @@ jobs:
          - name: 'quictls +static libssh +examples'
            install: quictls libssh
            generate: -DOPENSSL_ROOT_DIR=/opt/homebrew/opt/quictls -DBUILD_STATIC_LIBS=ON -DCURL_USE_LIBSSH2=OFF -DCURL_USE_LIBSSH=ON
-          - name: 'SecureTransport debug'
-            generate: -DCURL_USE_SECTRANSP=ON -DENABLE_DEBUG=ON
-            macos-version-min: '10.8'
          - name: 'LibreSSL !ldap heimdal c-ares +examples'
            install: libressl heimdal
            generate: -DOPENSSL_ROOT_DIR=/opt/homebrew/opt/libressl -DENABLE_ARES=ON -DCURL_USE_GSSAPI=ON -DGSS_ROOT_DIR=/opt/homebrew/opt/heimdal -DCURL_DISABLE_LDAP=ON
@ -367,7 +350,7 @@ jobs:
            make -C bld examples V=1
          fi

-  combinations:  # Test buildability with host OS, Xcode / SDK, compiler, target-OS, Secure Transport/not, built tool, combinations
+  combinations:  # Test buildability with host OS, Xcode / SDK, compiler, target-OS, built tool, combinations
    name: "${{ matrix.build == 'cmake' && 'CM' || 'AM' }} ${{ matrix.compiler }} ${{ matrix.image }} ${{ matrix.xcode }} ${{ matrix.config }}"
    runs-on: ${{ matrix.image }}
    timeout-minutes: 10
@ -382,7 +365,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        config: [SecureTransport]  # also: OpenSSL
+        config: [OpenSSL]
        compiler: [gcc-12, gcc-13, gcc-14, llvm@15, llvm@18, clang]
        # Xcode support matrix as of 2024-07, with default macOS SDK versions and OS names, years:
        # * = default Xcode on the runner.
@ -427,7 +410,6 @@ jobs:
          - { image: macos-14, compiler: 'llvm@18' }
          - { image: macos-15, compiler: 'llvm@15' }
          # Reduce build combinations, by dropping less interesting ones
-          - { compiler: gcc-12, config: SecureTransport }
          - { compiler: gcc-13, build: cmake }
          - { compiler: gcc-14, build: autotools }
    steps:
@ -478,7 +460,6 @@ jobs:

          if [ "${MATRIX_BUILD}" = 'cmake' ]; then
            [ "${MATRIX_CONFIG}" = 'OpenSSL' ]         && options+=' -DCURL_USE_OPENSSL=ON'
-            [ "${MATRIX_CONFIG}" = 'SecureTransport' ] && options+=' -DCURL_USE_SECTRANSP=ON'
            [ -n "${MATRIX_MACOS_VERSION_MIN}" ] && options+=" -DCMAKE_OSX_DEPLOYMENT_TARGET=${MATRIX_MACOS_VERSION_MIN}"
            # would pick up nghttp2, libidn2, and libssh2
            cmake -B bld -G Ninja -D_CURL_PREFILL=ON \
@ -500,7 +481,6 @@ jobs:
              CFLAGS+=" --sysroot=${sysroot}"
            fi
            [ "${MATRIX_CONFIG}" = 'OpenSSL' ]         && options+=" --with-openssl=$(brew --prefix openssl)"
-            [ "${MATRIX_CONFIG}" = 'SecureTransport' ] && options+=' --with-secure-transport'
            [ -n "${MATRIX_MACOS_VERSION_MIN}" ] && CFLAGS+=" -mmacosx-version-min=${MATRIX_MACOS_VERSION_MIN}"
            # would pick up nghttp2, libidn2, but libssh2 is disabled by default
            mkdir bld && cd bld && ../configure --enable-unity --enable-test-bundles --enable-warnings --enable-werror \