TLS: remove support for Secure Transport and BearSSL

These libraries do not support TLS 1.3 and have been marked for removal for over a year. We want to help users select a TLS dependency that is future-proof and reliable, and not supporting TLS 1.3 in 2025 does not infer confidence. Users who build libcurl are likely to be served better and get something more future-proof with a TLS library that supports 1.3. Closes #16677
2026-05-17 00:56:23 +03:00 · 2025-06-09 14:07:21 +02:00 · 2025-06-09 14:07:21 +02:00 · 08a3e8e19a
commit 08a3e8e19a
parent b761eb5add
89 changed files with 163 additions and 5036 deletions
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@ -39,8 +39,6 @@ env:
  MAKEFLAGS: -j 5
  CURL_CI: github
  CURL_CLANG_TIDYFLAGS: '-checks=-clang-analyzer-security.insecureAPI.strcpy,-clang-analyzer-optin.performance.Padding,-clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling,-clang-analyzer-valist.Uninitialized'
-  # unhandled
-  BEARSSL_VERSION: 0.6
  # renovate: datasource=github-tags depName=libressl-portable/portable versioning=semver registryUrl=https://github.com
  LIBRESSL_VERSION: 4.1.0
  # renovate: datasource=github-tags depName=wolfSSL/wolfssl versioning=semver extractVersion=^v?(?<version>.+)-stable$ registryUrl=https://github.com
@ -75,16 +73,6 @@ jobs:
      fail-fast: false
      matrix:
        build:
-          - name: bearssl
-            install_packages: zlib1g-dev
-            install_steps: bearssl pytest
-            configure: LDFLAGS=-Wl,-rpath,/home/runner/bearssl/lib --with-bearssl=/home/runner/bearssl --enable-debug
-
-          - name: bearssl clang
-            install_packages: zlib1g-dev clang
-            install_steps: bearssl
-            configure: CC=clang LDFLAGS=-Wl,-rpath,/home/runner/bearssl/lib --with-bearssl=/home/runner/bearssl --enable-debug
-
          - name: libressl heimdal
            install_packages: zlib1g-dev libnghttp2-dev libldap-dev heimdal-dev
            install_steps: libressl pytest
@ -344,27 +332,6 @@ jobs:
            py3-impacket py3-asn1 py3-six py3-pycryptodomex \
            perl-time-hires openssh stunnel sudo git openssl

-      - name: 'cache bearssl'
-        if: ${{ contains(matrix.build.install_steps, 'bearssl') }}
-        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4
-        id: cache-bearssl
-        env:
-          cache-name: cache-bearssl
-        with:
-          path: ~/bearssl
-          key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ env.BEARSSL_VERSION }}
-
-      - name: 'build bearssl'
-        if: ${{ contains(matrix.build.install_steps, 'bearssl') && steps.cache-bearssl.outputs.cache-hit != 'true' }}
-        run: |
-          curl -LOsSf --retry 6 --retry-connrefused --max-time 999 \
-            "https://bearssl.org/bearssl-${BEARSSL_VERSION}.tar.gz" | tar -xz
-          cd "bearssl-${BEARSSL_VERSION}"
-          make
-          mkdir -p ~/bearssl/lib ~/bearssl/include
-          cp inc/*.h ~/bearssl/include
-          cp build/libbearssl.* ~/bearssl/lib
-
      - name: 'cache libressl'
        if: ${{ contains(matrix.build.install_steps, 'libressl') }}
        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4