tidy-up: sort TLS backends, distros, alphabetically

Also:
- replace stray [Rr]ustls-ffi with Rustls for consistency.
- add AWS-LC to a couple of lists where missing.

Closes #21481
This commit is contained in:
Viktor Szakats 2026-05-01 13:25:49 +02:00
parent ed3cd8b046
commit 4815070794
21 changed files with 345 additions and 345 deletions


@ -36,13 +36,6 @@ env:
CURL_CI: github
CURL_TEST_MIN: 1850
DO_NOT_TRACK: '1'
# renovate: datasource=github-releases depName=openssl/openssl versioning=semver extractVersion=^openssl-(?<version>.+)$ registryUrl=https://github.com
OPENSSL_VERSION: 4.0.0
# manually bumped
OPENSSL_PREV_VERSION: 3.6.2
OPENSSL_PREV_SHA256: aaf51a1fe064384f811daeaeb4ec4dce7340ec8bd893027eee676af31e83a04f
# renovate: datasource=github-tags depName=libressl/portable versioning=semver registryUrl=https://github.com
LIBRESSL_VERSION: 4.3.1
# renovate: datasource=github-tags depName=awslabs/aws-lc versioning=semver registryUrl=https://github.com
AWSLC_VERSION: 1.73.0
# renovate: datasource=github-tags depName=google/boringssl versioning=semver registryUrl=https://github.com
@ -51,6 +44,15 @@ env:
NETTLE_VERSION: 3.10.2
# renovate: datasource=github-tags depName=gnutls/gnutls versioning=semver extractVersion=^nettle_?(?<version>.+)_release_.+$ registryUrl=https://github.com
GNUTLS_VERSION: 3.8.11
# renovate: datasource=github-tags depName=libressl/portable versioning=semver registryUrl=https://github.com
LIBRESSL_VERSION: 4.3.1
# renovate: datasource=github-releases depName=openssl/openssl versioning=semver extractVersion=^openssl-(?<version>.+)$ registryUrl=https://github.com
OPENSSL_VERSION: 4.0.0
# manually bumped
OPENSSL_PREV_VERSION: 3.6.2
OPENSSL_PREV_SHA256: aaf51a1fe064384f811daeaeb4ec4dce7340ec8bd893027eee676af31e83a04f
# renovate: datasource=github-tags depName=cloudflare/quiche versioning=semver registryUrl=https://github.com
QUICHE_VERSION: 0.24.7
# renovate: datasource=github-tags depName=wolfSSL/wolfssl versioning=semver extractVersion=^v?(?<version>.+)-stable$ registryUrl=https://github.com
WOLFSSL_VERSION: 5.9.1
# renovate: datasource=github-tags depName=ngtcp2/nghttp3 versioning=semver registryUrl=https://github.com
@ -59,8 +61,6 @@ env:
NGTCP2_VERSION: 1.22.1
# renovate: datasource=github-tags depName=nghttp2/nghttp2 versioning=semver registryUrl=https://github.com
NGHTTP2_VERSION: 1.69.0
# renovate: datasource=github-tags depName=cloudflare/quiche versioning=semver registryUrl=https://github.com
QUICHE_VERSION: 0.24.7
jobs:
build-cache:
@ -68,33 +68,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'cache openssl'
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
id: cache-openssl-http3-no-deprecated
env:
cache-name: cache-openssl-http3-no-deprecated
with:
path: ~/openssl/build
key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_VERSION }}
- name: 'cache openssl-prev'
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
id: cache-openssl-prev-http3-no-deprecated
env:
cache-name: cache-openssl-prev-http3-no-deprecated
with:
path: ~/openssl-prev/build
key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_PREV_VERSION }}
- name: 'cache libressl'
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
id: cache-libressl
env:
cache-name: cache-libressl
with:
path: ~/libressl/build
key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.LIBRESSL_VERSION }}
- name: 'cache awslc'
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
id: cache-awslc
@ -131,6 +104,33 @@ jobs:
path: ~/gnutls/build
key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.GNUTLS_VERSION }}-${{ env.NETTLE_VERSION }}
- name: 'cache libressl'
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
id: cache-libressl
env:
cache-name: cache-libressl
with:
path: ~/libressl/build
key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.LIBRESSL_VERSION }}
- name: 'cache openssl'
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
id: cache-openssl-http3-no-deprecated
env:
cache-name: cache-openssl-http3-no-deprecated
with:
path: ~/openssl/build
key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_VERSION }}
- name: 'cache openssl-prev'
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
id: cache-openssl-prev-http3-no-deprecated
env:
cache-name: cache-openssl-prev-http3-no-deprecated
with:
path: ~/openssl-prev/build
key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_PREV_VERSION }}
- name: 'cache wolfssl'
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
id: cache-wolfssl
@ -159,15 +159,6 @@ jobs:
key: "${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.NGTCP2_VERSION }}-${{ env.OPENSSL_VERSION }}-\
${{ env.LIBRESSL_VERSION }}-${{ env.AWSLC_VERSION }}-${{ env.NETTLE_VERSION }}-${{ env.GNUTLS_VERSION }}-${{ env.WOLFSSL_VERSION }}"
- name: 'cache ngtcp2 openssl-prev'
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
id: cache-ngtcp2-openssl-prev
env:
cache-name: cache-ngtcp2-openssl-prev
with:
path: ~/ngtcp2-openssl-prev/build
key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.NGTCP2_VERSION }}-${{ env.OPENSSL_PREV_VERSION }}
- name: 'cache ngtcp2 boringssl'
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
id: cache-ngtcp2-boringssl
@ -177,6 +168,15 @@ jobs:
path: ~/ngtcp2-boringssl/build
key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.NGTCP2_VERSION }}-${{ env.BORINGSSL_VERSION }}
- name: 'cache ngtcp2 openssl-prev'
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
id: cache-ngtcp2-openssl-prev
env:
cache-name: cache-ngtcp2-openssl-prev
with:
path: ~/ngtcp2-openssl-prev/build
key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.NGTCP2_VERSION }}-${{ env.OPENSSL_PREV_VERSION }}
- name: 'cache nghttp2'
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
id: cache-nghttp2
@ -189,18 +189,18 @@ jobs:
- id: settings
if: >-
${{ steps.cache-openssl-http3-no-deprecated.outputs.cache-hit != 'true' ||
steps.cache-openssl-prev-http3-no-deprecated.outputs.cache-hit != 'true' ||
steps.cache-libressl.outputs.cache-hit != 'true' ||
steps.cache-awslc.outputs.cache-hit != 'true' ||
${{ steps.cache-awslc.outputs.cache-hit != 'true' ||
steps.cache-boringssl.outputs.cache-hit != 'true' ||
steps.cache-nettle.outputs.cache-hit != 'true' ||
steps.cache-gnutls.outputs.cache-hit != 'true' ||
steps.cache-libressl.outputs.cache-hit != 'true' ||
steps.cache-openssl-http3-no-deprecated.outputs.cache-hit != 'true' ||
steps.cache-openssl-prev-http3-no-deprecated.outputs.cache-hit != 'true' ||
steps.cache-wolfssl.outputs.cache-hit != 'true' ||
steps.cache-nghttp3.outputs.cache-hit != 'true' ||
steps.cache-ngtcp2.outputs.cache-hit != 'true' ||
steps.cache-ngtcp2-openssl-prev.outputs.cache-hit != 'true' ||
steps.cache-ngtcp2-boringssl.outputs.cache-hit != 'true' ||
steps.cache-ngtcp2-openssl-prev.outputs.cache-hit != 'true' ||
steps.cache-ngtcp2.outputs.cache-hit != 'true' ||
steps.cache-nghttp2.outputs.cache-hit != 'true' }}
run: echo 'needs-build=true' >> "$GITHUB_OUTPUT"
@ -221,40 +221,6 @@ jobs:
echo 'CC=gcc-12' >> "$GITHUB_ENV"
echo 'CXX=g++-12' >> "$GITHUB_ENV"
- name: 'build openssl'
if: ${{ steps.cache-openssl-http3-no-deprecated.outputs.cache-hit != 'true' }}
run: |
cd ~
git clone --quiet --depth 1 --branch "openssl-${OPENSSL_VERSION}" https://github.com/openssl/openssl
cd openssl
./config --prefix="$PWD"/build --libdir=lib no-makedepend no-apps no-docs no-tests no-deprecated
make
make -j1 install_sw
- name: 'build openssl-prev'
if: ${{ steps.cache-openssl-prev-http3-no-deprecated.outputs.cache-hit != 'true' }}
run: |
cd ~
curl --disable --fail --silent --show-error --connect-timeout 15 --max-time 120 --retry 6 --retry-connrefused \
--location "https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_PREV_VERSION}/openssl-${OPENSSL_PREV_VERSION}.tar.gz" --output pkg.bin
sha256sum pkg.bin | tee /dev/stderr | grep -qwF -- "${OPENSSL_PREV_SHA256}" && tar -xzf pkg.bin && rm -f pkg.bin
cd "openssl-${OPENSSL_PREV_VERSION}"
./config --prefix=/home/runner/openssl-prev/build --libdir=lib no-makedepend no-apps no-docs no-tests no-deprecated
make
make -j1 install_sw
- name: 'build libressl'
if: ${{ steps.cache-libressl.outputs.cache-hit != 'true' }}
run: |
cd ~
curl --disable --fail --silent --show-error --connect-timeout 15 --max-time 120 --retry 6 --retry-connrefused \
--location "https://github.com/libressl/portable/releases/download/v${LIBRESSL_VERSION}/libressl-${LIBRESSL_VERSION}.tar.gz" --output pkg.bin
sha256sum pkg.bin && tar -xzf pkg.bin && rm -f pkg.bin
cd "libressl-${LIBRESSL_VERSION}"
cmake -B . -G Ninja -DLIBRESSL_APPS=OFF -DLIBRESSL_TESTS=OFF -DCMAKE_INSTALL_PREFIX=/home/runner/libressl/build
cmake --build .
cmake --install .
- name: 'build awslc'
if: ${{ steps.cache-awslc.outputs.cache-hit != 'true' }}
run: |
@ -309,6 +275,40 @@ jobs:
--disable-guile --disable-doc --disable-tests --disable-tools
make install
- name: 'build libressl'
if: ${{ steps.cache-libressl.outputs.cache-hit != 'true' }}
run: |
cd ~
curl --disable --fail --silent --show-error --connect-timeout 15 --max-time 120 --retry 6 --retry-connrefused \
--location "https://github.com/libressl/portable/releases/download/v${LIBRESSL_VERSION}/libressl-${LIBRESSL_VERSION}.tar.gz" --output pkg.bin
sha256sum pkg.bin && tar -xzf pkg.bin && rm -f pkg.bin
cd "libressl-${LIBRESSL_VERSION}"
cmake -B . -G Ninja -DLIBRESSL_APPS=OFF -DLIBRESSL_TESTS=OFF -DCMAKE_INSTALL_PREFIX=/home/runner/libressl/build
cmake --build .
cmake --install .
- name: 'build openssl'
if: ${{ steps.cache-openssl-http3-no-deprecated.outputs.cache-hit != 'true' }}
run: |
cd ~
git clone --quiet --depth 1 --branch "openssl-${OPENSSL_VERSION}" https://github.com/openssl/openssl
cd openssl
./config --prefix="$PWD"/build --libdir=lib no-makedepend no-apps no-docs no-tests no-deprecated
make
make -j1 install_sw
- name: 'build openssl-prev'
if: ${{ steps.cache-openssl-prev-http3-no-deprecated.outputs.cache-hit != 'true' }}
run: |
cd ~
curl --disable --fail --silent --show-error --connect-timeout 15 --max-time 120 --retry 6 --retry-connrefused \
--location "https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_PREV_VERSION}/openssl-${OPENSSL_PREV_VERSION}.tar.gz" --output pkg.bin
sha256sum pkg.bin | tee /dev/stderr | grep -qwF -- "${OPENSSL_PREV_SHA256}" && tar -xzf pkg.bin && rm -f pkg.bin
cd "openssl-${OPENSSL_PREV_VERSION}"
./config --prefix=/home/runner/openssl-prev/build --libdir=lib no-makedepend no-apps no-docs no-tests no-deprecated
make
make -j1 install_sw
- name: 'build wolfssl'
if: ${{ steps.cache-wolfssl.outputs.cache-hit != 'true' }}
run: |
@ -412,57 +412,6 @@ jobs:
fail-fast: false
matrix:
build:
- name: 'openssl'
tflags: '--min=1700'
LDFLAGS: -Wl,-rpath,/home/runner/openssl/build/lib
PKG_CONFIG_PATH: /home/runner/openssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
configure: >-
--with-openssl=/home/runner/openssl/build --with-ngtcp2=/home/runner/ngtcp2/build --enable-ech --enable-ssls-export
- name: 'openssl'
install_steps: skipall
PKG_CONFIG_PATH: /home/runner/openssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
generate: >-
-DOPENSSL_ROOT_DIR=/home/runner/openssl/build -DUSE_NGTCP2=ON
-DCURL_DISABLE_LDAP=ON
-DUSE_ECH=ON
-DCMAKE_UNITY_BUILD=ON
- name: 'openssl-prev'
install_steps: skipall
LDFLAGS: -Wl,-rpath,/home/runner/openssl-prev/build/lib
PKG_CONFIG_PATH: "\
/home/runner/openssl-prev/build/lib/pkgconfig:\
/home/runner/nghttp3/build/lib/pkgconfig:\
/home/runner/nghttp2-openssl-prev/build/lib/pkgconfig"
configure: >-
--with-openssl=/home/runner/openssl-prev/build --with-ngtcp2=/home/runner/ngtcp2-openssl-prev/build --enable-ssls-export
- name: 'openssl-prev'
tflags: '--min=1700'
PKG_CONFIG_PATH: "\
/home/runner/openssl-prev/build/lib/pkgconfig:\
/home/runner/nghttp3/build/lib/pkgconfig:\
/home/runner/ngtcp2-openssl-prev/build/lib/pkgconfig:\
/home/runner/nghttp2/build/lib/pkgconfig"
generate: >-
-DOPENSSL_ROOT_DIR=/home/runner/openssl-prev/build -DUSE_NGTCP2=ON
-DCURL_DISABLE_LDAP=ON
- name: 'libressl'
install_steps: skipall
LDFLAGS: -Wl,-rpath,/home/runner/libressl/build/lib
PKG_CONFIG_PATH: /home/runner/libressl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
# Intentionally using '--with-ngtcp2=<path>' to test this way of configuration, in addition to bare '--with-ngtcp2' + 'PKG_CONFIG_PATH' in other jobs.
configure: >-
--with-openssl=/home/runner/libressl/build --with-ngtcp2=/home/runner/ngtcp2/build --enable-ssls-export
--enable-unity
- name: 'libressl'
PKG_CONFIG_PATH: /home/runner/libressl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
generate: >-
-DOPENSSL_ROOT_DIR=/home/runner/libressl/build -DUSE_NGTCP2=ON
- name: 'awslc'
install_steps: skipall
LDFLAGS: -Wl,-rpath,/home/runner/awslc/build/lib
@ -515,22 +464,56 @@ jobs:
-DCURL_USE_GNUTLS=ON -DUSE_NGTCP2=ON -DCURL_USE_LIBSSH=ON
-DCMAKE_UNITY_BUILD=ON
- name: 'wolfssl'
install_packages: libssh2-1-dev
- name: 'libressl'
install_steps: skipall
LDFLAGS: -Wl,-rpath,/home/runner/wolfssl/build/lib
PKG_CONFIG_PATH: /home/runner/wolfssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
LDFLAGS: -Wl,-rpath,/home/runner/libressl/build/lib
PKG_CONFIG_PATH: /home/runner/libressl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
# Intentionally using '--with-ngtcp2=<path>' to test this way of configuration, in addition to bare '--with-ngtcp2' + 'PKG_CONFIG_PATH' in other jobs.
configure: >-
--with-wolfssl=/home/runner/wolfssl/build --with-ngtcp2=/home/runner/ngtcp2/build --enable-ech --with-libssh2 --enable-ssls-export
--with-openssl=/home/runner/libressl/build --with-ngtcp2=/home/runner/ngtcp2/build --enable-ssls-export
--enable-unity
- name: 'wolfssl'
install_packages: libssh2-1-dev
tflags: '--min=1900'
PKG_CONFIG_PATH: /home/runner/wolfssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
- name: 'libressl'
PKG_CONFIG_PATH: /home/runner/libressl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
generate: >-
-DCURL_USE_WOLFSSL=ON -DUSE_NGTCP2=ON
-DOPENSSL_ROOT_DIR=/home/runner/libressl/build -DUSE_NGTCP2=ON
- name: 'openssl'
tflags: '--min=1700'
LDFLAGS: -Wl,-rpath,/home/runner/openssl/build/lib
PKG_CONFIG_PATH: /home/runner/openssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
configure: >-
--with-openssl=/home/runner/openssl/build --with-ngtcp2=/home/runner/ngtcp2/build --enable-ech --enable-ssls-export
- name: 'openssl'
install_steps: skipall
PKG_CONFIG_PATH: /home/runner/openssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
generate: >-
-DOPENSSL_ROOT_DIR=/home/runner/openssl/build -DUSE_NGTCP2=ON
-DCURL_DISABLE_LDAP=ON
-DUSE_ECH=ON
-DCMAKE_UNITY_BUILD=ON
- name: 'openssl-prev'
install_steps: skipall
LDFLAGS: -Wl,-rpath,/home/runner/openssl-prev/build/lib
PKG_CONFIG_PATH: "\
/home/runner/openssl-prev/build/lib/pkgconfig:\
/home/runner/nghttp3/build/lib/pkgconfig:\
/home/runner/nghttp2-openssl-prev/build/lib/pkgconfig"
configure: >-
--with-openssl=/home/runner/openssl-prev/build --with-ngtcp2=/home/runner/ngtcp2-openssl-prev/build --enable-ssls-export
- name: 'openssl-prev'
tflags: '--min=1700'
PKG_CONFIG_PATH: "\
/home/runner/openssl-prev/build/lib/pkgconfig:\
/home/runner/nghttp3/build/lib/pkgconfig:\
/home/runner/ngtcp2-openssl-prev/build/lib/pkgconfig:\
/home/runner/nghttp2/build/lib/pkgconfig"
generate: >-
-DOPENSSL_ROOT_DIR=/home/runner/openssl-prev/build -DUSE_NGTCP2=ON
-DCURL_DISABLE_LDAP=ON
- name: 'quiche'
install_steps: skipall
@ -549,6 +532,23 @@ jobs:
-DUSE_QUICHE=ON
-DCURL_CA_FALLBACK=ON
- name: 'wolfssl'
install_packages: libssh2-1-dev
install_steps: skipall
LDFLAGS: -Wl,-rpath,/home/runner/wolfssl/build/lib
PKG_CONFIG_PATH: /home/runner/wolfssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
configure: >-
--with-wolfssl=/home/runner/wolfssl/build --with-ngtcp2=/home/runner/ngtcp2/build --enable-ech --with-libssh2 --enable-ssls-export
--enable-unity
- name: 'wolfssl'
install_packages: libssh2-1-dev
tflags: '--min=1900'
PKG_CONFIG_PATH: /home/runner/wolfssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
generate: >-
-DCURL_USE_WOLFSSL=ON -DUSE_NGTCP2=ON
-DUSE_ECH=ON
steps:
- name: 'install prereqs'
timeout-minutes: 2
@ -570,38 +570,6 @@ jobs:
echo 'CC=gcc-12' >> "$GITHUB_ENV"
echo 'CXX=g++-12' >> "$GITHUB_ENV"
- name: 'cache openssl'
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
id: cache-openssl-http3-no-deprecated
env:
cache-name: cache-openssl-http3-no-deprecated
with:
path: ~/openssl/build
key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_VERSION }}
fail-on-cache-miss: true
- name: 'cache openssl-prev'
if: ${{ contains(matrix.build.name, 'openssl-prev') }}
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
id: cache-openssl-prev-http3-no-deprecated
env:
cache-name: cache-openssl-prev-http3-no-deprecated
with:
path: ~/openssl-prev/build
key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_PREV_VERSION }}
fail-on-cache-miss: true
- name: 'cache libressl'
if: ${{ contains(matrix.build.name, 'libressl') }}
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
id: cache-libressl
env:
cache-name: cache-libressl
with:
path: ~/libressl/build
key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.LIBRESSL_VERSION }}
fail-on-cache-miss: true
- name: 'cache awslc'
if: ${{ contains(matrix.build.name, 'awslc') }}
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
@ -646,6 +614,38 @@ jobs:
key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.GNUTLS_VERSION }}-${{ env.NETTLE_VERSION }}
fail-on-cache-miss: true
- name: 'cache libressl'
if: ${{ contains(matrix.build.name, 'libressl') }}
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
id: cache-libressl
env:
cache-name: cache-libressl
with:
path: ~/libressl/build
key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.LIBRESSL_VERSION }}
fail-on-cache-miss: true
- name: 'cache openssl'
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
id: cache-openssl-http3-no-deprecated
env:
cache-name: cache-openssl-http3-no-deprecated
with:
path: ~/openssl/build
key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_VERSION }}
fail-on-cache-miss: true
- name: 'cache openssl-prev'
if: ${{ contains(matrix.build.name, 'openssl-prev') }}
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
id: cache-openssl-prev-http3-no-deprecated
env:
cache-name: cache-openssl-prev-http3-no-deprecated
with:
path: ~/openssl-prev/build
key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_PREV_VERSION }}
fail-on-cache-miss: true
- name: 'cache wolfssl'
if: ${{ contains(matrix.build.name, 'wolfssl') }}
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
@ -678,17 +678,6 @@ jobs:
${{ env.LIBRESSL_VERSION }}-${{ env.AWSLC_VERSION }}-${{ env.NETTLE_VERSION }}-${{ env.GNUTLS_VERSION }}-${{ env.WOLFSSL_VERSION }}"
fail-on-cache-miss: true
- name: 'cache ngtcp2 openssl-prev'
if: ${{ contains(matrix.build.name, 'openssl-prev') }}
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
id: cache-ngtcp2-openssl-prev
env:
cache-name: cache-ngtcp2-openssl-prev
with:
path: ~/ngtcp2-openssl-prev/build
key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.NGTCP2_VERSION }}-${{ env.OPENSSL_PREV_VERSION }}
fail-on-cache-miss: true
- name: 'cache ngtcp2 boringssl'
if: ${{ contains(matrix.build.name, 'boringssl') }}
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
@ -700,6 +689,17 @@ jobs:
key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.NGTCP2_VERSION }}-${{ env.BORINGSSL_VERSION }}
fail-on-cache-miss: true
- name: 'cache ngtcp2 openssl-prev'
if: ${{ contains(matrix.build.name, 'openssl-prev') }}
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
id: cache-ngtcp2-openssl-prev
env:
cache-name: cache-ngtcp2-openssl-prev
with:
path: ~/ngtcp2-openssl-prev/build
key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.NGTCP2_VERSION }}-${{ env.OPENSSL_PREV_VERSION }}
fail-on-cache-miss: true
- name: 'cache nghttp2'
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
id: cache-nghttp2
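Review bot: The 'build libressl' step placed into hunk @ -309,6 +275,40 fetches the release tarball and then runs `sha256sum pkg.bin && tar -xzf pkg.bin && rm -f pkg.bin`, which only logs the digest, while the 'build openssl-prev' step that now sits directly after it verifies the download against `OPENSSL_PREV_SHA256` with `grep -qwF` before extracting. The step is moved rather than new, but since the commit is already rearranging these steps it is the natural place to make the two consistent, e.g. `sha256sum pkg.bin | tee /dev/stderr | grep -qwF -- "${LIBRESSL_SHA256}" && tar -xzf pkg.bin && rm -f pkg.bin` with a `LIBRESSL_SHA256` entry next to `LIBRESSL_VERSION` in `env:`. As with `OPENSSL_PREV_SHA256`, such a value would have to be bumped by hand alongside the renovate-managed version, so it would need the same `# manually bumped` marker; if keeping the version fully renovate-driven is the preference, a short comment on the step saying the digest is deliberately only logged would at least make the difference from openssl-prev explicit. The enclosing `steps:` list of this job continues outside the hunk.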


@ -34,29 +34,29 @@ env:
CURL_CI: github
CURL_TEST_MIN: 1660
DO_NOT_TRACK: '1'
# renovate: datasource=github-tags depName=awslabs/aws-lc versioning=semver registryUrl=https://github.com
AWSLC_VERSION: 1.73.0
# renovate: datasource=github-tags depName=google/boringssl versioning=semver registryUrl=https://github.com
BORINGSSL_VERSION: 0.20260508.0
# renovate: datasource=github-releases depName=pizlonator/fil-c versioning=semver-coerced registryUrl=https://github.com
FIL_C_VERSION: 0.678
# renovate: datasource=github-tags depName=libressl/portable versioning=semver registryUrl=https://github.com
LIBRESSL_VERSION: 4.3.1
# renovate: datasource=github-tags depName=wolfSSL/wolfssl versioning=semver extractVersion=^v?(?<version>.+)-stable$ registryUrl=https://github.com
WOLFSSL_VERSION: 5.9.1
# renovate: datasource=github-tags depName=Mbed-TLS/mbedtls versioning=semver registryUrl=https://github.com
MBEDTLS_VERSION: 4.0.0
# manually bumped
MBEDTLS_PREV_VERSION: 3.6.5
MBEDTLS_PREV_SHA256: 4a11f1777bb95bf4ad96721cac945a26e04bf19f57d905f241fe77ebeddf46d8
# renovate: datasource=github-tags depName=awslabs/aws-lc versioning=semver registryUrl=https://github.com
AWSLC_VERSION: 1.73.0
# renovate: datasource=github-tags depName=google/boringssl versioning=semver registryUrl=https://github.com
BORINGSSL_VERSION: 0.20260508.0
# renovate: datasource=github-tags depName=nghttp2/nghttp2 versioning=semver registryUrl=https://github.com
NGHTTP2_VERSION: 1.69.0
# handled in renovate.json
OPENLDAP_VERSION: 2.6.10
# renovate: datasource=github-releases depName=openssl/openssl versioning=semver extractVersion=^openssl-(?<version>.+)$ registryUrl=https://github.com
OPENSSL_VERSION: 4.0.0
# renovate: datasource=github-tags depName=rustls/rustls-ffi versioning=semver registryUrl=https://github.com
RUSTLS_VERSION: 0.15.3
# handled in renovate.json
OPENLDAP_VERSION: 2.6.10
# renovate: datasource=github-tags depName=nghttp2/nghttp2 versioning=semver registryUrl=https://github.com
NGHTTP2_VERSION: 1.69.0
# renovate: datasource=github-releases depName=pizlonator/fil-c versioning=semver-coerced registryUrl=https://github.com
FIL_C_VERSION: 0.678
# renovate: datasource=github-tags depName=wolfSSL/wolfssl versioning=semver extractVersion=^v?(?<version>.+)-stable$ registryUrl=https://github.com
WOLFSSL_VERSION: 5.9.1
jobs:
linux:
@ -72,6 +72,20 @@ jobs:
fail-fast: false
matrix:
build:
- name: 'awslc'
install_steps: awslc pytest
LDFLAGS: -Wl,-rpath,/home/runner/awslc/lib
configure: --with-openssl=/home/runner/awslc --enable-ech --enable-ntlm
- name: 'awslc'
install_packages: libidn2-dev
install_steps: awslc
generate: -DOPENSSL_ROOT_DIR=/home/runner/awslc -DUSE_ECH=ON -DCMAKE_UNITY_BUILD=OFF -DCURL_DROP_UNUSED=ON -DCURL_PATCHSTAMP=test-patch -DCURL_ENABLE_NTLM=ON
- name: 'boringssl'
install_steps: boringssl pytest
generate: -DOPENSSL_ROOT_DIR=/home/runner/boringssl -DUSE_ECH=ON -DCURL_ENABLE_NTLM=ON
- name: 'libressl krb5'
image: ubuntu-24.04-arm
install_packages: libidn2-dev libnghttp2-dev libldap-dev libkrb5-dev
@ -101,27 +115,17 @@ jobs:
LDFLAGS: -Wl,-rpath,/home/runner/libressl/lib
configure: --with-openssl=/home/runner/libressl --enable-debug
- name: 'wolfssl-all'
image: ubuntu-24.04-arm
install_steps: wolfssl-all-arm
LDFLAGS: -Wl,-rpath,/home/runner/wolfssl-all/lib
configure: --with-wolfssl=/home/runner/wolfssl-all --enable-ech --enable-debug
- name: 'wolfssl-opensslextra valgrind 1'
image: ubuntu-24.04-arm
install_packages: valgrind
install_steps: wolfssl-opensslextra-arm
tflags: '--min=815 1 to 1000'
LDFLAGS: -Wl,-rpath,/home/runner/wolfssl-opensslextra/lib
configure: --with-wolfssl=/home/runner/wolfssl-opensslextra --enable-ech --enable-debug
- name: 'wolfssl-opensslextra valgrind 2'
image: ubuntu-24.04-arm
install_packages: valgrind
install_steps: wolfssl-opensslextra-arm
tflags: '--min=835 1001 to 9999'
LDFLAGS: -Wl,-rpath,/home/runner/wolfssl-opensslextra/lib
configure: --with-wolfssl=/home/runner/wolfssl-opensslextra --enable-ech --enable-debug
- name: 'libressl Fil-C'
install_steps: filc libressl-filc nghttp2-filc pytest
tflags: '!776' # adds 1-9 minutes to the test run step, and fails consistently
CC: /home/runner/filc/build/bin/filcc
PKG_CONFIG_PATH: /home/runner/nghttp2/lib/pkgconfig
generate: >-
-DBUILD_STATIC_LIBS=ON -DBUILD_SHARED_LIBS=OFF -DCMAKE_UNITY_BUILD=OFF -DCURL_DISABLE_TYPECHECK=ON
-DOPENSSL_ROOT_DIR=/home/runner/libressl -DCURL_USE_LIBPSL=OFF
-DCURL_ZLIB=OFF -DCURL_BROTLI=OFF -DCURL_ZSTD=OFF
-DCURL_DISABLE_LDAP=ON -DUSE_LIBIDN2=OFF -DCURL_USE_LIBSSH2=OFF
-DCURL_ENABLE_NTLM=ON
- name: 'mbedtls gss valgrind 1'
image: ubuntu-24.04-arm
@ -167,19 +171,44 @@ jobs:
-DBUILD_LIBCURL_DOCS=OFF -DBUILD_MISC_DOCS=OFF -DENABLE_CURL_MANUAL=OFF
-DCURL_COMPLETION_FISH=ON -DCURL_COMPLETION_ZSH=ON
- name: 'awslc'
install_steps: awslc pytest
LDFLAGS: -Wl,-rpath,/home/runner/awslc/lib
configure: --with-openssl=/home/runner/awslc --enable-ech --enable-ntlm
- name: 'rustls valgrind 1'
install_packages: libnghttp2-dev libldap-dev valgrind
install_steps: rust rustls
tflags: '--min=820 1 to 1000'
generate: -DCURL_USE_RUSTLS=ON -DUSE_ECH=ON -DENABLE_DEBUG=ON
- name: 'awslc'
install_packages: libidn2-dev
install_steps: awslc
generate: -DOPENSSL_ROOT_DIR=/home/runner/awslc -DUSE_ECH=ON -DCMAKE_UNITY_BUILD=OFF -DCURL_DROP_UNUSED=ON -DCURL_PATCHSTAMP=test-patch -DCURL_ENABLE_NTLM=ON
- name: 'rustls valgrind 2'
install_packages: libnghttp2-dev libldap-dev valgrind
install_steps: rust rustls
tflags: '--min=830 1001 to 9999'
generate: -DCURL_USE_RUSTLS=ON -DUSE_ECH=ON -DENABLE_DEBUG=ON
- name: 'boringssl'
install_steps: boringssl pytest
generate: -DOPENSSL_ROOT_DIR=/home/runner/boringssl -DUSE_ECH=ON -DCURL_ENABLE_NTLM=ON
- name: 'rustls'
install_packages: libnghttp2-dev libldap-dev
install_steps: rust rustls skiprun pytest
configure: --with-rustls --enable-ech --enable-debug
- name: 'wolfssl-all'
image: ubuntu-24.04-arm
install_steps: wolfssl-all-arm
LDFLAGS: -Wl,-rpath,/home/runner/wolfssl-all/lib
configure: --with-wolfssl=/home/runner/wolfssl-all --enable-ech --enable-debug
- name: 'wolfssl-opensslextra valgrind 1'
image: ubuntu-24.04-arm
install_packages: valgrind
install_steps: wolfssl-opensslextra-arm
tflags: '--min=815 1 to 1000'
LDFLAGS: -Wl,-rpath,/home/runner/wolfssl-opensslextra/lib
configure: --with-wolfssl=/home/runner/wolfssl-opensslextra --enable-ech --enable-debug
- name: 'wolfssl-opensslextra valgrind 2'
image: ubuntu-24.04-arm
install_packages: valgrind
install_steps: wolfssl-opensslextra-arm
tflags: '--min=835 1001 to 9999'
LDFLAGS: -Wl,-rpath,/home/runner/wolfssl-opensslextra/lib
configure: --with-wolfssl=/home/runner/wolfssl-opensslextra --enable-ech --enable-debug
- name: 'openssl default'
install_steps: pytest
@ -287,18 +316,6 @@ jobs:
tflags: '--min=500'
configure: --without-ssl --enable-debug --disable-http --disable-smtp --disable-imap --disable-unity
- name: 'libressl Fil-C'
install_steps: filc libressl-filc nghttp2-filc pytest
tflags: '!776' # adds 1-9 minutes to the test run step, and fails consistently
CC: /home/runner/filc/build/bin/filcc
PKG_CONFIG_PATH: /home/runner/nghttp2/lib/pkgconfig
generate: >-
-DBUILD_STATIC_LIBS=ON -DBUILD_SHARED_LIBS=OFF -DCMAKE_UNITY_BUILD=OFF -DCURL_DISABLE_TYPECHECK=ON
-DOPENSSL_ROOT_DIR=/home/runner/libressl -DCURL_USE_LIBPSL=OFF
-DCURL_ZLIB=OFF -DCURL_BROTLI=OFF -DCURL_ZSTD=OFF
-DCURL_DISABLE_LDAP=ON -DUSE_LIBIDN2=OFF -DCURL_USE_LIBSSH2=OFF
-DCURL_ENABLE_NTLM=ON
- name: 'clang-tidy'
install_packages: clang-20 clang-tidy-20 libssl-dev libidn2-dev libssh2-1-dev libnghttp2-dev libldap-dev libkrb5-dev libgnutls28-dev
install_steps: skiprun mbedtls-latest-intel rustls wolfssl-opensslextra-intel
@ -412,23 +429,6 @@ jobs:
configure: --enable-debug --enable-static --disable-shared --disable-threaded-resolver --with-libssh --with-openssl
tflags: '-n --test-duphandle'
- name: 'rustls valgrind 1'
install_packages: libnghttp2-dev libldap-dev valgrind
install_steps: rust rustls
tflags: '--min=820 1 to 1000'
generate: -DCURL_USE_RUSTLS=ON -DUSE_ECH=ON -DENABLE_DEBUG=ON
- name: 'rustls valgrind 2'
install_packages: libnghttp2-dev libldap-dev valgrind
install_steps: rust rustls
tflags: '--min=830 1001 to 9999'
generate: -DCURL_USE_RUSTLS=ON -DUSE_ECH=ON -DENABLE_DEBUG=ON
- name: 'rustls'
install_packages: libnghttp2-dev libldap-dev
install_steps: rust rustls skiprun pytest
configure: --with-rustls --enable-ech --enable-debug
- name: 'IntelC openssl'
install_packages: libssl-dev
install_steps: intelc


@ -835,26 +835,26 @@ if(CURL_USE_OPENSSL)
cmake_push_check_state()
list(APPEND CMAKE_REQUIRED_LIBRARIES OpenSSL::SSL OpenSSL::Crypto)
if(NOT DEFINED HAVE_BORINGSSL)
check_symbol_exists("OPENSSL_IS_BORINGSSL" "openssl/base.h" HAVE_BORINGSSL)
endif()
if(NOT DEFINED HAVE_AWSLC)
check_symbol_exists("OPENSSL_IS_AWSLC" "openssl/base.h" HAVE_AWSLC)
endif()
if(NOT DEFINED HAVE_BORINGSSL)
check_symbol_exists("OPENSSL_IS_BORINGSSL" "openssl/base.h" HAVE_BORINGSSL)
endif()
if(NOT DEFINED HAVE_LIBRESSL)
check_symbol_exists("LIBRESSL_VERSION_NUMBER" "openssl/opensslv.h" HAVE_LIBRESSL)
endif()
cmake_pop_check_state()
if(HAVE_BORINGSSL OR HAVE_AWSLC)
if(NOT MSVC AND NOT ANDROID) # BoringSSL/AWS-LC MSVC builds use native Windows threads
if(HAVE_AWSLC OR HAVE_BORINGSSL)
if(NOT MSVC AND NOT ANDROID) # AWS-LC/BoringSSL MSVC builds use native Windows threads
find_package(Threads)
if(CMAKE_USE_PTHREADS_INIT)
set(HAVE_THREADS_POSIX_BORINGSSL 1)
list(APPEND CURL_NETWORK_AND_TIME_LIBS Threads::Threads)
list(APPEND CMAKE_REQUIRED_LIBRARIES Threads::Threads)
elseif(OPENSSL_USE_STATIC_LIBS)
message(WARNING "BoringSSL/AWS-LC requires POSIX Threads.")
message(WARNING "AWS-LC/BoringSSL requires POSIX Threads.")
endif()
endif()
if(OPENSSL_USE_STATIC_LIBS AND CMAKE_C_COMPILER_ID MATCHES "Clang")
@ -863,17 +863,17 @@ if(CURL_USE_OPENSSL)
endif()
endif()
if(HAVE_BORINGSSL)
if(USE_AMISSL)
set(_openssl "AmiSSL")
elseif(HAVE_AWSLC)
set(_openssl "AWS-LC")
elseif(HAVE_BORINGSSL)
if(BORINGSSL_VERSION)
set(CURL_BORINGSSL_VERSION "\"${BORINGSSL_VERSION}\"")
endif()
set(_openssl "BoringSSL")
elseif(HAVE_AWSLC)
set(_openssl "AWS-LC")
elseif(HAVE_LIBRESSL)
set(_openssl "LibreSSL")
elseif(USE_AMISSL)
set(_openssl "AmiSSL")
else()
set(_openssl "OpenSSL")
endif()
@ -1097,7 +1097,7 @@ if(USE_ECH)
set(HAVE_ECH 1)
endif()
if(NOT HAVE_ECH)
message(FATAL_ERROR "ECH support missing in OpenSSL/BoringSSL/AWS-LC/wolfSSL/rustls-ffi")
message(FATAL_ERROR "ECH support missing in AWS-LC/BoringSSL/OpenSSL/Rustls/wolfSSL")
else()
message(STATUS "ECH enabled")
# ECH wants HTTPSRR
@ -1105,7 +1105,7 @@ if(USE_ECH)
message(STATUS "HTTPSRR enabled")
endif()
else()
message(FATAL_ERROR "ECH requires ECH-enabled OpenSSL, BoringSSL, AWS-LC, wolfSSL or rustls-ffi")
message(FATAL_ERROR "ECH requires ECH-enabled AWS-LC, BoringSSL, OpenSSL, Rustls or wolfSSL")
endif()
endif()


@ -96,10 +96,10 @@ are NULL ciphers, offering no encryption whatsoever.)
### TLS 1.2 (1.1, 1.0) cipher suites
Setting TLS 1.2 cipher suites is supported by curl with OpenSSL, LibreSSL,
BoringSSL, mbedTLS (curl 8.8.0+), wolfSSL (curl 7.53.0+). Schannel does not
support setting cipher suites directly, but does support setting algorithms
(curl 7.61.0+), see Schannel notes below.
Setting TLS 1.2 cipher suites is supported by curl with AWS-LC, BoringSSL,
LibreSSL, mbedTLS (curl 8.8.0+), OpenSSL, wolfSSL (curl 7.53.0+). Schannel
does not support setting cipher suites directly, but does support setting
algorithms (curl 7.61.0+), see Schannel notes below.
For TLS 1.2 cipher suites there are multiple naming schemes, the two most used
are with OpenSSL names (e.g. `ECDHE-RSA-AES128-GCM-SHA256`) and IANA names


@ -97,7 +97,7 @@ option. The available TLS backends are:
- `GnuTLS`
- `mbedTLS`
- `OpenSSL` (also covers BoringSSL, LibreSSL, quictls, AWS-LC and AmiSSL)
- `OpenSSL` (also covers AmiSSL, AWS-LC, BoringSSL, LibreSSL and quictls)
- `rustls`
- `Schannel`
- `wolfSSL`


@ -8,8 +8,8 @@ SPDX-License-Identifier: curl
We have added support for ECH to curl. It can use HTTPS RRs published in the
DNS if curl uses DoH, or else can accept the relevant ECHConfigList values
from the command line. This works with OpenSSL, wolfSSL, BoringSSL, AWS-LC
or rustls-ffi as the TLS provider.
from the command line. This works with AWS-LC, BoringSSL, OpenSSL, Rustls or
wolfSSL as the TLS provider.
This feature is EXPERIMENTAL. DO NOT USE IN PRODUCTION.
@ -153,7 +153,7 @@ LD_LIBRARY_PATH=$HOME/code/openssl ./src/curl -vvv --ech ecl:AED+DQA8yAAgACDRMQo
```
At that point, you could copy the base64 encoded value above and try again.
For now, this only works for the OpenSSL and BoringSSL/AWS-LC builds.
For now, this only works for the OpenSSL and AWS-LC/BoringSSL builds.
## Default settings
@ -338,11 +338,11 @@ WARNING: ECH HTTPSRR enabled but marked EXPERIMENTAL. Use with caution.
make
```
The BoringSSL/AWS-LC APIs are fairly similar to those in our ECH-enabled
The AWS-LC/BoringSSL APIs are fairly similar to those in our ECH-enabled
OpenSSL fork, so code changes are also in `lib/vtls/openssl.c`, protected
via `#ifdef OPENSSL_IS_BORINGSSL` and are mostly obvious API variations.
The BoringSSL/AWS-LC APIs however do not support the `--ech pn:` command
The AWS-LC/BoringSSL APIs however do not support the `--ech pn:` command
line variant as of now.
## wolfSSL build
@ -405,7 +405,7 @@ Then there are some functional code changes:
The lack of support for `--ech false` is because wolfSSL has decided to
always at least GREASE if built to support ECH. In other words, GREASE is
a compile time choice for wolfSSL, but a runtime choice for OpenSSL or
BoringSSL/AWS-LC. (Both are reasonable.)
AWS-LC/BoringSSL. (Both are reasonable.)
## Additional notes
@ -471,7 +471,7 @@ get the HTTPS RR and pass the ECHConfigList from that on the command line, if
needed, or one can access the value from command line output in verbose more
and then reuse that in another invocation.
Both our OpenSSL fork and BoringSSL/AWS-LC have APIs for both controlling GREASE
Both our OpenSSL fork and AWS-LC/BoringSSL have APIs for both controlling GREASE
and accessing and logging `retry_configs`, it seems wolfSSL has neither.
### Testing ECH


@ -294,10 +294,10 @@ curl has been written to use a generic SSL function layer internally, and
that SSL functionality can then be provided by one out of many different SSL
backends.
curl can be built to use one of the following SSL alternatives: OpenSSL,
LibreSSL, BoringSSL, AWS-LC, GnuTLS, wolfSSL, mbedTLS, Schannel (native
Windows) or Rustls. They all have their pros and cons, and we maintain [a TLS
library comparison](https://curl.se/docs/ssl-compared.html).
curl can be built to use one of the following SSL alternatives: AWS-LC,
BoringSSL, GnuTLS, LibreSSL, OpenSSL, mbedTLS, Rustls, Schannel (native
Windows), or wolfSSL. They all have their pros and cons, and we maintain
[a TLS library comparison](https://curl.se/docs/ssl-compared.html).
## How do I upgrade curl.exe in Windows?


@ -146,7 +146,7 @@ These options are provided to select the TLS backend to use.
- AmiSSL: `--with-amissl`
- GnuTLS: `--with-gnutls`.
- mbedTLS: `--with-mbedtls`
- OpenSSL: `--with-openssl` (also for BoringSSL, AWS-LC, LibreSSL, and quictls)
- OpenSSL: `--with-openssl` (also for AWS-LC, BoringSSL, LibreSSL, and quictls)
- Rustls: `--with-rustls`
- Schannel: `--with-schannel`
- wolfSSL: `--with-wolfssl`
@ -486,7 +486,7 @@ install `libssl.a` and `libcrypto.a` to `$TOOLCHAIN/sysroot/usr/lib` and copy
for Android using OpenSSL like this:
```sh
# For OpenSSL/BoringSSL. In general, you need to the SSL/TLS layer's transitive
# For BoringSSL/OpenSSL. In general, you need to the SSL/TLS layer's transitive
# dependencies if you are linking statically.
LIBS='-lssl -lcrypto -lc++'
./configure --host aarch64-linux-android --with-pic --disable-shared --with-openssl="$TOOLCHAIN/sysroot/usr"


@ -24,7 +24,7 @@ Use the operating system's native CA store for certificate verification.
This option is independent of other CA certificate locations set at run time or
build time. Those locations are searched in addition to the native CA store.
This option works with OpenSSL and its forks (LibreSSL, BoringSSL, etc) on
This option works with OpenSSL and its forks (BoringSSL, LibreSSL, etc) on
Windows (Added in 7.71.0) and on Apple OS when libcurl is built with
Apple SecTrust enabled. (Added in 8.17.0)


@ -20,8 +20,8 @@ Example:
Enable the use of TLSv1.3 early data, also known as '0RTT' where possible.
This has security implications for the requests sent that way.
This option can be used when curl is built to use GnuTLS, wolfSSL, quictls and
OpenSSL as a TLS provider (but not BoringSSL, AWS-LC, or Rustls).
This option can be used when curl is built to use GnuTLS, OpenSSL, quictls and
wolfSSL as a TLS provider (but not AWS-LC, BoringSSL, or Rustls).
If a server supports this TLSv1.3 feature, and to what extent, is announced
as part of the TLS "session" sent back to curl. Until curl has seen such


@ -70,11 +70,11 @@ SSL backend names (case-insensitive): GnuTLS, mbedTLS, OpenSSL, Rustls,
Schannel, wolfSSL
The name "OpenSSL" is used for all versions of OpenSSL and its associated
forks/flavors in this function. OpenSSL, BoringSSL, LibreSSL, quictls and
AmiSSL are all supported by libcurl, but in the eyes of curl_global_sslset(3)
they are all called "OpenSSL". They all mostly provide the same API.
curl_version_info(3) can return more specific info about the exact OpenSSL
flavor and version number in use.
forks/flavors in this function. AmiSSL, AWS-LC, BoringSSL, LibreSSL, OpenSSL
and quictls are all supported by libcurl, but in the eyes of
curl_global_sslset(3) they are all called "OpenSSL". They all mostly provide
the same API. curl_version_info(3) can return more specific info about the
exact OpenSSL flavor and version number in use.
# struct


@ -58,7 +58,7 @@ Tells libcurl to not accept "partial" certificate chains, which it otherwise
does by default. This option fails the certificate verification if the chain
ends with an intermediate certificate and not with a root cert.
Works with OpenSSL and its forks (LibreSSL, BoringSSL, etc). (Added in 7.68.0)
Works with OpenSSL and its forks (BoringSSL, LibreSSL, etc). (Added in 7.68.0)
Works with Schannel if the user specified certificates to verify the peer.
(Added in 8.15.0)
@ -78,9 +78,9 @@ verification. This option is independent of other CA certificate locations set
at run time or build time. Those locations are searched in addition to the
native CA store.
Works with wolfSSL on Windows, Linux (Debian, Ubuntu, Gentoo, Fedora, RHEL),
Works with wolfSSL on Windows, Linux (Debian, Fedora, Gentoo, RHEL, Ubuntu),
macOS, Android and iOS (added in 8.3.0); with GnuTLS (added in 8.5.0) and with
OpenSSL and its forks (LibreSSL, BoringSSL, etc) on Windows (Added in 7.71.0).
OpenSSL and its forks (BoringSSL, LibreSSL, etc) on Windows (Added in 7.71.0).
## CURLSSLOPT_AUTO_CLIENT_CERT


@ -56,7 +56,7 @@ Tells libcurl to not accept "partial" certificate chains, which it otherwise
does by default. This option fails the certificate verification if the chain
ends with an intermediate certificate and not with a root cert.
Works with OpenSSL and its forks (LibreSSL, BoringSSL, etc). (Added in 7.68.0)
Works with OpenSSL and its forks (BoringSSL, LibreSSL, etc). (Added in 7.68.0)
Works with Schannel if the user specified certificates to verify the peer.
(Added in 8.15.0)
@ -76,9 +76,9 @@ verification. This option is independent of other CA certificate locations set
at run time or build time. Those locations are searched in addition to the
native CA store.
Works with wolfSSL on Windows, Linux (Debian, Ubuntu, Gentoo, Fedora, RHEL),
Works with wolfSSL on Windows, Linux (Debian, Fedora, Gentoo, RHEL, Ubuntu),
macOS, Android and iOS (added in 8.3.0); with GnuTLS (added in 8.5.0) and with
OpenSSL and its forks (LibreSSL, BoringSSL, etc) on Windows (Added in 7.71.0).
OpenSSL and its forks (BoringSSL, LibreSSL, etc) on Windows (Added in 7.71.0).
This works with Rustls on Windows, macOS, Android and iOS. On Linux it is
equivalent to using the Mozilla CA certificate bundle. When used with Rustls
@ -98,13 +98,13 @@ could be a privacy violation and unexpected.
## CURLSSLOPT_EARLYDATA
Tell libcurl to try sending application data as TLS1.3 early data. This option
is supported for GnuTLS, wolfSSL, quictls and OpenSSL (but not BoringSSL
or AWS-LC). It works on TCP and QUIC connections using ngtcp2.
is supported for GnuTLS, OpenSSL, quictls and wolfSSL (but not AWS-LC or
BoringSSL). It works on TCP and QUIC connections using ngtcp2.
This option works on a best effort basis,
in cases when it was not possible to send early data the request is resent
normally post-handshake.
This option does not work when using QUIC.
(Added in 8.11.0 for GnuTLS and 8.13.0 for wolfSSL, quictls and OpenSSL)
(Added in 8.11.0 for GnuTLS and 8.13.0 for OpenSSL, quictls and wolfSSL)
# DEFAULT


@ -31,7 +31,7 @@
#if defined(_WIN32) && !defined(CURL_STATICLIB)
#if defined(USE_OPENSSL) && \
!defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) && \
!defined(OPENSSL_IS_AWSLC) && !defined(OPENSSL_IS_BORINGSSL) && \
!defined(LIBRESSL_VERSION_NUMBER)
#define PREVENT_OPENSSL_MEMLEAK
#endif


@ -45,7 +45,7 @@
#ifdef USE_WIN32_LDAP /* Use Windows LDAP implementation. */
# include <winldap.h>
/* Undefine indirect <wincrypt.h> symbols conflicting with BoringSSL/AWS-LC. */
/* Undefine indirect <wincrypt.h> symbols conflicting with AWS-LC/BoringSSL. */
# undef X509_NAME
# undef X509_EXTENSIONS
# undef PKCS7_ISSUER_AND_SERIAL


@ -29,7 +29,7 @@
#ifdef USE_OPENSSL
#include <openssl/err.h>
#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
#if defined(OPENSSL_IS_AWSLC) || defined(OPENSSL_IS_BORINGSSL)
#include <ngtcp2/ngtcp2_crypto_boringssl.h>
#elif defined(OPENSSL_QUIC_API2)
#include <ngtcp2/ngtcp2_crypto_ossl.h>
@ -2484,7 +2484,7 @@ static CURLcode cf_ngtcp2_tls_ctx_setup(struct Curl_cfilter *cf,
struct curl_tls_ctx *ctx = user_data;
#ifdef USE_OPENSSL
#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
#if defined(OPENSSL_IS_AWSLC) || defined(OPENSSL_IS_BORINGSSL)
if(ngtcp2_crypto_boringssl_configure_client_context(ctx->ossl.ssl_ctx)
!= 0) {
failf(data, "ngtcp2_crypto_boringssl_configure_client_context failed");
@ -2497,7 +2497,7 @@ static CURLcode cf_ngtcp2_tls_ctx_setup(struct Curl_cfilter *cf,
failf(data, "ngtcp2_crypto_quictls_configure_client_context failed");
return CURLE_FAILED_INIT;
}
#endif /* !OPENSSL_IS_BORINGSSL && !OPENSSL_IS_AWSLC */
#endif /* !OPENSSL_IS_AWSLC && !OPENSSL_IS_BORINGSSL */
if(Curl_ssl_scache_use(cf, data)) {
/* Enable the session cache because it is a prerequisite for the
* "new session" callback. Use the "external storage" mode to prevent


@ -127,9 +127,9 @@
#endif
/* Whether SSL_CTX_set_ciphersuites is available.
* OpenSSL: supported since 1.1.1 (commit a53b5be6a05)
* BoringSSL: no
* LibreSSL: supported since 3.4.1 (released 2021-10-14)
* OpenSSL: supported since 1.1.1 (commit a53b5be6a05)
*/
#if (!defined(LIBRESSL_VERSION_NUMBER) || \
(defined(LIBRESSL_VERSION_NUMBER) && \
@ -142,9 +142,9 @@
#endif
/* Whether SSL_CTX_set1_sigalgs_list is available
* OpenSSL: supported since 1.0.2 (commit 0b362de5f575)
* BoringSSL: supported since 0.20240913.0 (commit 826ce15)
* LibreSSL: no
* OpenSSL: supported since 1.0.2 (commit 0b362de5f575)
*/
#ifndef LIBRESSL_VERSION_NUMBER
#define HAVE_SSL_CTX_SET1_SIGALGS
@ -152,10 +152,10 @@
#ifdef LIBRESSL_VERSION_NUMBER
#define OSSL_PACKAGE "LibreSSL"
#elif defined(OPENSSL_IS_BORINGSSL)
#define OSSL_PACKAGE "BoringSSL"
#elif defined(OPENSSL_IS_AWSLC)
#define OSSL_PACKAGE "AWS-LC"
#elif defined(OPENSSL_IS_BORINGSSL)
#define OSSL_PACKAGE "BoringSSL"
#elif defined(USE_NGTCP2) && defined(USE_NGHTTP3) && \
!defined(OPENSSL_QUIC_API2)
#define OSSL_PACKAGE "quictls"
@ -4219,7 +4219,7 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter *cf,
}
#ifdef SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED
/* SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED is only available on
OpenSSL version above v1.1.1, not LibreSSL, BoringSSL, or AWS-LC */
OpenSSL version above v1.1.1, not AWS-LC, BoringSSL, or LibreSSL */
else if((lib == ERR_LIB_SSL) &&
(reason == SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED)) {
/* If client certificate is required, communicate the
@ -5408,6 +5408,9 @@ size_t Curl_ossl_version(char *buffer, size_t size)
*p = '_';
}
return count;
#elif defined(OPENSSL_IS_AWSLC)
return curl_msnprintf(buffer, size, "%s/%s",
OSSL_PACKAGE, AWSLC_VERSION_NUMBER_STRING);
#elif defined(OPENSSL_IS_BORINGSSL)
#ifdef CURL_BORINGSSL_VERSION
return curl_msnprintf(buffer, size, "%s/%s",
@ -5415,9 +5418,6 @@ size_t Curl_ossl_version(char *buffer, size_t size)
#else
return curl_msnprintf(buffer, size, OSSL_PACKAGE);
#endif
#elif defined(OPENSSL_IS_AWSLC)
return curl_msnprintf(buffer, size, "%s/%s",
OSSL_PACKAGE, AWSLC_VERSION_NUMBER_STRING);
#else /* OpenSSL 3+ */
return curl_msnprintf(buffer, size, "%s/%s",
OSSL_PACKAGE, OpenSSL_version(OPENSSL_VERSION_STRING));
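Review bot: The re-sorted availability comments above the `SSL_CTX_set_ciphersuites` and `SSL_CTX_set1_sigalgs_list` guards still list only BoringSSL, LibreSSL and OpenSSL, although the commit adds AWS-LC to other lists in the tree; the guards visible below them exclude only LibreSSL, so AWS-LC builds take the same path as BoringSSL and OpenSSL and a line such as ` * AWS-LC: <status — confirm against the AWS-LC headers>` would make each comment complete. I cannot tell from the hunk whether AWS-LC actually provides these two functions, so the status needs checking rather than being copied from the BoringSSL line. The `OSSL_PACKAGE` chain is also left starting with `#ifdef LIBRESSL_VERSION_NUMBER` ahead of AWS-LC and BoringSSL, which is not alphabetical like the rest of this commit; if the three macros are mutually exclusive, moving the LibreSSL branch after the BoringSSL one is a harmless consistency change. Both `#if` chains and `Curl_ossl_version` extend past the hunks shown.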


@ -33,7 +33,7 @@
* <winldap.h>, <iphlpapi.h>, or something else, <wincrypt.h> does this:
* #define X509_NAME ((LPCSTR)7)
*
* In BoringSSL/AWC-LC's <openssl/base.h> there is:
* In AWC-LC/BoringSSL's <openssl/base.h> there is:
* typedef struct X509_name_st X509_NAME;
* etc.
*
@ -74,7 +74,7 @@
#define HAVE_OPENSSL3 /* non-fork OpenSSL 3.x or later */
#endif
#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
#if defined(OPENSSL_IS_AWSLC) || defined(OPENSSL_IS_BORINGSSL)
#define HAVE_BORINGSSL_LIKE
#endif
@ -86,9 +86,9 @@
/*
* Whether SSL_CTX_set_keylog_callback is available.
* OpenSSL: supported since 1.1.1 https://github.com/openssl/openssl/pull/2287
* BoringSSL: supported since d28f59c27bac (committed 2015-11-19)
* LibreSSL: not supported. 3.5.0+ has a stub function that does nothing.
* OpenSSL: supported since 1.1.1 https://github.com/openssl/openssl/pull/2287
*/
#ifndef LIBRESSL_VERSION_NUMBER
#define HAVE_KEYLOG_CALLBACK
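Review bot: The rewritten comment line `* In AWC-LC/BoringSSL's <openssl/base.h> there is:` carries over the pre-existing misspelling `AWC-LC`; since the line is being touched anyway it should read `* In AWS-LC/BoringSSL's <openssl/base.h> there is:`. Further down, the `SSL_CTX_set_keylog_callback` availability list names BoringSSL, LibreSSL and OpenSSL but not AWS-LC, while the `#ifndef LIBRESSL_VERSION_NUMBER` guard below it puts AWS-LC on the same path as the other two; a fourth line for AWS-LC would make the comment match the guard, but I cannot tell from the hunk whether AWS-LC implements the callback, so its status needs confirming before it is written down. Both comment blocks begin outside the hunks shown.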


@ -231,23 +231,6 @@ if test "x$OPT_OPENSSL" != "xno"; then
if test "$OPENSSL_ENABLED" = "1"; then
dnl These can only exist if OpenSSL exists
AC_MSG_CHECKING([for BoringSSL])
AC_COMPILE_IFELSE([
AC_LANG_PROGRAM([[
#include <openssl/base.h>
]],[[
#ifndef OPENSSL_IS_BORINGSSL
#error not boringssl
#endif
]])
],[
AC_MSG_RESULT([yes])
ssl_msg="BoringSSL"
OPENSSL_IS_BORINGSSL=1
],[
AC_MSG_RESULT([no])
])
AC_MSG_CHECKING([for AWS-LC])
AC_COMPILE_IFELSE([
AC_LANG_PROGRAM([[
@ -265,6 +248,23 @@ if test "x$OPT_OPENSSL" != "xno"; then
AC_MSG_RESULT([no])
])
AC_MSG_CHECKING([for BoringSSL])
AC_COMPILE_IFELSE([
AC_LANG_PROGRAM([[
#include <openssl/base.h>
]],[[
#ifndef OPENSSL_IS_BORINGSSL
#error not BoringSSL
#endif
]])
],[
AC_MSG_RESULT([yes])
ssl_msg="BoringSSL"
OPENSSL_IS_BORINGSSL=1
],[
AC_MSG_RESULT([no])
])
AC_MSG_CHECKING([for LibreSSL])
AC_COMPILE_IFELSE([
AC_LANG_PROGRAM([[


@ -32,7 +32,7 @@
#include <vtls/openssl.h>
#ifdef HAVE_BORINGSSL_LIKE
/* BoringSSL and AWS-LC */
/* AWS-LC and BoringSSL */
typedef uint32_t opt1587;
#else
typedef uint64_t opt1587;


@ -589,7 +589,7 @@ sub checksystemfeatures {
$feature{"wolfssl"} = 1;
$feature{"SSLpinning"} = 1;
}
elsif($libcurl =~ /\s(BoringSSL|AWS-LC)\b/i) {
elsif($libcurl =~ /\s(AWS-LC|BoringSSL)\b/i) {
# OpenSSL compatible API
$feature{"OpenSSL"} = 1;
$feature{"SSLpinning"} = 1;