Discussion:
LibreSSL support
Jan Stary
2018-09-13 10:31:18 UTC
Dear all,

what is the state of curl's LibreSSL support? The comparison page
https://curl.haxx.se/docs/ssl-compared.html does not even mention LibreSSL.

For instance, the MacPort of curl
https://github.com/macports/macports-ports/tree/master/net/curl
uses a patch (mostly dancing with LIBRESSL_VERSION_NUMBER and OPENSSL_VERSION)
to make curl compile on MacOS. Similarly for OpenBSD,
http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/net/curl/

Jan

-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etique
Daniel Stenberg
2018-09-13 11:46:55 UTC
Post by Jan Stary
what is the state of curl's LibreSSL support? The comparison page
https://curl.haxx.se/docs/ssl-compared.html does not even mention LibreSSL.
Check again. It says:

[1] = Mostly the same feature set is also provided by LibreSSL and BoringSSL
Post by Jan Stary
For instance, the MacPort of curl
https://github.com/macports/macports-ports/tree/master/net/curl uses a patch
(mostly dancing with LIBRESSL_VERSION_NUMBER and OPENSSL_VERSION) to make
curl compile on MacOS.
Curious. We have a travis job that makes sure that *every single merge* we do
also builds and tests fine with libressl. On mac even.

Nobody has presented any patch to us to improve our libressl support. I have
not seen that patch before. It looks like it corrects the libressl version
number, not actually fixing a build problem?
Post by Jan Stary
Similarly for OpenBSD,
http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/net/curl/
I must be blind. I see no libressl patch there?
--
/ daniel.haxx.se
Daniel Stenberg
2018-09-13 14:15:07 UTC
It looks like it corrects the libressl version number, not actually fixing a
build problem?
It reminded me and I posted a PR to improve how libcurl shows the libressl
version number: https://github.com/curl/curl/pull/2989
--
/ daniel.haxx.se
Jan Stary
2018-09-17 13:11:21 UTC
Post by Daniel Stenberg
Post by Jan Stary
what is the state of curl's LibreSSL support? The comparison page
https://curl.haxx.se/docs/ssl-compared.html does not even mention LibreSSL.
[1] = Mostly the same feature set is also provided by LibreSSL and BoringSSL
Sorry, I missed that.

The statement is a bit misleading though, right?
For instance, LibreSSL deliberately dropped SSLv2 and SSLv3.
Post by Daniel Stenberg
Post by Jan Stary
For instance, the MacPort of curl
https://github.com/macports/macports-ports/tree/master/net/curl uses a
patch (mostly dancing with LIBRESSL_VERSION_NUMBER and OPENSSL_VERSION)
to make curl compile on MacOS.
Curious. We have a travis job that makes sure that *every single merge* we
do also builds and tests fine with libressl. On mac even.
Yes. The current git builds without problems on 10.13.6,
using /usr/lib/libssl.dylib, which is LibreSSL's libssl.35.dylib.

The reason the MacPort needs the patch is probably that MacPorts
uses the old LibreSSL 2.5.5, when a patch like this was still needed.
Post by Daniel Stenberg
Nobody has presented any patch to us to improve our libressl support. I have
not seen that patch before. It looks like it corrects the libressl version
number, not actually fixing a build problem?
Does curl make decisions in the code
based on the SSL implementation version?
Or does this merely display the version?
Post by Daniel Stenberg
Post by Jan Stary
Similarly for OpenBSD,
http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/net/curl/
I must be blind. I see no libressl patch there?
http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/net/curl/patches/patch-lib_vtls_openssl_c

Jan

Daniel Stenberg
2018-09-17 14:34:41 UTC
Post by Jan Stary
Post by Daniel Stenberg
[1] = Mostly the same feature set is also provided by LibreSSL and BoringSSL
Sorry, I missed that.
The statement is a bit misleading though, right? For instance, LibreSSL
deliberately dropped SSLv2 and SSLv3.
I don't think it is actually *misleading* since it says "mostly the same". I
think that's accurate. It is a bit unspecific though, like about in what
particular areas the three forks differ. I'm not even sure myself so I've not
split them up.

The web site contents (like this SSL comparison table) are also in git and we
welcome pull-requests there too. See the table at
https://github.com/curl/curl-www/blob/master/docs/_ssl-compared.html

SSLv2 and SSLv3 are disabled by default in OpenSSL and BoringSSL as well so in
reality I doubt that particular detail matters much to most users.
Post by Jan Stary
The reason the MacPort needs the patch is probably that MacPorts uses the
old LibreSSL 2.5.5, when a patch like this was still needed.
If you say so. Still nobody has presented that or a similar patch to us, which
in my mind means they don't truly think it should be used by us. In the meantime
I landed my take on the libressl version number fix.
Post by Jan Stary
Does curl make decisions in the code based on the SSL implementation
version?
The code makes build-time decisions *mostly* based on OPENSSL_VERSION_NUMBER,
but also on LIBRESSL_VERSION_NUMBER since they've gone separate ways.
Post by Jan Stary
Or does this merely display the version?
OpenSSL_version_num() is used to display the version.
Post by Jan Stary
Post by Daniel Stenberg
I must be blind. I see no libressl patch there?
http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/net/curl/patches/patch-lib_vtls_openssl_c
Thanks. I believe that is now rendered obsolete.
--
/ daniel.haxx.se
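
Added example, not part of the thread and not curl's own code: why a build-time gate has to consult LIBRESSL_VERSION_NUMBER before OPENSSL_VERSION_NUMBER, and how the same number decodes for display. LibreSSL's headers fix OPENSSL_VERSION_NUMBER at 0x20000000L, so a gate that looks only at that macro passes on every LibreSSL release. The function names, the sample values and the 0x20700000 LibreSSL threshold are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* LibreSSL's opensslv.h fixes OPENSSL_VERSION_NUMBER at this value. */
#define LIBRESSL_FIXED_OPENSSL_NUMBER 0x20000000UL

/* Fork-unaware gate: looks only at the OpenSSL number. */
static int naive_gate(unsigned long ossl, unsigned long min_ossl)
{
    return ossl >= min_ossl;
}

/* Fork-aware gate. libre is 0 when LIBRESSL_VERSION_NUMBER is undefined.
 * min_libre is the LibreSSL release that gained the API (caller-supplied). */
static int fork_aware_gate(unsigned long ossl, unsigned long libre,
                           unsigned long min_ossl, unsigned long min_libre)
{
    return libre ? libre >= min_libre : ossl >= min_ossl;
}

/* Decode the pre-3.0 0xMNNFFPPS layout into a display string.
 * OpenSSL patch levels past 'z' are left out of the string. */
static const char *version_string(unsigned long ossl, unsigned long libre,
                                  char *buf, size_t len)
{
    unsigned long v = libre ? libre : ossl;
    unsigned long major = (v >> 28) & 0xf, minor = (v >> 20) & 0xff;
    unsigned long fix = (v >> 12) & 0xff, patch = (v >> 4) & 0xff;

    if (libre)                      /* LibreSSL uses no patch letter */
        snprintf(buf, len, "LibreSSL/%lu.%lu.%lu", major, minor, fix);
    else if (patch >= 1 && patch <= 26)
        snprintf(buf, len, "OpenSSL/%lu.%lu.%lu%c", major, minor, fix,
                 (char)('a' + patch - 1));
    else
        snprintf(buf, len, "OpenSSL/%lu.%lu.%lu", major, minor, fix);
    return buf;
}

int main(void)
{
    char buf[64];
    /* Constructed sample: headers of LibreSSL 2.5.5. The 0x20700000
     * threshold is illustrative, not a claim about a specific API. */
    unsigned long ossl = LIBRESSL_FIXED_OPENSSL_NUMBER, libre = 0x2050500fUL;
    printf("naive gate: %d\n", naive_gate(ossl, 0x10100000UL));
    printf("fork-aware gate: %d\n",
           fork_aware_gate(ossl, libre, 0x10100000UL, 0x20700000UL));
    puts(version_string(ossl, 0, buf, sizeof buf));     /* fork-unaware */
    puts(version_string(ossl, libre, buf, sizeof buf)); /* fork-aware */
    return 0;
}
```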