Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Deprioritize SecureTransport on macOS #13547

Closed
wants to merge 1 commit into from
Closed

Deprioritize SecureTransport on macOS #13547

wants to merge 1 commit into from
+5 −5

Conversation

MonkeybreadSoftware
Copy link
Contributor

@MonkeybreadSoftware MonkeybreadSoftware commented May 7, 2024
edited
Loading

Moved SecureTransport behind OpenSSL, so we can build CURL with both and prefer using OpenSSL over SecureChannel. Our users still can opt-in to use SecureTransport, but a curl build with both will default to OpenSSL.

@MonkeybreadSoftware
Deprioritize SecureChannel

Verified

This commit was signed with the committer’s verified signature.
vszakats Viktor Szakats
GPG key ID: B5ABD165E2AEF201
Verified
Learn about vigilant mode
Loading
Loading status checks…
44f4e11 
Moved SecureChannnel behind OpenSSL, so we can build CURL with both and prefer using OpenSSL over SecureChannel.
Our users still can opt-in to use secure channel, but a curl build with both will default to OpenSSL.
@github-actions github-actions bot added the TLS label May 7, 2024
@MonkeybreadSoftware MonkeybreadSoftware mentioned this pull request May 7, 2024
Closed
@danielgustafsson
Copy link
Member

s/Channel/Transport/ =)

@MonkeybreadSoftware MonkeybreadSoftware changed the title Deprioritize SecureChannel Deprioritize SecureTransport on macOS May 7, 2024
@Neustradamus
Copy link

To follow this important PR!

@jay
Copy link
Member

jay commented May 7, 2024

To follow this important PR!

To follow a thread click the subscribe button. Please don't post a reply to every thread you want to follow just to get subscribed.

subscribe

@Neustradamus
Copy link

@jay: I know but I do not received emails if I do not publish a comment.

@jay
Copy link
Member

jay commented May 7, 2024

I know but I do not received emails if I do not publish a comment.

If the subscribe button is not working for you please contact github support.

@jay
Copy link
Member

jay commented May 8, 2024
edited
Loading

I don't see why we would change the order for everyone just to meet your use requirements. We have --with-default-ssl-backend=openssl for configure which maps to CURL_DEFAULT_SSL_BACKEND. We have -DCURL_DEFAULT_SSL_BACKEND=openssl for cmake which maps to same.

For other build systems you'd probably have to pass it as a define to the compiler because there aren't separate options. For example for winbuild with openssl and schannel to use schannel as a default you'd have to pass it like:

nmake /f Makefile.vc CC="cl /DCURL_DEFAULT_SSL_BACKEND=\"\"\"\"schannel\"\"\"\"" mode=dll VC=[your vc version number, eg 14] ENABLE_SCHANNEL=yes WITH_SSL=dll SSL_PATH=[your openssl path]

@jay jay added the build label May 8, 2024
@MonkeybreadSoftware
Copy link
Contributor Author

Thank you. I didn't know these switches and I can add them to my build scripts.

The patch here is basically to change the default order in case you don't specify this switch to deprioritize SecureTransport. SecureChannel for Windows is already lower in the list.

@vszakats
Copy link
Member

vszakats commented May 9, 2024
edited
Loading

I agree with this, remembering this caused some pain (curl/curl-for-win@fba3391 curl/curl-for-win@55ff9b9) when adding macOS support to curl-for-win. Because on Windows, Schannel didn't take priority, so the macOS behaviour was unexpected. One more reason to deprioritize SecureTransport is that it's deprecated (by Apple) and also without TLS 1.3 support. Likely most users are better served by OpenSSL or its forks than by SecureTransport, and this will only become truer in the future.

edit: SecureTransport still has the OS-native certificate bundle support at its advantage IIRC. So perhaps doing this after this has been implemented with OpenSSL/forks, might be the safest road?

@vszakats vszakats added the appleOS specific to an Apple operating system label May 9, 2024
@bagder bagder closed this in 810933d Jun 2, 2024
@bagder
Copy link
Member

bagder commented Jun 2, 2024

Thanks!

vszakats added a commit to curl/curl-for-win that referenced this pull request Jun 2, 2024
@vszakats
curl.sh: drop SecureTransport hack with curl 8.9.0 [ci skip]
23b9c8e 
curl/curl@810933d
curl/curl#13547
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
appleOS specific to an Apple operating system build TLS
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@MonkeybreadSoftware @danielgustafsson @Neustradamus @jay @vszakats @bagder