From: Viktor Szakats Date: Fri, 3 Oct 2025 14:40:28 +0000 (+0200) Subject: GHA: drop quictls 3.3.0 builds in favor of openssl 3.5+ X-Git-Tag: rc-8_17_0-1~141 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c96bf36557ea2302e4cb838ee1e4bb9827fecee7;p=thirdparty%2Fcurl.git GHA: drop quictls 3.3.0 builds in favor of openssl 3.5+ - http3-linux: move local nghttpx (nghttp2) build to openssl (from quictls). Also tried LibreSSL, but it made some HTTP/2 tests fails. - http3-linux: drop quictls ngtcp2 build. - http3-linux: build local openssl with `no-deprecated`. (previously tested in the quictls local build.) - http3-linux: explicitly disable LDAP in cmake openssl jobs. cmake builds auto-detect OpenLDAP (autotools don't), and when enabled, linking curl fails because system `libsasl.so` requires MD5 openssl functions, which are missing from openssl no-deprecated builds. - macos: move options tested in quictls jobs to other ones. - linux: drop unused quictls local build. (it was used for msh3.) Follow-up to 91138b014d960d2ef6ce9cd0ca237d0220b2458d #17729 - renovate: drop quictls bump detection. Closes #18833 --- diff --git a/.github/workflows/http3-linux.yml b/.github/workflows/http3-linux.yml index c14a640097..3d0fec9efb 100644 --- a/.github/workflows/http3-linux.yml +++ b/.github/workflows/http3-linux.yml @@ -41,8 +41,6 @@ env: CURL_CI: github # handled in renovate.json OPENSSL_VERSION: 3.6.0 - # handled in renovate.json - QUICTLS_VERSION: 3.3.0 # renovate: datasource=github-tags depName=libressl/portable versioning=semver registryUrl=https://github.com LIBRESSL_VERSION: 4.1.1 # renovate: datasource=github-tags depName=awslabs/aws-lc versioning=semver registryUrl=https://github.com 
@@ -70,12 +68,12 @@ jobs: steps: - name: 'cache openssl' uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 - id: cache-openssl-http3 + id: cache-openssl-http3-no-deprecated env: - cache-name: cache-openssl-http3 + cache-name: cache-openssl-http3-no-deprecated with: path: ~/openssl/build - key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_VERSION }} + key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_VERSION }}-no-deprecated - name: 'cache libressl' uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 @@ -104,15 +102,6 @@ jobs: path: ~/boringssl/build key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.BORINGSSL_VERSION }} - - name: 'cache quictls' - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 - id: cache-quictls-no-deprecated - env: - cache-name: cache-quictls-no-deprecated - with: - path: ~/quictls/build - key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.QUICTLS_VERSION }}-quic1 - - name: 'cache gnutls' uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 id: cache-gnutls @@ -147,7 +136,7 @@ jobs: cache-name: cache-ngtcp2 with: path: ~/ngtcp2/build - key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.NGTCP2_VERSION }}-${{ env.OPENSSL_VERSION }}-${{ env.LIBRESSL_VERSION }}-${{ env.AWSLC_VERSION }}-${{ env.QUICTLS_VERSION }}-${{ env.GNUTLS_VERSION }}-${{ env.WOLFSSL_VERSION }} + key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.NGTCP2_VERSION }}-${{ env.OPENSSL_VERSION }}-${{ env.LIBRESSL_VERSION }}-${{ env.AWSLC_VERSION }}-${{ env.GNUTLS_VERSION }}-${{ env.WOLFSSL_VERSION }} - name: 'cache ngtcp2 boringssl' uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 
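Review bot: In 'cache openssl' the build flavour is now encoded twice in the key, once through `cache-name: cache-openssl-http3-no-deprecated` and again as the trailing `-no-deprecated`, while the flag itself lives in the `./config` line of 'build openssl' in a later hunk. One marker is enough to retire the old cache entries; `key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_VERSION }}` with the renamed cache-name leaves a single place to edit when the configure options change again. The same key is repeated in the consuming job's 'cache openssl' step (hunk at -518,12), where `fail-on-cache-miss: true` turns any drift between the two copies into a hard failure, so both copies have to be changed together.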
@@ -165,15 +154,14 @@ jobs: cache-name: cache-nghttp2 with: path: ~/nghttp2/build - key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.NGHTTP2_VERSION }}-${{ env.QUICTLS_VERSION }}-${{ env.NGTCP2_VERSION }}-${{ env.NGHTTP3_VERSION }} + key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.NGHTTP2_VERSION }}-${{ env.OPENSSL_VERSION }}-${{ env.NGTCP2_VERSION }}-${{ env.NGHTTP3_VERSION }} - id: settings if: >- - ${{ steps.cache-openssl-http3.outputs.cache-hit != 'true' || + ${{ steps.cache-openssl-http3-no-deprecated.outputs.cache-hit != 'true' || steps.cache-libressl.outputs.cache-hit != 'true' || steps.cache-awslc.outputs.cache-hit != 'true' || steps.cache-boringssl.outputs.cache-hit != 'true' || - steps.cache-quictls-no-deprecated.outputs.cache-hit != 'true' || steps.cache-gnutls.outputs.cache-hit != 'true' || steps.cache-wolfssl.outputs.cache-hit != 'true' || steps.cache-nghttp3.outputs.cache-hit != 'true' || @@ -199,12 +187,12 @@ jobs: echo 'CXX=g++-12' >> "$GITHUB_ENV" - name: 'build openssl' - if: ${{ steps.cache-openssl-http3.outputs.cache-hit != 'true' }} + if: ${{ steps.cache-openssl-http3-no-deprecated.outputs.cache-hit != 'true' }} run: | cd ~ git clone --quiet --depth=1 -b "openssl-${OPENSSL_VERSION}" https://github.com/openssl/openssl cd openssl - ./config --prefix="$PWD"/build --libdir=lib no-makedepend no-apps no-docs no-tests + ./config --prefix="$PWD"/build --libdir=lib no-makedepend no-apps no-docs no-tests no-deprecated make make -j1 install_sw 
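Review bot: The 'build openssl' step selects its source by tag name alone (`-b "openssl-${OPENSSL_VERSION}"`), whereas the actions/cache steps in this file are pinned to a full commit hash, and after this change the cached result is also what the local nghttpx build links against. A tag can be moved upstream without the cache key or the workflow noticing, and a cached binary then carries no record of what it was built from. Printing the resolved commit right after `cd openssl`, e.g. `git rev-parse HEAD`, would at least leave that record in the job log; comparing it with an expected hash kept next to `OPENSSL_VERSION` would make the check enforceable.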
@@ -241,16 +229,6 @@ jobs: cmake --build . cmake --install . - - name: 'build quictls' - if: ${{ steps.cache-quictls-no-deprecated.outputs.cache-hit != 'true' }} - run: | - cd ~ - git clone --quiet --depth=1 -b "openssl-${QUICTLS_VERSION}-quic1" https://github.com/quictls/openssl quictls - cd quictls - ./config no-deprecated --prefix="$PWD"/build --libdir=lib no-makedepend no-apps no-docs no-tests - make - make -j1 install_sw - - name: 'build gnutls' if: ${{ steps.cache-gnutls.outputs.cache-hit != 'true' }} run: | @@ -292,7 +270,7 @@ jobs: - name: 'build ngtcp2' if: ${{ steps.cache-ngtcp2.outputs.cache-hit != 'true' }} - # building 3 times to get crypto libs for ossl, libressl, quictls and awslc installed + # building twice to get crypto libs for ossl, libressl and awslc installed run: | cd ~ git clone --quiet --depth=1 -b "v${NGTCP2_VERSION}" https://github.com/ngtcp2/ngtcp2 @@ -302,10 +280,6 @@ jobs: PKG_CONFIG_PATH=/home/runner/libressl/build/lib/pkgconfig --enable-lib-only --with-openssl make install make clean - ./configure --disable-dependency-tracking --prefix="$PWD"/build \ - PKG_CONFIG_PATH=/home/runner/quictls/build/lib/pkgconfig --enable-lib-only --with-openssl - make install - make clean ./configure --disable-dependency-tracking --prefix="$PWD"/build \ PKG_CONFIG_PATH=/home/runner/openssl/build/lib/pkgconfig:/home/runner/gnutls/build/lib/pkgconfig:/home/runner/wolfssl/build/lib/pkgconfig \ --enable-lib-only --with-openssl --with-gnutls --with-wolfssl --with-boringssl \ 
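Review bot: The reworded comment on 'build ngtcp2' says "building twice" but names three libraries (ossl, libressl and awslc) and leaves out gnutls and wolfssl, which the second `./configure` in the following hunk enables via `--with-gnutls --with-wolfssl`. A comment that maps each pass to its libraries is easier to keep right, e.g. `# two passes: libressl alone, then openssl + gnutls + wolfssl + boringssl/awslc`. The awslc part is inferred from `--with-boringssl`; the rest of that configure line lies outside the hunk.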
@@ -337,8 +311,8 @@ jobs: # required (for nghttpx application): libc-ares-dev libev-dev zlib1g-dev # optional (for nghttpx application): libbrotli-dev ./configure --disable-dependency-tracking --prefix="$PWD"/build \ - PKG_CONFIG_PATH=/home/runner/quictls/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig \ - LDFLAGS=-Wl,-rpath,/home/runner/quictls/build/lib \ + PKG_CONFIG_PATH=/home/runner/openssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig \ + LDFLAGS=-Wl,-rpath,/home/runner/openssl/build/lib \ --with-libbrotlienc --with-libbrotlidec \ --enable-app --enable-http3 make install @@ -367,8 +341,9 @@ jobs: install_steps: skipall PKG_CONFIG_PATH: /home/runner/openssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig generate: >- - -DOPENSSL_ROOT_DIR=/home/runner/openssl/build - -DUSE_NGTCP2=ON -DCURL_DISABLE_NTLM=ON + -DOPENSSL_ROOT_DIR=/home/runner/openssl/build -DUSE_NGTCP2=ON + -DCURL_DISABLE_LDAP=ON + -DCURL_DISABLE_NTLM=ON -DCMAKE_UNITY_BUILD=ON - name: 'libressl' 
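Review bot: nghttpx is now linked with `LDFLAGS=-Wl,-rpath,/home/runner/openssl/build/lib`, but the consuming job restores `~/openssl/build` only when `matrix.build.name` is 'openssl' or 'openssl-quic' (see the `if:` on 'cache openssl' in the hunk at -518,12). The removed 'cache quictls' step in that job carried no `if:`, so the library nghttpx depended on used to be present for every matrix entry. If nghttpx is linked dynamically and the other TLS-backend jobs use it, it will either fail to start or bind to whatever libssl the runner image provides, and the HTTP/2 and HTTP/3 tests for those backends may then be skipped or run against an untested server build without the job failing. Dropping that `if:` line from the consuming 'cache openssl' step, or running the built nghttpx with `--version` as an explicit check before the tests, would close the gap.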
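Review bot: `-DCURL_DISABLE_LDAP=ON` is added to the cmake 'openssl' entry here and to 'openssl-quic' in the hunk at -476,6 with nothing in the workflow saying why; the reason (system libsasl needing MD5 functions that a no-deprecated OpenSSL lacks) exists only in the commit message. Because `generate: >-` is a folded scalar, a `#` line inside it would become part of the cmake arguments, so the comment has to sit above the `generate:` key, e.g. `# LDAP off: system libsasl needs OpenSSL MD5 APIs missing from the local no-deprecated build`. The comment should also say that these two jobs no longer compile curl's LDAP code, so that whoever later drops `no-deprecated` knows to re-enable it.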
@@ -416,21 +391,6 @@ jobs: -DUSE_NGTCP2=ON -DCURL_DISABLE_NTLM=ON -DCMAKE_UNITY_BUILD=ON - - name: 'quictls' - install_steps: skipall - PKG_CONFIG_PATH: /home/runner/quictls/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig - configure: >- - LDFLAGS=-Wl,-rpath,/home/runner/quictls/build/lib - --with-ngtcp2 --disable-ntlm - --with-openssl=/home/runner/quictls/build --enable-ssls-export - --enable-unity - - - name: 'quictls' - PKG_CONFIG_PATH: /home/runner/quictls/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig - generate: >- - -DOPENSSL_ROOT_DIR=/home/runner/quictls/build - -DUSE_NGTCP2=ON -DCURL_DISABLE_NTLM=ON - - name: 'gnutls' install_packages: nettle-dev libp11-kit-dev install_steps: skipall @@ -476,6 +436,7 @@ jobs: PKG_CONFIG_PATH: /home/runner/openssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig generate: >- -DOPENSSL_ROOT_DIR=/home/runner/openssl/build -DUSE_OPENSSL_QUIC=ON + -DCURL_DISABLE_LDAP=ON -DCURL_DISABLE_NTLM=ON -DCMAKE_UNITY_BUILD=ON @@ -518,12 +479,12 @@ jobs: - name: 'cache openssl' if: ${{ matrix.build.name == 'openssl' || matrix.build.name == 'openssl-quic' }} uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 - id: cache-openssl-http3 + id: cache-openssl-http3-no-deprecated env: - cache-name: cache-openssl-http3 + cache-name: cache-openssl-http3-no-deprecated with: path: ~/openssl/build - key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_VERSION }} + key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_VERSION }}-no-deprecated fail-on-cache-miss: true - name: 'cache libressl' 
@@ -556,16 +517,6 @@ jobs: key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.BORINGSSL_VERSION }} fail-on-cache-miss: true - - name: 'cache quictls' - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 - id: cache-quictls-no-deprecated - env: - cache-name: cache-quictls-no-deprecated - with: - path: ~/quictls/build - key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.QUICTLS_VERSION }}-quic1 - fail-on-cache-miss: true - - name: 'cache gnutls' if: ${{ matrix.build.name == 'gnutls' }} uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 @@ -605,7 +556,7 @@ jobs: cache-name: cache-ngtcp2 with: path: ~/ngtcp2/build - key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.NGTCP2_VERSION }}-${{ env.OPENSSL_VERSION }}-${{ env.LIBRESSL_VERSION }}-${{ env.AWSLC_VERSION }}-${{ env.QUICTLS_VERSION }}-${{ env.GNUTLS_VERSION }}-${{ env.WOLFSSL_VERSION }} + key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.NGTCP2_VERSION }}-${{ env.OPENSSL_VERSION }}-${{ env.LIBRESSL_VERSION }}-${{ env.AWSLC_VERSION }}-${{ env.GNUTLS_VERSION }}-${{ env.WOLFSSL_VERSION }} fail-on-cache-miss: true - name: 'cache ngtcp2 boringssl' @@ -625,7 +576,7 @@ jobs: cache-name: cache-nghttp2 with: path: ~/nghttp2/build - key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.NGHTTP2_VERSION }}-${{ env.QUICTLS_VERSION }}-${{ env.NGTCP2_VERSION }}-${{ env.NGHTTP3_VERSION }} + key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.NGHTTP2_VERSION }}-${{ env.OPENSSL_VERSION }}-${{ env.NGTCP2_VERSION }}-${{ env.NGHTTP3_VERSION }} fail-on-cache-miss: true - name: 'cache quiche' diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index 5b2b5e711c..d78789b8a1 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml 
@@ -49,8 +49,6 @@ env: BORINGSSL_VERSION: 0.20251002.0 # handled in renovate.json OPENSSL_VERSION: 3.6.0 - # handled in renovate.json - QUICTLS_VERSION: 3.3.0 # renovate: datasource=github-tags depName=rustls/rustls-ffi versioning=semver registryUrl=https://github.com RUSTLS_VERSION: 0.15.0 # handled in renovate.json @@ -495,25 +493,6 @@ jobs: make make -j1 install_sw - - name: 'cache quictls' - if: ${{ contains(matrix.build.install_steps, 'quictls') }} - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 - id: cache-quictls - env: - cache-name: cache-quictls - with: - path: ~/quictls - key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ env.QUICTLS_VERSION }}-quic1 - - - name: 'build quictls' - if: ${{ contains(matrix.build.install_steps, 'quictls') && steps.cache-quictls.outputs.cache-hit != 'true' }} - run: | - git clone --quiet --depth=1 -b "openssl-${QUICTLS_VERSION}-quic1" https://github.com/quictls/openssl - cd openssl - ./config --prefix=/home/runner/quictls --libdir=lib no-makedepend no-apps no-docs no-tests - make - make -j1 install_sw - - name: 'cache awslc' if: ${{ contains(matrix.build.install_steps, 'awslc') }} uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml index 87fc53d334..c32b71439c 100644 --- a/.github/workflows/macos.yml +++ b/.github/workflows/macos.yml 
@@ -255,16 +255,17 @@ jobs: --without-nghttp2 --disable-ntlm --without-ssl --without-zlib --without-zstd macos-version-min: '10.15' # Catalina (2019) - - name: 'LibreSSL +examples' + - name: 'LibreSSL !ldap +examples' compiler: clang install: libressl install_steps: pytest - configure: --enable-debug --with-openssl=/opt/homebrew/opt/libressl - - name: 'OpenSSL' + configure: --enable-debug --with-openssl=/opt/homebrew/opt/libressl --disable-ldap + - name: 'OpenSSL 10.15' compiler: clang install: libnghttp3 libngtcp2 install_steps: pytest configure: --enable-debug --with-openssl=/opt/homebrew/opt/openssl --with-ngtcp2 + macos-version-min: '10.15' - name: 'OpenSSL SecTrust' compiler: clang install: libnghttp3 libngtcp2 @@ -274,11 +275,6 @@ jobs: compiler: clang configure: --enable-debug --with-openssl=/opt/homebrew/opt/openssl tflags: --test-event - - name: 'quictls libssh2 !ldap 10.15' - compiler: clang - install: quictls - configure: --enable-debug --disable-ldap --with-openssl=/opt/homebrew/opt/quictls LDFLAGS=-L/opt/homebrew/opt/quictls/lib - macos-version-min: '10.15' # cmake - name: 'OpenSSL gsasl rtmp AppleIDN SecTrust' install: libnghttp3 libngtcp2 gsasl rtmpdump @@ -306,9 +302,6 @@ jobs: -DCURL_USE_GSSAPI=ON -DGSS_ROOT_DIR=/opt/homebrew/opt/heimdal -DCURL_CLANG_TIDY=ON -DCLANG_TIDY=/opt/homebrew/opt/llvm/bin/clang-tidy - - name: 'quictls +static libssh +examples' - install: quictls libssh - generate: -DOPENSSL_ROOT_DIR=/opt/homebrew/opt/quictls -DBUILD_STATIC_LIBS=ON -DCURL_USE_LIBSSH2=OFF -DCURL_USE_LIBSSH=ON - name: 'LibreSSL openldap heimdal c-ares +examples' install: libressl heimdal openldap generate: -DENABLE_DEBUG=ON -DOPENSSL_ROOT_DIR=/opt/homebrew/opt/libressl -DENABLE_ARES=ON -DCURL_USE_GSSAPI=ON -DGSS_ROOT_DIR=/opt/homebrew/opt/heimdal -DLDAP_INCLUDE_DIR=/opt/homebrew/opt/openldap/include -DLDAP_LIBRARY=/opt/homebrew/opt/openldap/lib/libldap.dylib -DLDAP_LBER_LIBRARY=/opt/homebrew/opt/openldap/lib/liblber.dylib 
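Review bot: The autotools side of the removed quictls coverage is visibly re-homed here (`--disable-ldap` on the LibreSSL entry, `macos-version-min: '10.15'` on 'OpenSSL 10.15'), but the options of the deleted cmake entry 'quictls +static libssh +examples' in the hunk at -306,9 (`-DBUILD_STATIC_LIBS=ON -DCURL_USE_LIBSSH2=OFF -DCURL_USE_LIBSSH=ON`) are not added to any entry shown in this diff. If no remaining macOS job outside these hunks builds with libssh and static libraries, that combination silently loses CI coverage; adding `libssh` to `install:` and `-DCURL_USE_LIBSSH2=OFF -DCURL_USE_LIBSSH=ON` to an existing cmake entry would keep it. The matrix list starts and ends outside the hunk, so existing coverage cannot be confirmed from here.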
@@ -370,7 +363,7 @@ jobs: while [[ $? == 0 ]]; do for i in 1 2 3; do if brew update && brew bundle install --file /tmp/Brewfile; then break 2; else echo Error: wait to try again; sleep 10; fi; done; false Too many retries; done - name: 'brew unlink openssl' - if: ${{ contains(matrix.build.install, 'aws-lc') || contains(matrix.build.install, 'libressl') || contains(matrix.build.install, 'quictls') }} + if: ${{ contains(matrix.build.install, 'aws-lc') || contains(matrix.build.install, 'libressl') }} run: | if [ -d /opt/homebrew/include/openssl ]; then brew unlink openssl diff --git a/renovate.json b/renovate.json index 1bc0309f3a..102bf42521 100644 --- a/renovate.json +++ b/renovate.json @@ -102,20 +102,6 @@ "versioningTemplate": "semver", "extractVersionTemplate": "^openssl-(?.*)$" }, - { - "customType": "regex", - "managerFilePatterns": [ - "/^.github/workflows/linux.yml$/", - "/^.github/workflows/http3-linux.yml$/" - ], - "matchStrings": [ - "QUICTLS_VERSION: (?.*)\\s" - ], - "datasourceTemplate": "github-tags", - "depNameTemplate": "quictls/openssl", - "versioningTemplate": "semver", - "extractVersionTemplate": "^openssl-(?.*)-quic1$" - }, { "customType": "regex", "managerFilePatterns": [