CURL_CI: github
CURL_TEST_MIN: 1850
DO_NOT_TRACK: '1'
- # renovate: datasource=github-releases depName=openssl/openssl versioning=semver extractVersion=^openssl-(?<version>.+)$ registryUrl=https://github.com
- OPENSSL_VERSION: 4.0.0
- # manually bumped
- OPENSSL_PREV_VERSION: 3.6.2
- OPENSSL_PREV_SHA256: aaf51a1fe064384f811daeaeb4ec4dce7340ec8bd893027eee676af31e83a04f
- # renovate: datasource=github-tags depName=libressl/portable versioning=semver registryUrl=https://github.com
- LIBRESSL_VERSION: 4.3.1
# renovate: datasource=github-tags depName=awslabs/aws-lc versioning=semver registryUrl=https://github.com
AWSLC_VERSION: 1.73.0
# renovate: datasource=github-tags depName=google/boringssl versioning=semver registryUrl=https://github.com
NETTLE_VERSION: 3.10.2
# renovate: datasource=github-tags depName=gnutls/gnutls versioning=semver extractVersion=^nettle_?(?<version>.+)_release_.+$ registryUrl=https://github.com
GNUTLS_VERSION: 3.8.11
+ # renovate: datasource=github-tags depName=libressl/portable versioning=semver registryUrl=https://github.com
+ LIBRESSL_VERSION: 4.3.1
+ # renovate: datasource=github-releases depName=openssl/openssl versioning=semver extractVersion=^openssl-(?<version>.+)$ registryUrl=https://github.com
+ OPENSSL_VERSION: 4.0.0
+ # manually bumped
+ OPENSSL_PREV_VERSION: 3.6.2
+ OPENSSL_PREV_SHA256: aaf51a1fe064384f811daeaeb4ec4dce7340ec8bd893027eee676af31e83a04f
+ # renovate: datasource=github-tags depName=cloudflare/quiche versioning=semver registryUrl=https://github.com
+ QUICHE_VERSION: 0.24.7
# renovate: datasource=github-tags depName=wolfSSL/wolfssl versioning=semver extractVersion=^v?(?<version>.+)-stable$ registryUrl=https://github.com
WOLFSSL_VERSION: 5.9.1
# renovate: datasource=github-tags depName=ngtcp2/nghttp3 versioning=semver registryUrl=https://github.com
NGTCP2_VERSION: 1.22.1
# renovate: datasource=github-tags depName=nghttp2/nghttp2 versioning=semver registryUrl=https://github.com
NGHTTP2_VERSION: 1.69.0
- # renovate: datasource=github-tags depName=cloudflare/quiche versioning=semver registryUrl=https://github.com
- QUICHE_VERSION: 0.24.7
jobs:
build-cache:
runs-on: ubuntu-latest
steps:
- - name: 'cache openssl'
- uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
- id: cache-openssl-http3-no-deprecated
- env:
- cache-name: cache-openssl-http3-no-deprecated
- with:
- path: ~/openssl/build
- key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_VERSION }}
-
- - name: 'cache openssl-prev'
- uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
- id: cache-openssl-prev-http3-no-deprecated
- env:
- cache-name: cache-openssl-prev-http3-no-deprecated
- with:
- path: ~/openssl-prev/build
- key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_PREV_VERSION }}
-
- - name: 'cache libressl'
- uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
- id: cache-libressl
- env:
- cache-name: cache-libressl
- with:
- path: ~/libressl/build
- key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.LIBRESSL_VERSION }}
-
- name: 'cache awslc'
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
id: cache-awslc
path: ~/gnutls/build
key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.GNUTLS_VERSION }}-${{ env.NETTLE_VERSION }}
+ - name: 'cache libressl'
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+ id: cache-libressl
+ env:
+ cache-name: cache-libressl
+ with:
+ path: ~/libressl/build
+ key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.LIBRESSL_VERSION }}
+
+ - name: 'cache openssl'
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+ id: cache-openssl-http3-no-deprecated
+ env:
+ cache-name: cache-openssl-http3-no-deprecated
+ with:
+ path: ~/openssl/build
+ key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_VERSION }}
+
+ - name: 'cache openssl-prev'
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+ id: cache-openssl-prev-http3-no-deprecated
+ env:
+ cache-name: cache-openssl-prev-http3-no-deprecated
+ with:
+ path: ~/openssl-prev/build
+ key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_PREV_VERSION }}
+
- name: 'cache wolfssl'
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
id: cache-wolfssl
key: "${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.NGTCP2_VERSION }}-${{ env.OPENSSL_VERSION }}-\
${{ env.LIBRESSL_VERSION }}-${{ env.AWSLC_VERSION }}-${{ env.NETTLE_VERSION }}-${{ env.GNUTLS_VERSION }}-${{ env.WOLFSSL_VERSION }}"
- - name: 'cache ngtcp2 openssl-prev'
- uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
- id: cache-ngtcp2-openssl-prev
- env:
- cache-name: cache-ngtcp2-openssl-prev
- with:
- path: ~/ngtcp2-openssl-prev/build
- key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.NGTCP2_VERSION }}-${{ env.OPENSSL_PREV_VERSION }}
-
- name: 'cache ngtcp2 boringssl'
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
id: cache-ngtcp2-boringssl
path: ~/ngtcp2-boringssl/build
key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.NGTCP2_VERSION }}-${{ env.BORINGSSL_VERSION }}
+ - name: 'cache ngtcp2 openssl-prev'
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+ id: cache-ngtcp2-openssl-prev
+ env:
+ cache-name: cache-ngtcp2-openssl-prev
+ with:
+ path: ~/ngtcp2-openssl-prev/build
+ key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.NGTCP2_VERSION }}-${{ env.OPENSSL_PREV_VERSION }}
+
- name: 'cache nghttp2'
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
id: cache-nghttp2
- id: settings
if: >-
- ${{ steps.cache-openssl-http3-no-deprecated.outputs.cache-hit != 'true' ||
- steps.cache-openssl-prev-http3-no-deprecated.outputs.cache-hit != 'true' ||
- steps.cache-libressl.outputs.cache-hit != 'true' ||
- steps.cache-awslc.outputs.cache-hit != 'true' ||
+ ${{ steps.cache-awslc.outputs.cache-hit != 'true' ||
steps.cache-boringssl.outputs.cache-hit != 'true' ||
steps.cache-nettle.outputs.cache-hit != 'true' ||
steps.cache-gnutls.outputs.cache-hit != 'true' ||
+ steps.cache-libressl.outputs.cache-hit != 'true' ||
+ steps.cache-openssl-http3-no-deprecated.outputs.cache-hit != 'true' ||
+ steps.cache-openssl-prev-http3-no-deprecated.outputs.cache-hit != 'true' ||
steps.cache-wolfssl.outputs.cache-hit != 'true' ||
steps.cache-nghttp3.outputs.cache-hit != 'true' ||
- steps.cache-ngtcp2.outputs.cache-hit != 'true' ||
- steps.cache-ngtcp2-openssl-prev.outputs.cache-hit != 'true' ||
steps.cache-ngtcp2-boringssl.outputs.cache-hit != 'true' ||
+ steps.cache-ngtcp2-openssl-prev.outputs.cache-hit != 'true' ||
+ steps.cache-ngtcp2.outputs.cache-hit != 'true' ||
steps.cache-nghttp2.outputs.cache-hit != 'true' }}
run: echo 'needs-build=true' >> "$GITHUB_OUTPUT"
echo 'CC=gcc-12' >> "$GITHUB_ENV"
echo 'CXX=g++-12' >> "$GITHUB_ENV"
- - name: 'build openssl'
- if: ${{ steps.cache-openssl-http3-no-deprecated.outputs.cache-hit != 'true' }}
- run: |
- cd ~
- git clone --quiet --depth 1 --branch "openssl-${OPENSSL_VERSION}" https://github.com/openssl/openssl
- cd openssl
- ./config --prefix="$PWD"/build --libdir=lib no-makedepend no-apps no-docs no-tests no-deprecated
- make
- make -j1 install_sw
-
- - name: 'build openssl-prev'
- if: ${{ steps.cache-openssl-prev-http3-no-deprecated.outputs.cache-hit != 'true' }}
- run: |
- cd ~
- curl --disable --fail --silent --show-error --connect-timeout 15 --max-time 120 --retry 6 --retry-connrefused \
- --location "https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_PREV_VERSION}/openssl-${OPENSSL_PREV_VERSION}.tar.gz" --output pkg.bin
- sha256sum pkg.bin | tee /dev/stderr | grep -qwF -- "${OPENSSL_PREV_SHA256}" && tar -xzf pkg.bin && rm -f pkg.bin
- cd "openssl-${OPENSSL_PREV_VERSION}"
- ./config --prefix=/home/runner/openssl-prev/build --libdir=lib no-makedepend no-apps no-docs no-tests no-deprecated
- make
- make -j1 install_sw
-
- - name: 'build libressl'
- if: ${{ steps.cache-libressl.outputs.cache-hit != 'true' }}
- run: |
- cd ~
- curl --disable --fail --silent --show-error --connect-timeout 15 --max-time 120 --retry 6 --retry-connrefused \
- --location "https://github.com/libressl/portable/releases/download/v${LIBRESSL_VERSION}/libressl-${LIBRESSL_VERSION}.tar.gz" --output pkg.bin
- sha256sum pkg.bin && tar -xzf pkg.bin && rm -f pkg.bin
- cd "libressl-${LIBRESSL_VERSION}"
- cmake -B . -G Ninja -DLIBRESSL_APPS=OFF -DLIBRESSL_TESTS=OFF -DCMAKE_INSTALL_PREFIX=/home/runner/libressl/build
- cmake --build .
- cmake --install .
-
- name: 'build awslc'
if: ${{ steps.cache-awslc.outputs.cache-hit != 'true' }}
run: |
--disable-guile --disable-doc --disable-tests --disable-tools
make install
+ - name: 'build libressl'
+ if: ${{ steps.cache-libressl.outputs.cache-hit != 'true' }}
+ run: |
+ cd ~
+ curl --disable --fail --silent --show-error --connect-timeout 15 --max-time 120 --retry 6 --retry-connrefused \
+ --location "https://github.com/libressl/portable/releases/download/v${LIBRESSL_VERSION}/libressl-${LIBRESSL_VERSION}.tar.gz" --output pkg.bin
+ sha256sum pkg.bin && tar -xzf pkg.bin && rm -f pkg.bin
+ cd "libressl-${LIBRESSL_VERSION}"
+ cmake -B . -G Ninja -DLIBRESSL_APPS=OFF -DLIBRESSL_TESTS=OFF -DCMAKE_INSTALL_PREFIX=/home/runner/libressl/build
+ cmake --build .
+ cmake --install .
+
+ - name: 'build openssl'
+ if: ${{ steps.cache-openssl-http3-no-deprecated.outputs.cache-hit != 'true' }}
+ run: |
+ cd ~
+ git clone --quiet --depth 1 --branch "openssl-${OPENSSL_VERSION}" https://github.com/openssl/openssl
+ cd openssl
+ ./config --prefix="$PWD"/build --libdir=lib no-makedepend no-apps no-docs no-tests no-deprecated
+ make
+ make -j1 install_sw
+
+ - name: 'build openssl-prev'
+ if: ${{ steps.cache-openssl-prev-http3-no-deprecated.outputs.cache-hit != 'true' }}
+ run: |
+ cd ~
+ curl --disable --fail --silent --show-error --connect-timeout 15 --max-time 120 --retry 6 --retry-connrefused \
+ --location "https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_PREV_VERSION}/openssl-${OPENSSL_PREV_VERSION}.tar.gz" --output pkg.bin
+ sha256sum pkg.bin | tee /dev/stderr | grep -qwF -- "${OPENSSL_PREV_SHA256}" && tar -xzf pkg.bin && rm -f pkg.bin
+ cd "openssl-${OPENSSL_PREV_VERSION}"
+ ./config --prefix=/home/runner/openssl-prev/build --libdir=lib no-makedepend no-apps no-docs no-tests no-deprecated
+ make
+ make -j1 install_sw
+
- name: 'build wolfssl'
if: ${{ steps.cache-wolfssl.outputs.cache-hit != 'true' }}
run: |
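Review bot: The `build libressl` step extracts and builds the downloaded tarball after only printing its digest: `sha256sum pkg.bin && tar -xzf pkg.bin` compares nothing, whereas `build openssl-prev` in the same hunk checks the digest against `OPENSSL_PREV_SHA256`. The resulting `~/libressl/build` tree is then cached and restored by the later jobs with `fail-on-cache-miss: true`, so an altered release asset would be carried into every libressl job. Consider adding a new pinned `LIBRESSL_SHA256` entry to `env:` and reusing the existing check, `sha256sum pkg.bin | tee /dev/stderr | grep -qwF -- "${LIBRESSL_SHA256}" && tar -xzf pkg.bin && rm -f pkg.bin`. Since `LIBRESSL_VERSION` is bumped by Renovate, the digest would have to be updated together with it. The step is moved unchanged by this commit, so the gap predates it.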
fail-fast: false
matrix:
build:
- - name: 'openssl'
- tflags: '--min=1700'
- LDFLAGS: -Wl,-rpath,/home/runner/openssl/build/lib
- PKG_CONFIG_PATH: /home/runner/openssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
- configure: >-
- --with-openssl=/home/runner/openssl/build --with-ngtcp2=/home/runner/ngtcp2/build --enable-ech --enable-ssls-export
-
- - name: 'openssl'
- install_steps: skipall
- PKG_CONFIG_PATH: /home/runner/openssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
- generate: >-
- -DOPENSSL_ROOT_DIR=/home/runner/openssl/build -DUSE_NGTCP2=ON
- -DCURL_DISABLE_LDAP=ON
- -DUSE_ECH=ON
- -DCMAKE_UNITY_BUILD=ON
-
- - name: 'openssl-prev'
- install_steps: skipall
- LDFLAGS: -Wl,-rpath,/home/runner/openssl-prev/build/lib
- PKG_CONFIG_PATH: "\
- /home/runner/openssl-prev/build/lib/pkgconfig:\
- /home/runner/nghttp3/build/lib/pkgconfig:\
- /home/runner/nghttp2-openssl-prev/build/lib/pkgconfig"
- configure: >-
- --with-openssl=/home/runner/openssl-prev/build --with-ngtcp2=/home/runner/ngtcp2-openssl-prev/build --enable-ssls-export
-
- - name: 'openssl-prev'
- tflags: '--min=1700'
- PKG_CONFIG_PATH: "\
- /home/runner/openssl-prev/build/lib/pkgconfig:\
- /home/runner/nghttp3/build/lib/pkgconfig:\
- /home/runner/ngtcp2-openssl-prev/build/lib/pkgconfig:\
- /home/runner/nghttp2/build/lib/pkgconfig"
- generate: >-
- -DOPENSSL_ROOT_DIR=/home/runner/openssl-prev/build -DUSE_NGTCP2=ON
- -DCURL_DISABLE_LDAP=ON
-
- - name: 'libressl'
- install_steps: skipall
- LDFLAGS: -Wl,-rpath,/home/runner/libressl/build/lib
- PKG_CONFIG_PATH: /home/runner/libressl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
- # Intentionally using '--with-ngtcp2=<path>' to test this way of configuration, in addition to bare '--with-ngtcp2' + 'PKG_CONFIG_PATH' in other jobs.
- configure: >-
- --with-openssl=/home/runner/libressl/build --with-ngtcp2=/home/runner/ngtcp2/build --enable-ssls-export
- --enable-unity
-
- - name: 'libressl'
- PKG_CONFIG_PATH: /home/runner/libressl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
- generate: >-
- -DOPENSSL_ROOT_DIR=/home/runner/libressl/build -DUSE_NGTCP2=ON
-
- name: 'awslc'
install_steps: skipall
LDFLAGS: -Wl,-rpath,/home/runner/awslc/build/lib
-DCURL_USE_GNUTLS=ON -DUSE_NGTCP2=ON -DCURL_USE_LIBSSH=ON
-DCMAKE_UNITY_BUILD=ON
- - name: 'wolfssl'
- install_packages: libssh2-1-dev
+ - name: 'libressl'
install_steps: skipall
- LDFLAGS: -Wl,-rpath,/home/runner/wolfssl/build/lib
- PKG_CONFIG_PATH: /home/runner/wolfssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
+ LDFLAGS: -Wl,-rpath,/home/runner/libressl/build/lib
+ PKG_CONFIG_PATH: /home/runner/libressl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
+ # Intentionally using '--with-ngtcp2=<path>' to test this way of configuration, in addition to bare '--with-ngtcp2' + 'PKG_CONFIG_PATH' in other jobs.
configure: >-
- --with-wolfssl=/home/runner/wolfssl/build --with-ngtcp2=/home/runner/ngtcp2/build --enable-ech --with-libssh2 --enable-ssls-export
+ --with-openssl=/home/runner/libressl/build --with-ngtcp2=/home/runner/ngtcp2/build --enable-ssls-export
--enable-unity
- - name: 'wolfssl'
- install_packages: libssh2-1-dev
- tflags: '--min=1900'
- PKG_CONFIG_PATH: /home/runner/wolfssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
+ - name: 'libressl'
+ PKG_CONFIG_PATH: /home/runner/libressl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
generate: >-
- -DCURL_USE_WOLFSSL=ON -DUSE_NGTCP2=ON
+ -DOPENSSL_ROOT_DIR=/home/runner/libressl/build -DUSE_NGTCP2=ON
+
+ - name: 'openssl'
+ tflags: '--min=1700'
+ LDFLAGS: -Wl,-rpath,/home/runner/openssl/build/lib
+ PKG_CONFIG_PATH: /home/runner/openssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
+ configure: >-
+ --with-openssl=/home/runner/openssl/build --with-ngtcp2=/home/runner/ngtcp2/build --enable-ech --enable-ssls-export
+
+ - name: 'openssl'
+ install_steps: skipall
+ PKG_CONFIG_PATH: /home/runner/openssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
+ generate: >-
+ -DOPENSSL_ROOT_DIR=/home/runner/openssl/build -DUSE_NGTCP2=ON
+ -DCURL_DISABLE_LDAP=ON
-DUSE_ECH=ON
+ -DCMAKE_UNITY_BUILD=ON
+
+ - name: 'openssl-prev'
+ install_steps: skipall
+ LDFLAGS: -Wl,-rpath,/home/runner/openssl-prev/build/lib
+ PKG_CONFIG_PATH: "\
+ /home/runner/openssl-prev/build/lib/pkgconfig:\
+ /home/runner/nghttp3/build/lib/pkgconfig:\
+ /home/runner/nghttp2-openssl-prev/build/lib/pkgconfig"
+ configure: >-
+ --with-openssl=/home/runner/openssl-prev/build --with-ngtcp2=/home/runner/ngtcp2-openssl-prev/build --enable-ssls-export
+
+ - name: 'openssl-prev'
+ tflags: '--min=1700'
+ PKG_CONFIG_PATH: "\
+ /home/runner/openssl-prev/build/lib/pkgconfig:\
+ /home/runner/nghttp3/build/lib/pkgconfig:\
+ /home/runner/ngtcp2-openssl-prev/build/lib/pkgconfig:\
+ /home/runner/nghttp2/build/lib/pkgconfig"
+ generate: >-
+ -DOPENSSL_ROOT_DIR=/home/runner/openssl-prev/build -DUSE_NGTCP2=ON
+ -DCURL_DISABLE_LDAP=ON
- name: 'quiche'
install_steps: skipall
-DUSE_QUICHE=ON
-DCURL_CA_FALLBACK=ON
+ - name: 'wolfssl'
+ install_packages: libssh2-1-dev
+ install_steps: skipall
+ LDFLAGS: -Wl,-rpath,/home/runner/wolfssl/build/lib
+ PKG_CONFIG_PATH: /home/runner/wolfssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
+ configure: >-
+ --with-wolfssl=/home/runner/wolfssl/build --with-ngtcp2=/home/runner/ngtcp2/build --enable-ech --with-libssh2 --enable-ssls-export
+ --enable-unity
+
+ - name: 'wolfssl'
+ install_packages: libssh2-1-dev
+ tflags: '--min=1900'
+ PKG_CONFIG_PATH: /home/runner/wolfssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig
+ generate: >-
+ -DCURL_USE_WOLFSSL=ON -DUSE_NGTCP2=ON
+ -DUSE_ECH=ON
+
steps:
- name: 'install prereqs'
timeout-minutes: 2
echo 'CC=gcc-12' >> "$GITHUB_ENV"
echo 'CXX=g++-12' >> "$GITHUB_ENV"
- - name: 'cache openssl'
- uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
- id: cache-openssl-http3-no-deprecated
- env:
- cache-name: cache-openssl-http3-no-deprecated
- with:
- path: ~/openssl/build
- key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_VERSION }}
- fail-on-cache-miss: true
-
- - name: 'cache openssl-prev'
- if: ${{ contains(matrix.build.name, 'openssl-prev') }}
- uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
- id: cache-openssl-prev-http3-no-deprecated
- env:
- cache-name: cache-openssl-prev-http3-no-deprecated
- with:
- path: ~/openssl-prev/build
- key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_PREV_VERSION }}
- fail-on-cache-miss: true
-
- - name: 'cache libressl'
- if: ${{ contains(matrix.build.name, 'libressl') }}
- uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
- id: cache-libressl
- env:
- cache-name: cache-libressl
- with:
- path: ~/libressl/build
- key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.LIBRESSL_VERSION }}
- fail-on-cache-miss: true
-
- name: 'cache awslc'
if: ${{ contains(matrix.build.name, 'awslc') }}
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.GNUTLS_VERSION }}-${{ env.NETTLE_VERSION }}
fail-on-cache-miss: true
+ - name: 'cache libressl'
+ if: ${{ contains(matrix.build.name, 'libressl') }}
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+ id: cache-libressl
+ env:
+ cache-name: cache-libressl
+ with:
+ path: ~/libressl/build
+ key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.LIBRESSL_VERSION }}
+ fail-on-cache-miss: true
+
+ - name: 'cache openssl'
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+ id: cache-openssl-http3-no-deprecated
+ env:
+ cache-name: cache-openssl-http3-no-deprecated
+ with:
+ path: ~/openssl/build
+ key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_VERSION }}
+ fail-on-cache-miss: true
+
+ - name: 'cache openssl-prev'
+ if: ${{ contains(matrix.build.name, 'openssl-prev') }}
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+ id: cache-openssl-prev-http3-no-deprecated
+ env:
+ cache-name: cache-openssl-prev-http3-no-deprecated
+ with:
+ path: ~/openssl-prev/build
+ key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_PREV_VERSION }}
+ fail-on-cache-miss: true
+
- name: 'cache wolfssl'
if: ${{ contains(matrix.build.name, 'wolfssl') }}
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
${{ env.LIBRESSL_VERSION }}-${{ env.AWSLC_VERSION }}-${{ env.NETTLE_VERSION }}-${{ env.GNUTLS_VERSION }}-${{ env.WOLFSSL_VERSION }}"
fail-on-cache-miss: true
- - name: 'cache ngtcp2 openssl-prev'
- if: ${{ contains(matrix.build.name, 'openssl-prev') }}
- uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
- id: cache-ngtcp2-openssl-prev
- env:
- cache-name: cache-ngtcp2-openssl-prev
- with:
- path: ~/ngtcp2-openssl-prev/build
- key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.NGTCP2_VERSION }}-${{ env.OPENSSL_PREV_VERSION }}
- fail-on-cache-miss: true
-
- name: 'cache ngtcp2 boringssl'
if: ${{ contains(matrix.build.name, 'boringssl') }}
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.NGTCP2_VERSION }}-${{ env.BORINGSSL_VERSION }}
fail-on-cache-miss: true
+ - name: 'cache ngtcp2 openssl-prev'
+ if: ${{ contains(matrix.build.name, 'openssl-prev') }}
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+ id: cache-ngtcp2-openssl-prev
+ env:
+ cache-name: cache-ngtcp2-openssl-prev
+ with:
+ path: ~/ngtcp2-openssl-prev/build
+ key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.NGTCP2_VERSION }}-${{ env.OPENSSL_PREV_VERSION }}
+ fail-on-cache-miss: true
+
- name: 'cache nghttp2'
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
id: cache-nghttp2
CURL_CI: github
CURL_TEST_MIN: 1660
DO_NOT_TRACK: '1'
+ # renovate: datasource=github-tags depName=awslabs/aws-lc versioning=semver registryUrl=https://github.com
+ AWSLC_VERSION: 1.73.0
+ # renovate: datasource=github-tags depName=google/boringssl versioning=semver registryUrl=https://github.com
+ BORINGSSL_VERSION: 0.20260508.0
+ # renovate: datasource=github-releases depName=pizlonator/fil-c versioning=semver-coerced registryUrl=https://github.com
+ FIL_C_VERSION: 0.678
# renovate: datasource=github-tags depName=libressl/portable versioning=semver registryUrl=https://github.com
LIBRESSL_VERSION: 4.3.1
- # renovate: datasource=github-tags depName=wolfSSL/wolfssl versioning=semver extractVersion=^v?(?<version>.+)-stable$ registryUrl=https://github.com
- WOLFSSL_VERSION: 5.9.1
# renovate: datasource=github-tags depName=Mbed-TLS/mbedtls versioning=semver registryUrl=https://github.com
MBEDTLS_VERSION: 4.0.0
# manually bumped
MBEDTLS_PREV_VERSION: 3.6.5
MBEDTLS_PREV_SHA256: 4a11f1777bb95bf4ad96721cac945a26e04bf19f57d905f241fe77ebeddf46d8
- # renovate: datasource=github-tags depName=awslabs/aws-lc versioning=semver registryUrl=https://github.com
- AWSLC_VERSION: 1.73.0
- # renovate: datasource=github-tags depName=google/boringssl versioning=semver registryUrl=https://github.com
- BORINGSSL_VERSION: 0.20260508.0
+ # renovate: datasource=github-tags depName=nghttp2/nghttp2 versioning=semver registryUrl=https://github.com
+ NGHTTP2_VERSION: 1.69.0
+ # handled in renovate.json
+ OPENLDAP_VERSION: 2.6.10
# renovate: datasource=github-releases depName=openssl/openssl versioning=semver extractVersion=^openssl-(?<version>.+)$ registryUrl=https://github.com
OPENSSL_VERSION: 4.0.0
# renovate: datasource=github-tags depName=rustls/rustls-ffi versioning=semver registryUrl=https://github.com
RUSTLS_VERSION: 0.15.3
- # handled in renovate.json
- OPENLDAP_VERSION: 2.6.10
- # renovate: datasource=github-tags depName=nghttp2/nghttp2 versioning=semver registryUrl=https://github.com
- NGHTTP2_VERSION: 1.69.0
- # renovate: datasource=github-releases depName=pizlonator/fil-c versioning=semver-coerced registryUrl=https://github.com
- FIL_C_VERSION: 0.678
+ # renovate: datasource=github-tags depName=wolfSSL/wolfssl versioning=semver extractVersion=^v?(?<version>.+)-stable$ registryUrl=https://github.com
+ WOLFSSL_VERSION: 5.9.1
jobs:
linux:
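Review bot: `FIL_C_VERSION: 0.678` is an unquoted plain scalar that YAML loaders read as a float, so a hypothetical later release such as 0.680 would be loaded as 0.68 and would no longer match the upstream tag. Quote it the way `DO_NOT_TRACK: '1'` already is, `FIL_C_VERSION: '0.678'`, and check that the Renovate matcher for this line (not visible here) still accepts the quoted form. The three-component versions in this block are read as strings and are not affected.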
fail-fast: false
matrix:
build:
+ - name: 'awslc'
+ install_steps: awslc pytest
+ LDFLAGS: -Wl,-rpath,/home/runner/awslc/lib
+ configure: --with-openssl=/home/runner/awslc --enable-ech --enable-ntlm
+
+ - name: 'awslc'
+ install_packages: libidn2-dev
+ install_steps: awslc
+ generate: -DOPENSSL_ROOT_DIR=/home/runner/awslc -DUSE_ECH=ON -DCMAKE_UNITY_BUILD=OFF -DCURL_DROP_UNUSED=ON -DCURL_PATCHSTAMP=test-patch -DCURL_ENABLE_NTLM=ON
+
+ - name: 'boringssl'
+ install_steps: boringssl pytest
+ generate: -DOPENSSL_ROOT_DIR=/home/runner/boringssl -DUSE_ECH=ON -DCURL_ENABLE_NTLM=ON
+
- name: 'libressl krb5'
image: ubuntu-24.04-arm
install_packages: libidn2-dev libnghttp2-dev libldap-dev libkrb5-dev
LDFLAGS: -Wl,-rpath,/home/runner/libressl/lib
configure: --with-openssl=/home/runner/libressl --enable-debug
- - name: 'wolfssl-all'
- image: ubuntu-24.04-arm
- install_steps: wolfssl-all-arm
- LDFLAGS: -Wl,-rpath,/home/runner/wolfssl-all/lib
- configure: --with-wolfssl=/home/runner/wolfssl-all --enable-ech --enable-debug
-
- - name: 'wolfssl-opensslextra valgrind 1'
- image: ubuntu-24.04-arm
- install_packages: valgrind
- install_steps: wolfssl-opensslextra-arm
- tflags: '--min=815 1 to 1000'
- LDFLAGS: -Wl,-rpath,/home/runner/wolfssl-opensslextra/lib
- configure: --with-wolfssl=/home/runner/wolfssl-opensslextra --enable-ech --enable-debug
-
- - name: 'wolfssl-opensslextra valgrind 2'
- image: ubuntu-24.04-arm
- install_packages: valgrind
- install_steps: wolfssl-opensslextra-arm
- tflags: '--min=835 1001 to 9999'
- LDFLAGS: -Wl,-rpath,/home/runner/wolfssl-opensslextra/lib
- configure: --with-wolfssl=/home/runner/wolfssl-opensslextra --enable-ech --enable-debug
+ - name: 'libressl Fil-C'
+ install_steps: filc libressl-filc nghttp2-filc pytest
+ tflags: '!776' # adds 1-9 minutes to the test run step, and fails consistently
+ CC: /home/runner/filc/build/bin/filcc
+ PKG_CONFIG_PATH: /home/runner/nghttp2/lib/pkgconfig
+ generate: >-
+ -DBUILD_STATIC_LIBS=ON -DBUILD_SHARED_LIBS=OFF -DCMAKE_UNITY_BUILD=OFF -DCURL_DISABLE_TYPECHECK=ON
+ -DOPENSSL_ROOT_DIR=/home/runner/libressl -DCURL_USE_LIBPSL=OFF
+ -DCURL_ZLIB=OFF -DCURL_BROTLI=OFF -DCURL_ZSTD=OFF
+ -DCURL_DISABLE_LDAP=ON -DUSE_LIBIDN2=OFF -DCURL_USE_LIBSSH2=OFF
+ -DCURL_ENABLE_NTLM=ON
- name: 'mbedtls gss valgrind 1'
image: ubuntu-24.04-arm
-DBUILD_LIBCURL_DOCS=OFF -DBUILD_MISC_DOCS=OFF -DENABLE_CURL_MANUAL=OFF
-DCURL_COMPLETION_FISH=ON -DCURL_COMPLETION_ZSH=ON
- - name: 'awslc'
- install_steps: awslc pytest
- LDFLAGS: -Wl,-rpath,/home/runner/awslc/lib
- configure: --with-openssl=/home/runner/awslc --enable-ech --enable-ntlm
+ - name: 'rustls valgrind 1'
+ install_packages: libnghttp2-dev libldap-dev valgrind
+ install_steps: rust rustls
+ tflags: '--min=820 1 to 1000'
+ generate: -DCURL_USE_RUSTLS=ON -DUSE_ECH=ON -DENABLE_DEBUG=ON
- - name: 'awslc'
- install_packages: libidn2-dev
- install_steps: awslc
- generate: -DOPENSSL_ROOT_DIR=/home/runner/awslc -DUSE_ECH=ON -DCMAKE_UNITY_BUILD=OFF -DCURL_DROP_UNUSED=ON -DCURL_PATCHSTAMP=test-patch -DCURL_ENABLE_NTLM=ON
+ - name: 'rustls valgrind 2'
+ install_packages: libnghttp2-dev libldap-dev valgrind
+ install_steps: rust rustls
+ tflags: '--min=830 1001 to 9999'
+ generate: -DCURL_USE_RUSTLS=ON -DUSE_ECH=ON -DENABLE_DEBUG=ON
- - name: 'boringssl'
- install_steps: boringssl pytest
- generate: -DOPENSSL_ROOT_DIR=/home/runner/boringssl -DUSE_ECH=ON -DCURL_ENABLE_NTLM=ON
+ - name: 'rustls'
+ install_packages: libnghttp2-dev libldap-dev
+ install_steps: rust rustls skiprun pytest
+ configure: --with-rustls --enable-ech --enable-debug
+
+ - name: 'wolfssl-all'
+ image: ubuntu-24.04-arm
+ install_steps: wolfssl-all-arm
+ LDFLAGS: -Wl,-rpath,/home/runner/wolfssl-all/lib
+ configure: --with-wolfssl=/home/runner/wolfssl-all --enable-ech --enable-debug
+
+ - name: 'wolfssl-opensslextra valgrind 1'
+ image: ubuntu-24.04-arm
+ install_packages: valgrind
+ install_steps: wolfssl-opensslextra-arm
+ tflags: '--min=815 1 to 1000'
+ LDFLAGS: -Wl,-rpath,/home/runner/wolfssl-opensslextra/lib
+ configure: --with-wolfssl=/home/runner/wolfssl-opensslextra --enable-ech --enable-debug
+
+ - name: 'wolfssl-opensslextra valgrind 2'
+ image: ubuntu-24.04-arm
+ install_packages: valgrind
+ install_steps: wolfssl-opensslextra-arm
+ tflags: '--min=835 1001 to 9999'
+ LDFLAGS: -Wl,-rpath,/home/runner/wolfssl-opensslextra/lib
+ configure: --with-wolfssl=/home/runner/wolfssl-opensslextra --enable-ech --enable-debug
- name: 'openssl default'
install_steps: pytest
tflags: '--min=500'
configure: --without-ssl --enable-debug --disable-http --disable-smtp --disable-imap --disable-unity
- - name: 'libressl Fil-C'
- install_steps: filc libressl-filc nghttp2-filc pytest
- tflags: '!776' # adds 1-9 minutes to the test run step, and fails consistently
- CC: /home/runner/filc/build/bin/filcc
- PKG_CONFIG_PATH: /home/runner/nghttp2/lib/pkgconfig
- generate: >-
- -DBUILD_STATIC_LIBS=ON -DBUILD_SHARED_LIBS=OFF -DCMAKE_UNITY_BUILD=OFF -DCURL_DISABLE_TYPECHECK=ON
- -DOPENSSL_ROOT_DIR=/home/runner/libressl -DCURL_USE_LIBPSL=OFF
- -DCURL_ZLIB=OFF -DCURL_BROTLI=OFF -DCURL_ZSTD=OFF
- -DCURL_DISABLE_LDAP=ON -DUSE_LIBIDN2=OFF -DCURL_USE_LIBSSH2=OFF
- -DCURL_ENABLE_NTLM=ON
-
- name: 'clang-tidy'
install_packages: clang-20 clang-tidy-20 libssl-dev libidn2-dev libssh2-1-dev libnghttp2-dev libldap-dev libkrb5-dev libgnutls28-dev
install_steps: skiprun mbedtls-latest-intel rustls wolfssl-opensslextra-intel
configure: --enable-debug --enable-static --disable-shared --disable-threaded-resolver --with-libssh --with-openssl
tflags: '-n --test-duphandle'
- - name: 'rustls valgrind 1'
- install_packages: libnghttp2-dev libldap-dev valgrind
- install_steps: rust rustls
- tflags: '--min=820 1 to 1000'
- generate: -DCURL_USE_RUSTLS=ON -DUSE_ECH=ON -DENABLE_DEBUG=ON
-
- - name: 'rustls valgrind 2'
- install_packages: libnghttp2-dev libldap-dev valgrind
- install_steps: rust rustls
- tflags: '--min=830 1001 to 9999'
- generate: -DCURL_USE_RUSTLS=ON -DUSE_ECH=ON -DENABLE_DEBUG=ON
-
- - name: 'rustls'
- install_packages: libnghttp2-dev libldap-dev
- install_steps: rust rustls skiprun pytest
- configure: --with-rustls --enable-ech --enable-debug
-
- name: 'IntelC openssl'
install_packages: libssl-dev
install_steps: intelc
cmake_push_check_state()
list(APPEND CMAKE_REQUIRED_LIBRARIES OpenSSL::SSL OpenSSL::Crypto)
- if(NOT DEFINED HAVE_BORINGSSL)
- check_symbol_exists("OPENSSL_IS_BORINGSSL" "openssl/base.h" HAVE_BORINGSSL)
- endif()
if(NOT DEFINED HAVE_AWSLC)
check_symbol_exists("OPENSSL_IS_AWSLC" "openssl/base.h" HAVE_AWSLC)
endif()
+ if(NOT DEFINED HAVE_BORINGSSL)
+ check_symbol_exists("OPENSSL_IS_BORINGSSL" "openssl/base.h" HAVE_BORINGSSL)
+ endif()
if(NOT DEFINED HAVE_LIBRESSL)
check_symbol_exists("LIBRESSL_VERSION_NUMBER" "openssl/opensslv.h" HAVE_LIBRESSL)
endif()
cmake_pop_check_state()
- if(HAVE_BORINGSSL OR HAVE_AWSLC)
- if(NOT MSVC AND NOT ANDROID) # BoringSSL/AWS-LC MSVC builds use native Windows threads
+ if(HAVE_AWSLC OR HAVE_BORINGSSL)
+ if(NOT MSVC AND NOT ANDROID) # AWS-LC/BoringSSL MSVC builds use native Windows threads
find_package(Threads)
if(CMAKE_USE_PTHREADS_INIT)
set(HAVE_THREADS_POSIX_BORINGSSL 1)
list(APPEND CURL_NETWORK_AND_TIME_LIBS Threads::Threads)
list(APPEND CMAKE_REQUIRED_LIBRARIES Threads::Threads)
elseif(OPENSSL_USE_STATIC_LIBS)
- message(WARNING "BoringSSL/AWS-LC requires POSIX Threads.")
+ message(WARNING "AWS-LC/BoringSSL requires POSIX Threads.")
endif()
endif()
if(OPENSSL_USE_STATIC_LIBS AND CMAKE_C_COMPILER_ID MATCHES "Clang")
endif()
endif()
- if(HAVE_BORINGSSL)
+ if(USE_AMISSL)
+ set(_openssl "AmiSSL")
+ elseif(HAVE_AWSLC)
+ set(_openssl "AWS-LC")
+ elseif(HAVE_BORINGSSL)
if(BORINGSSL_VERSION)
set(CURL_BORINGSSL_VERSION "\"${BORINGSSL_VERSION}\"")
endif()
set(_openssl "BoringSSL")
- elseif(HAVE_AWSLC)
- set(_openssl "AWS-LC")
elseif(HAVE_LIBRESSL)
set(_openssl "LibreSSL")
- elseif(USE_AMISSL)
- set(_openssl "AmiSSL")
else()
set(_openssl "OpenSSL")
endif()
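Review bot: Reordering this `if`/`elseif` chain changes precedence, not just listing order: `USE_AMISSL` is now tested before every `HAVE_*` result, and `HAVE_AWSLC` before `HAVE_BORINGSSL`. If two of them are ever true at once, `_openssl` gets a different name than before, and the `CURL_BORINGSSL_VERSION` assignment in the BoringSSL branch is skipped when `HAVE_AWSLC` is also set. Whether these conditions can overlap is not visible here, as it depends on what each library's `openssl/base.h` defines. Please confirm they are mutually exclusive and say so above the chain, e.g. `# Detection results are mutually exclusive; branch order is alphabetical only.`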
set(HAVE_ECH 1)
endif()
if(NOT HAVE_ECH)
- message(FATAL_ERROR "ECH support missing in OpenSSL/BoringSSL/AWS-LC/wolfSSL/rustls-ffi")
+ message(FATAL_ERROR "ECH support missing in AWS-LC/BoringSSL/OpenSSL/Rustls/wolfSSL")
else()
message(STATUS "ECH enabled")
# ECH wants HTTPSRR
message(STATUS "HTTPSRR enabled")
endif()
else()
- message(FATAL_ERROR "ECH requires ECH-enabled OpenSSL, BoringSSL, AWS-LC, wolfSSL or rustls-ffi")
+ message(FATAL_ERROR "ECH requires ECH-enabled AWS-LC, BoringSSL, OpenSSL, Rustls or wolfSSL")
endif()
endif()
### TLS 1.2 (1.1, 1.0) cipher suites
-Setting TLS 1.2 cipher suites is supported by curl with OpenSSL, LibreSSL,
-BoringSSL, mbedTLS (curl 8.8.0+), wolfSSL (curl 7.53.0+). Schannel does not
-support setting cipher suites directly, but does support setting algorithms
-(curl 7.61.0+), see Schannel notes below.
+Setting TLS 1.2 cipher suites is supported by curl with AWS-LC, BoringSSL,
+LibreSSL, mbedTLS (curl 8.8.0+), OpenSSL, wolfSSL (curl 7.53.0+). Schannel
+does not support setting cipher suites directly, but does support setting
+algorithms (curl 7.61.0+), see Schannel notes below.
For TLS 1.2 cipher suites there are multiple naming schemes, the two most used
are with OpenSSL names (e.g. `ECDHE-RSA-AES128-GCM-SHA256`) and IANA names
- `GnuTLS`
- `mbedTLS`
-- `OpenSSL` (also covers BoringSSL, LibreSSL, quictls, AWS-LC and AmiSSL)
+- `OpenSSL` (also covers AmiSSL, AWS-LC, BoringSSL, LibreSSL and quictls)
- `rustls`
- `Schannel`
- `wolfSSL`
We have added support for ECH to curl. It can use HTTPS RRs published in the
DNS if curl uses DoH, or else can accept the relevant ECHConfigList values
-from the command line. This works with OpenSSL, wolfSSL, BoringSSL, AWS-LC
-or rustls-ffi as the TLS provider.
+from the command line. This works with AWS-LC, BoringSSL, OpenSSL, Rustls or
+wolfSSL as the TLS provider.
This feature is EXPERIMENTAL. DO NOT USE IN PRODUCTION.
```
At that point, you could copy the base64 encoded value above and try again.
-For now, this only works for the OpenSSL and BoringSSL/AWS-LC builds.
+For now, this only works for the OpenSSL and AWS-LC/BoringSSL builds.
## Default settings
make
```
-The BoringSSL/AWS-LC APIs are fairly similar to those in our ECH-enabled
+The AWS-LC/BoringSSL APIs are fairly similar to those in our ECH-enabled
OpenSSL fork, so code changes are also in `lib/vtls/openssl.c`, protected
via `#ifdef OPENSSL_IS_BORINGSSL` and are mostly obvious API variations.
-The BoringSSL/AWS-LC APIs however do not support the `--ech pn:` command
+The AWS-LC/BoringSSL APIs however do not support the `--ech pn:` command
line variant as of now.
## wolfSSL build
The lack of support for `--ech false` is because wolfSSL has decided to
always at least GREASE if built to support ECH. In other words, GREASE is
a compile time choice for wolfSSL, but a runtime choice for OpenSSL or
-BoringSSL/AWS-LC. (Both are reasonable.)
+AWS-LC/BoringSSL. (Both are reasonable.)
## Additional notes
needed, or one can access the value from command line output in verbose more
and then reuse that in another invocation.
-Both our OpenSSL fork and BoringSSL/AWS-LC have APIs for both controlling GREASE
+Both our OpenSSL fork and AWS-LC/BoringSSL have APIs for both controlling GREASE
and accessing and logging `retry_configs`, it seems wolfSSL has neither.
### Testing ECH
that SSL functionality can then be provided by one out of many different SSL
backends.
-curl can be built to use one of the following SSL alternatives: OpenSSL,
-LibreSSL, BoringSSL, AWS-LC, GnuTLS, wolfSSL, mbedTLS, Schannel (native
-Windows) or Rustls. They all have their pros and cons, and we maintain [a TLS
-library comparison](https://curl.se/docs/ssl-compared.html).
+curl can be built to use one of the following SSL alternatives: AWS-LC,
+BoringSSL, GnuTLS, LibreSSL, OpenSSL, mbedTLS, Rustls, Schannel (native
+Windows), or wolfSSL. They all have their pros and cons, and we maintain
+[a TLS library comparison](https://curl.se/docs/ssl-compared.html).
## How do I upgrade curl.exe in Windows?
- AmiSSL: `--with-amissl`
- GnuTLS: `--with-gnutls`.
- mbedTLS: `--with-mbedtls`
-- OpenSSL: `--with-openssl` (also for BoringSSL, AWS-LC, LibreSSL, and quictls)
+- OpenSSL: `--with-openssl` (also for AWS-LC, BoringSSL, LibreSSL, and quictls)
- Rustls: `--with-rustls`
- Schannel: `--with-schannel`
- wolfSSL: `--with-wolfssl`
for Android using OpenSSL like this:
```sh
-# For OpenSSL/BoringSSL. In general, you need to the SSL/TLS layer's transitive
+# For BoringSSL/OpenSSL. In general, you need to the SSL/TLS layer's transitive
# dependencies if you are linking statically.
LIBS='-lssl -lcrypto -lc++'
./configure --host aarch64-linux-android --with-pic --disable-shared --with-openssl="$TOOLCHAIN/sysroot/usr"
This option is independent of other CA certificate locations set at run time or
build time. Those locations are searched in addition to the native CA store.
-This option works with OpenSSL and its forks (LibreSSL, BoringSSL, etc) on
+This option works with OpenSSL and its forks (BoringSSL, LibreSSL, etc) on
Windows (Added in 7.71.0) and on Apple OS when libcurl is built with
Apple SecTrust enabled. (Added in 8.17.0)
Enable the use of TLSv1.3 early data, also known as '0RTT' where possible.
This has security implications for the requests sent that way.
-This option can be used when curl is built to use GnuTLS, wolfSSL, quictls and
-OpenSSL as a TLS provider (but not BoringSSL, AWS-LC, or Rustls).
+This option can be used when curl is built to use GnuTLS, OpenSSL, quictls and
+wolfSSL as a TLS provider (but not AWS-LC, BoringSSL, or Rustls).
If a server supports this TLSv1.3 feature, and to what extent, is announced
as part of the TLS "session" sent back to curl. Until curl has seen such
Schannel, wolfSSL
The name "OpenSSL" is used for all versions of OpenSSL and its associated
-forks/flavors in this function. OpenSSL, BoringSSL, LibreSSL, quictls and
-AmiSSL are all supported by libcurl, but in the eyes of curl_global_sslset(3)
-they are all called "OpenSSL". They all mostly provide the same API.
-curl_version_info(3) can return more specific info about the exact OpenSSL
-flavor and version number in use.
+forks/flavors in this function. AmiSSL, AWS-LC, BoringSSL, LibreSSL, OpenSSL
+and quictls are all supported by libcurl, but in the eyes of
+curl_global_sslset(3) they are all called "OpenSSL". They all mostly provide
+the same API. curl_version_info(3) can return more specific info about the
+exact OpenSSL flavor and version number in use.
# struct
does by default. This option fails the certificate verification if the chain
ends with an intermediate certificate and not with a root cert.
-Works with OpenSSL and its forks (LibreSSL, BoringSSL, etc). (Added in 7.68.0)
+Works with OpenSSL and its forks (BoringSSL, LibreSSL, etc). (Added in 7.68.0)
Works with Schannel if the user specified certificates to verify the peer.
(Added in 8.15.0)
at run time or build time. Those locations are searched in addition to the
native CA store.
-Works with wolfSSL on Windows, Linux (Debian, Ubuntu, Gentoo, Fedora, RHEL),
+Works with wolfSSL on Windows, Linux (Debian, Fedora, Gentoo, RHEL, Ubuntu),
macOS, Android and iOS (added in 8.3.0); with GnuTLS (added in 8.5.0) and with
-OpenSSL and its forks (LibreSSL, BoringSSL, etc) on Windows (Added in 7.71.0).
+OpenSSL and its forks (BoringSSL, LibreSSL, etc) on Windows (Added in 7.71.0).
## CURLSSLOPT_AUTO_CLIENT_CERT
does by default. This option fails the certificate verification if the chain
ends with an intermediate certificate and not with a root cert.
-Works with OpenSSL and its forks (LibreSSL, BoringSSL, etc). (Added in 7.68.0)
+Works with OpenSSL and its forks (BoringSSL, LibreSSL, etc). (Added in 7.68.0)
Works with Schannel if the user specified certificates to verify the peer.
(Added in 8.15.0)
at run time or build time. Those locations are searched in addition to the
native CA store.
-Works with wolfSSL on Windows, Linux (Debian, Ubuntu, Gentoo, Fedora, RHEL),
+Works with wolfSSL on Windows, Linux (Debian, Fedora, Gentoo, RHEL, Ubuntu),
macOS, Android and iOS (added in 8.3.0); with GnuTLS (added in 8.5.0) and with
-OpenSSL and its forks (LibreSSL, BoringSSL, etc) on Windows (Added in 7.71.0).
+OpenSSL and its forks (BoringSSL, LibreSSL, etc) on Windows (Added in 7.71.0).
This works with Rustls on Windows, macOS, Android and iOS. On Linux it is
equivalent to using the Mozilla CA certificate bundle. When used with Rustls
## CURLSSLOPT_EARLYDATA
Tell libcurl to try sending application data as TLS1.3 early data. This option
-is supported for GnuTLS, wolfSSL, quictls and OpenSSL (but not BoringSSL
-or AWS-LC). It works on TCP and QUIC connections using ngtcp2.
+is supported for GnuTLS, OpenSSL, quictls and wolfSSL (but not AWS-LC or
+BoringSSL). It works on TCP and QUIC connections using ngtcp2.
This option works on a best effort basis,
in cases when it was not possible to send early data the request is resent
normally post-handshake.
This option does not work when using QUIC.
-(Added in 8.11.0 for GnuTLS and 8.13.0 for wolfSSL, quictls and OpenSSL)
+(Added in 8.11.0 for GnuTLS and 8.13.0 for OpenSSL, quictls and wolfSSL)
# DEFAULT
#if defined(_WIN32) && !defined(CURL_STATICLIB)
#if defined(USE_OPENSSL) && \
- !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) && \
+ !defined(OPENSSL_IS_AWSLC) && !defined(OPENSSL_IS_BORINGSSL) && \
!defined(LIBRESSL_VERSION_NUMBER)
#define PREVENT_OPENSSL_MEMLEAK
#endif
#ifdef USE_WIN32_LDAP /* Use Windows LDAP implementation. */
# include <winldap.h>
-/* Undefine indirect <wincrypt.h> symbols conflicting with BoringSSL/AWS-LC. */
+/* Undefine indirect <wincrypt.h> symbols conflicting with AWS-LC/BoringSSL. */
# undef X509_NAME
# undef X509_EXTENSIONS
# undef PKCS7_ISSUER_AND_SERIAL
#ifdef USE_OPENSSL
#include <openssl/err.h>
-#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+#if defined(OPENSSL_IS_AWSLC) || defined(OPENSSL_IS_BORINGSSL)
#include <ngtcp2/ngtcp2_crypto_boringssl.h>
#elif defined(OPENSSL_QUIC_API2)
#include <ngtcp2/ngtcp2_crypto_ossl.h>
struct curl_tls_ctx *ctx = user_data;
#ifdef USE_OPENSSL
-#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+#if defined(OPENSSL_IS_AWSLC) || defined(OPENSSL_IS_BORINGSSL)
if(ngtcp2_crypto_boringssl_configure_client_context(ctx->ossl.ssl_ctx)
!= 0) {
failf(data, "ngtcp2_crypto_boringssl_configure_client_context failed");
failf(data, "ngtcp2_crypto_quictls_configure_client_context failed");
return CURLE_FAILED_INIT;
}
-#endif /* !OPENSSL_IS_BORINGSSL && !OPENSSL_IS_AWSLC */
+#endif /* !OPENSSL_IS_AWSLC && !OPENSSL_IS_BORINGSSL */
if(Curl_ssl_scache_use(cf, data)) {
/* Enable the session cache because it is a prerequisite for the
* "new session" callback. Use the "external storage" mode to prevent
#endif
/* Whether SSL_CTX_set_ciphersuites is available.
- * OpenSSL: supported since 1.1.1 (commit a53b5be6a05)
* BoringSSL: no
* LibreSSL: supported since 3.4.1 (released 2021-10-14)
+ * OpenSSL: supported since 1.1.1 (commit a53b5be6a05)
*/
#if (!defined(LIBRESSL_VERSION_NUMBER) || \
(defined(LIBRESSL_VERSION_NUMBER) && \
#endif
/* Whether SSL_CTX_set1_sigalgs_list is available
- * OpenSSL: supported since 1.0.2 (commit 0b362de5f575)
* BoringSSL: supported since 0.20240913.0 (commit 826ce15)
* LibreSSL: no
+ * OpenSSL: supported since 1.0.2 (commit 0b362de5f575)
*/
#ifndef LIBRESSL_VERSION_NUMBER
#define HAVE_SSL_CTX_SET1_SIGALGS
#ifdef LIBRESSL_VERSION_NUMBER
#define OSSL_PACKAGE "LibreSSL"
-#elif defined(OPENSSL_IS_BORINGSSL)
-#define OSSL_PACKAGE "BoringSSL"
#elif defined(OPENSSL_IS_AWSLC)
#define OSSL_PACKAGE "AWS-LC"
+#elif defined(OPENSSL_IS_BORINGSSL)
+#define OSSL_PACKAGE "BoringSSL"
#elif defined(USE_NGTCP2) && defined(USE_NGHTTP3) && \
!defined(OPENSSL_QUIC_API2)
#define OSSL_PACKAGE "quictls"
}
#ifdef SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED
/* SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED is only available on
- OpenSSL version above v1.1.1, not LibreSSL, BoringSSL, or AWS-LC */
+ OpenSSL version above v1.1.1, not AWS-LC, BoringSSL, or LibreSSL */
else if((lib == ERR_LIB_SSL) &&
(reason == SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED)) {
/* If client certificate is required, communicate the
*p = '_';
}
return count;
+#elif defined(OPENSSL_IS_AWSLC)
+ return curl_msnprintf(buffer, size, "%s/%s",
+ OSSL_PACKAGE, AWSLC_VERSION_NUMBER_STRING);
#elif defined(OPENSSL_IS_BORINGSSL)
#ifdef CURL_BORINGSSL_VERSION
return curl_msnprintf(buffer, size, "%s/%s",
#else
return curl_msnprintf(buffer, size, OSSL_PACKAGE);
#endif
-#elif defined(OPENSSL_IS_AWSLC)
- return curl_msnprintf(buffer, size, "%s/%s",
- OSSL_PACKAGE, AWSLC_VERSION_NUMBER_STRING);
#else /* OpenSSL 3+ */
return curl_msnprintf(buffer, size, "%s/%s",
OSSL_PACKAGE, OpenSSL_version(OPENSSL_VERSION_STRING));
* <winldap.h>, <iphlpapi.h>, or something else, <wincrypt.h> does this:
* #define X509_NAME ((LPCSTR)7)
*
- * In BoringSSL/AWC-LC's <openssl/base.h> there is:
+ * In AWC-LC/BoringSSL's <openssl/base.h> there is:
* typedef struct X509_name_st X509_NAME;
* etc.
*
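Review bot: The rewritten comment line still spells the library `AWC-LC`; since the line is being touched anyway it should read `* In AWS-LC/BoringSSL's <openssl/base.h> there is:`. The misspelling also keeps this explanation of the `<wincrypt.h>` symbol clash from turning up in a search for `AWS-LC`. The comment block starts before and continues after this hunk.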
#define HAVE_OPENSSL3 /* non-fork OpenSSL 3.x or later */
#endif
-#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+#if defined(OPENSSL_IS_AWSLC) || defined(OPENSSL_IS_BORINGSSL)
#define HAVE_BORINGSSL_LIKE
#endif
/*
* Whether SSL_CTX_set_keylog_callback is available.
- * OpenSSL: supported since 1.1.1 https://github.com/openssl/openssl/pull/2287
* BoringSSL: supported since d28f59c27bac (committed 2015-11-19)
* LibreSSL: not supported. 3.5.0+ has a stub function that does nothing.
+ * OpenSSL: supported since 1.1.1 https://github.com/openssl/openssl/pull/2287
*/
#ifndef LIBRESSL_VERSION_NUMBER
#define HAVE_KEYLOG_CALLBACK
if test "$OPENSSL_ENABLED" = "1"; then
dnl These can only exist if OpenSSL exists
- AC_MSG_CHECKING([for BoringSSL])
+ AC_MSG_CHECKING([for AWS-LC])
AC_COMPILE_IFELSE([
AC_LANG_PROGRAM([[
#include <openssl/base.h>
]],[[
- #ifndef OPENSSL_IS_BORINGSSL
- #error not boringssl
+ #ifndef OPENSSL_IS_AWSLC
+ #error not AWS-LC
#endif
]])
],[
AC_MSG_RESULT([yes])
- ssl_msg="BoringSSL"
- OPENSSL_IS_BORINGSSL=1
+ ssl_msg="AWS-LC"
+ OPENSSL_IS_AWSLC=1
],[
AC_MSG_RESULT([no])
])
- AC_MSG_CHECKING([for AWS-LC])
+ AC_MSG_CHECKING([for BoringSSL])
AC_COMPILE_IFELSE([
AC_LANG_PROGRAM([[
#include <openssl/base.h>
]],[[
- #ifndef OPENSSL_IS_AWSLC
- #error not AWS-LC
+ #ifndef OPENSSL_IS_BORINGSSL
+ #error not BoringSSL
#endif
]])
],[
AC_MSG_RESULT([yes])
- ssl_msg="AWS-LC"
- OPENSSL_IS_AWSLC=1
+ ssl_msg="BoringSSL"
+ OPENSSL_IS_BORINGSSL=1
],[
AC_MSG_RESULT([no])
])
#include <vtls/openssl.h>
#ifdef HAVE_BORINGSSL_LIKE
-/* BoringSSL and AWS-LC */
+/* AWS-LC and BoringSSL */
typedef uint32_t opt1587;
#else
typedef uint64_t opt1587;
$feature{"wolfssl"} = 1;
$feature{"SSLpinning"} = 1;
}
- elsif($libcurl =~ /\s(BoringSSL|AWS-LC)\b/i) {
+ elsif($libcurl =~ /\s(AWS-LC|BoringSSL)\b/i) {
# OpenSSL compatible API
$feature{"OpenSSL"} = 1;
$feature{"SSLpinning"} = 1;