From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH] libcurl: Allow selection of TLS package libcurl will use
Date: Thu, 08 Nov 2018 22:33:16 +0100	[thread overview]
Message-ID: <87ftwb8db7.fsf@dell.be.48ers.dk> (raw)
In-Reply-To: <20181108001209.14889-1-tpiepho@impinj.com> (Trent Piepho's message of "Thu, 8 Nov 2018 00:12:23 +0000")

>>>>> "Trent" == Trent Piepho <tpiepho@impinj.com> writes:

 > Instead of defaulting to OpenSSL, allow selection of package to use
 > through a choice in libcurl's config.  The default will be to select the
 > first enabled TLS provider in the same preference order as is used now,
 > i.e. no change from current behavior.

 > Some of the alternative libraries have advantages over OpenSSL in
 > certain areas.

 > For example, gnutls has vastly superior PKCS11 support.  One can use
 > client TLS private keys by supplying a PKCS11 URI instead of a private
 > key file name.  The TLS server cert trust store can be a PKCS11 URI,
 > e.g. configure libcurl with a ca-bundle of "pkcs11:model=p11-kit-trust".
 > Now server certs can be stored in a software and/or hardware HSM(s).
 > This doesn't work with OpenSSL.

 > However, some software only supports OpenSSL for TLS or other crypto
 > functions.  So it might be necessary to enable OpenSSL for that reason.

Ok, nice description.

 > Signed-off-by: Trent Piepho <tpiepho@impinj.com>
 > ---
 >  package/libcurl/Config.in  | 28 ++++++++++++++++++++++++++++
 >  package/libcurl/libcurl.mk | 15 ++++++++-------
 >  2 files changed, 36 insertions(+), 7 deletions(-)

 > diff --git a/package/libcurl/Config.in b/package/libcurl/Config.in
 > index 21c2ee2b7f..0b2334beb9 100644
 > --- a/package/libcurl/Config.in
 > +++ b/package/libcurl/Config.in
 > @@ -19,4 +19,32 @@ config BR2_PACKAGE_LIBCURL_VERBOSE
 >  	help
 >  	  Enable verbose text strings
 
 > +choice
 > +	prompt "SSL/TLS library to use"
 > +	default BR2_PACKAGE_LIBCURL_OPENSSL if BR2_PACKAGE_OPENSSL
 > +	default BR2_PACKAGE_LIBCURL_GNUTLS if BR2_PACKAGE_GNUTLS
 > +	default BR2_PACKAGE_LIBCURL_LIBNSS if BR2_PACKAGE_LIBNSS
 > +	default BR2_PACKAGE_LIBCURL_MBEDTLS if BR2_PACKAGE_MBEDTLS

kconfig defaults to the first available option, so these default .. if
.. can be removed.

> +
 > +config BR2_PACKAGE_LIBCURL_OPENSSL
 > +	bool "OpenSSL"
 > +	depends on BR2_PACKAGE_OPENSSL
 > +
 > +config BR2_PACKAGE_LIBCURL_GNUTLS
 > +	bool "GnuTLS"
 > +	depends on BR2_PACKAGE_GNUTLS
 > +
 > +config BR2_PACKAGE_LIBCURL_LIBNSS
 > +	bool "NSS"
 > +	depends on BR2_PACKAGE_LIBNSS
 > +
 > +config BR2_PACKAGE_LIBCURL_MBEDTLS
 > +	bool "mbed TLS"
 > +	depends on BR2_PACKAGE_MBEDTLS
 > +
 > +config BR2_PACKAGE_LIBCURL_NOSSL
 > +	bool "No SSL/TLS support"
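Review bot: the new choice and its five entries carry no help text, so a user configuring libcurl sees only library names and cannot tell why one would be preferred; the commit message already has the reasoning (GnuTLS accepts PKCS11 URIs for the client private key and the CA trust store, while some software only works with OpenSSL), so move it into a `help` block under the choice, and state under BR2_PACKAGE_LIBCURL_NOSSL that this option leaves libcurl unable to speak HTTPS or any other TLS-protected protocol. Note also that the choice itself has no `depends on`, so it is shown in menuconfig even when none of the four TLS packages is enabled, and then offers only the NOSSL entry.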

Is there really a use case for building curl without TLS support if one
or more of the libraries are available? If not, then I would simply make
the choice depend on openssl || gnutls || libnss || mbedtls and drop
this nossl option.

-- 
Bye, Peter Korsgaard
