From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH] libcurl: Allow selection of TLS package libcurl will use
Date: Thu, 08 Nov 2018 22:33:16 +0100 [thread overview]
Message-ID: <87ftwb8db7.fsf@dell.be.48ers.dk> (raw)
In-Reply-To: <20181108001209.14889-1-tpiepho@impinj.com> (Trent Piepho's message of "Thu, 8 Nov 2018 00:12:23 +0000")
>>>>> "Trent" == Trent Piepho <tpiepho@impinj.com> writes:
> Instead of defaulting to OpenSSL, allow selection of package to use
> through a choice in libcurl's config. The default will be to select the
> first enabled TLS provider in the same preference order as is used now,
> i.e. no change from current behavior.
> Some of the alternative libraries have advantages over OpenSSL in
> certain areas.
> For example, gnutls has vastly superior PKCS11 support. One can use
> client TLS private keys by supplying a PKCS11 URI instead of a private
> key file name. The TLS server cert trust store can be a PKCS11 URI,
> e.g. configure libcurl with a ca-bundle of "pkcs11:model=p11-kit-trust".
> Now server certs can be stored in a software and/or hardware HSM(s).
> This doesn't work with OpenSSL.
> However, some software only supports OpenSSL for TLS or other crypto
> functions. So it might be necessary to enable OpenSSL for that reason.
Ok, nice description.
> Signed-off-by: Trent Piepho <tpiepho@impinj.com>
> ---
> package/libcurl/Config.in | 28 ++++++++++++++++++++++++++++
> package/libcurl/libcurl.mk | 15 ++++++++-------
> 2 files changed, 36 insertions(+), 7 deletions(-)
> diff --git a/package/libcurl/Config.in b/package/libcurl/Config.in
> index 21c2ee2b7f..0b2334beb9 100644
> --- a/package/libcurl/Config.in
> +++ b/package/libcurl/Config.in
> @@ -19,4 +19,32 @@ config BR2_PACKAGE_LIBCURL_VERBOSE
> help
> Enable verbose text strings
> +choice
> + prompt "SSL/TLS library to use"
> + default BR2_PACKAGE_LIBCURL_OPENSSL if BR2_PACKAGE_OPENSSL
> + default BR2_PACKAGE_LIBCURL_GNUTLS if BR2_PACKAGE_GNUTLS
> + default BR2_PACKAGE_LIBCURL_LIBNSS if BR2_PACKAGE_LIBNSS
> + default BR2_PACKAGE_LIBCURL_MBEDTLS if BR2_PACKAGE_MBEDTLS
kconfig defaults to the first available option, so these default .. if
.. can be removed.
> +
> +config BR2_PACKAGE_LIBCURL_OPENSSL
> + bool "OpenSSL"
> + depends on BR2_PACKAGE_OPENSSL
> +
> +config BR2_PACKAGE_LIBCURL_GNUTLS
> + bool "GnuTLS"
> + depends on BR2_PACKAGE_GNUTLS
> +
> +config BR2_PACKAGE_LIBCURL_LIBNSS
> + bool "NSS"
> + depends on BR2_PACKAGE_LIBNSS
> +
> +config BR2_PACKAGE_LIBCURL_MBEDTLS
> + bool "mbed TLS"
> + depends on BR2_PACKAGE_MBEDTLS
> +
> +config BR2_PACKAGE_LIBCURL_NOSSL
> + bool "No SSL/TLS support"
Is there really a use case for building curl without TLS support if one
or more of the libraries are available? If not, then I would simply make
the choice depend on openssl || gnutls || libnss || mbedtls and drop
this nossl option.
--
Bye, Peter Korsgaard
next prev parent reply other threads:[~2018-11-08 21:33 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-08 0:12 [Buildroot] [PATCH] libcurl: Allow selection of TLS package libcurl will use Trent Piepho
2018-11-08 21:33 ` Peter Korsgaard [this message]
2018-11-08 21:55 ` Trent Piepho
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87ftwb8db7.fsf@dell.be.48ers.dk \
--to=peter@korsgaard.com \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox