Opened 8 years ago

Closed 4 years ago

#38369 closed enhancement (fixed)

curl: add Secure Transport (darwinssl) support

Reported by: macports-trac-phil@… Owned by: ryandesign (Ryan Schmidt)
Priority: Normal Milestone:
Component: ports Version: 2.1.3
Keywords: haspatch Cc: cooljeanius (Eric Gallager), john@…, dbevans (David B. Evans)
Port: curl

Description (last modified by larryv (Lawrence Velázquez))

Per http://daniel.haxx.se/blog/2012/06/28/darwin-native-ssl-for-curl/ the curl project has supported using Apple's native Secure Transport facility for SSL since 7.27.0; we're currently on 7.29.0.

With Secure Transport, the system keychain is used for trust anchors; this is sufficient benefit that I think it worth supporting a third SSL-related build variant.

"This ninth supported SSL library is now called ‘darwinssl’ in the curl code base." -- on this basis, I called the variant in the attached patch "darwinssl"; this is my first upstream contribution for MacPorts and I'm not aware of how to constrain this option to be available only on darwin, given that the port declares it is also appropriate for FreeBSD. I'm using curl built this way now.

% port installed curl
The following ports are currently installed:
  curl @7.29.0_0+ares+darwinssl (active)
  curl @7.29.0_0+ares+sftp_scp+ssl
% curl --version
curl 7.29.0 (x86_64-apple-darwin12.2.1) libcurl/7.29.0 SecureTransport zlib/1.2.7 c-ares/1.7.5 libidn/1.26
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile NTLM NTLM_WB SSL libz 

I can retrieve content from a site using a cert for a local CA that is installed in the keychains.

Attachments (1)

macports-curl-darwinssl.patch (1.7 KB) - added by macports-trac-phil@… 8 years ago.
patch for curl Portfile to add darwinssl

Download all attachments as: .zip

Change History (12)

Changed 8 years ago by macports-trac-phil@…

patch for curl Portfile to add darwinssl

comment:1 Changed 8 years ago by larryv (Lawrence Velázquez)

Description: modified (diff)
Keywords: ssl darwinssl removed
Owner: changed from macports-tickets@… to ryandesign@…

Thanks for the ticket. In the future, please Cc relevant port maintainers and use WikiFormatting.

comment:2 Changed 8 years ago by macports-trac-phil@…

Sure thing, sorry. Couldn't see how to change the existing text to fix to use formatting myself as a post-edit, and assumed that since trac asked for the portname, it would look up the relevant CCs automatically and fill it in. I know better now. :)

Thanks for cleaning up after me!

comment:3 in reply to:  2 Changed 8 years ago by larryv (Lawrence Velázquez)

Replying to macports-trac-phil@…:

Sure thing, sorry. Couldn't see how to change the existing text to fix to use formatting myself as a post-edit

I don’t think you can edit after the fact, but you can preview the ticket before submitting.

and assumed that since trac asked for the portname, it would look up the relevant CCs automatically and fill it in.

Yeah, that would be nice, but it’s easier to keep fixing tickets manually than to write a Trac plugin for that >.<

comment:4 in reply to:  description Changed 8 years ago by ryandesign (Ryan Schmidt)

Keywords: haspatch added
Status: newassigned
Summary: curl: missing Secure Transport (darwinssl) supportcurl: add Secure Transport (darwinssl) support

Replying to macports-trac-phil@…:

"This ninth supported SSL library is now called ‘darwinssl’ in the curl code base."

Thanks, I wasn't aware of this option.

Note that the word "conflicts" should appear only once in the variant declaration, e.g. variant darwinssl conflicts ssl gnutls ...

Is there any downside to darwinssl vs the existing ssl and gnutls options? The upside is that it does not have a dependency on another library, so if there is no downside, I might even consider making this the default variant on darwin. Though perhaps we should have it just be optional for awhile to see how it goes.

comment:5 Changed 8 years ago by macports-trac-phil@…

Changing will no longer use any OpenSSL or GnuTLS certificate stores, so existing setups may break if folks haven't merged certs into the Keychain too?

I suspect that changing the default should wait for MacPorts 2.1.4 so that there can be an email notification of the major changes; curl is embedded pretty deeply into many things, as core infrastructure. But then, I'm conservative in these things.

The debug output from libcurl is less informative. Most people won't care. Examples of the differing outputs below (second example is from a non-Mac host). Cipher selection will vary, as might be expected. Oh, bonus, darwinssl actually tells you the TLS protocol used.

* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* Server certificate: sks.spodhuis.org
* Server certificate: GlobNIX Certificate Authority 3

vs

* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* SSL connection using ECDHE-RSA-AES128-SHA256
* Server certificate:
* 	 subject: C=NL; ST=Noord Holland; O=GlobNIX Systems; CN=sks.spodhuis.org; emailAddress=keyserver@spodhuis.org
* 	 start date: 2011-08-10 04:59:54 GMT
* 	 expire date: 2013-05-01 04:59:54 GMT
* 	 subjectAltName: sks.spodhuis.org matched
* 	 issuer: C=US; O=GlobNIX Systems; OU=Certification Authority; CN=GlobNIX Certificate Authority 3; emailAddress=certificates@globnix.org
* 	 SSL certificate verify ok.
Last edited 8 years ago by macports-trac-phil@… (previous) (diff)

comment:6 in reply to:  5 Changed 8 years ago by ryandesign (Ryan Schmidt)

Replying to macports-trac-phil@…:

I suspect that changing the default should wait for MacPorts 2.1.4 so that there can be an email notification of the major changes; curl is embedded pretty deeply into many things, as core infrastructure. But then, I'm conservative in these things.

Changes to individual ports are not part of the MacPorts base release notes. Port changes are not tied to the MacPorts base release schedule.

But I suppose I should be conservative too. I'll just add the variant and let users use it if they want to. It's not like eliminating the openssl dependency would accomplish much; curl is already distributable, and tons of other ports already require openssl so the user is likely to have it installed anyway.

comment:7 in reply to:  5 Changed 8 years ago by larryv (Lawrence Velázquez)

Replying to macports-trac-phil@…:

Changing will no longer use any OpenSSL or GnuTLS certificate stores, so existing setups may break if folks haven't merged certs into the Keychain too?

Wouldn't existing setups already have +ssl or +gnutls selected (unless -ssl was explicitly used)? Changing the default variant shouldn't affect them.

comment:8 in reply to:  2 Changed 8 years ago by cooljeanius (Eric Gallager)

Replying to macports-trac-phil@…:

Sure thing, sorry. Couldn't see how to change the existing text to fix to use formatting myself as a post-edit, and assumed that since trac asked for the portname, it would look up the relevant CCs automatically and fill it in. I know better now. :)

Thanks for cleaning up after me!

This is related to ticket #38095 btw

comment:9 Changed 6 years ago by cooljeanius (Eric Gallager)

Cc: egall@… added

Cc Me!

comment:10 Changed 6 years ago by john@…

Cc: john@… added

Cc Me!

comment:11 Changed 4 years ago by ryandesign (Ryan Schmidt)

Cc: dbevans added
Resolution: fixed
Status: assignedclosed
Note: See TracTickets for help on using tickets.