configure: provide --with-openssl, deprecate --with-ssl

Makes the option more explicit.

Closes #6887
Daniel Stenberg 2021-04-13 18:11:43 +02:00
parent ccaaa534d0
commit 7bdec2a08b
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
8 changed files with 57 additions and 49 deletions


@ -44,11 +44,11 @@ jobs:
macosx-version-min: 10.8 macosx-version-min: 10.8
- name: OpenSSL metalink - name: OpenSSL metalink
install: nghttp2 openssl libmetalink install: nghttp2 openssl libmetalink
configure: --enable-debug --with-ssl=/usr/local/opt/openssl --with-libmetalink configure: --enable-debug --with-openssl=/usr/local/opt/openssl --with-libmetalink
macosx-version-min: 10.9 macosx-version-min: 10.9
- name: LibreSSL metalink - name: LibreSSL metalink
install: nghttp2 libressl libmetalink install: nghttp2 libressl libmetalink
configure: --enable-debug --with-ssl=/usr/local/opt/libressl --with-libmetalink configure: --enable-debug --with-openssl=/usr/local/opt/libressl --with-libmetalink
macosx-version-min: 10.9 macosx-version-min: 10.9
- name: torture - name: torture
install: nghttp2 openssl install: nghttp2 openssl


@ -99,12 +99,12 @@ jobs:
- libbrotli-dev - libbrotli-dev
- libzstd-dev - libzstd-dev
- env: - env:
- T=novalgrind BORINGSSL=yes C="--with-ssl=$HOME/boringssl" LD_LIBRARY_PATH=/home/travis/boringssl/lib:/usr/local/lib - T=novalgrind BORINGSSL=yes C="--with-openssl=$HOME/boringssl" LD_LIBRARY_PATH=/home/travis/boringssl/lib:/usr/local/lib
- OVERRIDE_CC="CC=gcc-8" OVERRIDE_CXX="CXX=g++-8" - OVERRIDE_CC="CC=gcc-8" OVERRIDE_CXX="CXX=g++-8"
before_install: before_install:
- eval "$(gimme stable)"; gimme --list # Install latest Go (for boringssl) - eval "$(gimme stable)"; gimme --list # Install latest Go (for boringssl)
- env: - env:
- T=novalgrind QUICHE="yes" C="--with-ssl=$HOME/quiche/deps/boringssl/src --with-quiche=$HOME/quiche/target/release" LD_LIBRARY_PATH=$HOME/quiche/target/release:/usr/local/lib - T=novalgrind QUICHE="yes" C="--with-openssl=$HOME/quiche/deps/boringssl/src --with-quiche=$HOME/quiche/target/release" LD_LIBRARY_PATH=$HOME/quiche/target/release:/usr/local/lib
- OVERRIDE_CC="CC=gcc-8" OVERRIDE_CXX="CXX=g++-8" - OVERRIDE_CC="CC=gcc-8" OVERRIDE_CXX="CXX=g++-8"
addons: addons:
apt: apt:
@ -135,10 +135,10 @@ jobs:
- libbrotli-dev - libbrotli-dev
- libzstd-dev - libzstd-dev
- env: - env:
- T=novalgrind LIBRESSL=yes C="--with-ssl=$HOME/libressl" LD_LIBRARY_PATH=/home/travis/libressl/lib:/usr/local/lib - T=novalgrind LIBRESSL=yes C="--with-openssl=$HOME/libressl" LD_LIBRARY_PATH=/home/travis/libressl/lib:/usr/local/lib
- OVERRIDE_CC="CC=gcc-8" OVERRIDE_CXX="CXX=g++-8" - OVERRIDE_CC="CC=gcc-8" OVERRIDE_CXX="CXX=g++-8"
- env: - env:
- T=novalgrind NGTCP2=yes C="--with-ssl=$HOME/ngbuild --with-ngtcp2=$HOME/ngbuild --with-nghttp3=$HOME/ngbuild" NOTESTS= - T=novalgrind NGTCP2=yes C="--with-openssl=$HOME/ngbuild --with-ngtcp2=$HOME/ngbuild --with-nghttp3=$HOME/ngbuild" NOTESTS=
- OVERRIDE_CC="CC=gcc-8" OVERRIDE_CXX="CXX=g++-8" - OVERRIDE_CC="CC=gcc-8" OVERRIDE_CXX="CXX=g++-8"
addons: addons:
apt: apt:
@ -181,7 +181,7 @@ jobs:
- libbrotli-dev - libbrotli-dev
- libzstd-dev - libzstd-dev
- env: - env:
- T=debug OPENSSL3="yes" C="--with-ssl=$HOME/openssl3" LD_LIBRARY_PATH=/home/travis/openssl3/lib:/usr/local/lib TFLAGS="https ftps" - T=debug OPENSSL3="yes" C="--with-openssl=$HOME/openssl3" LD_LIBRARY_PATH=/home/travis/openssl3/lib:/usr/local/lib TFLAGS="https ftps"
- OVERRIDE_CC="CC=gcc-8" OVERRIDE_CXX="CXX=g++-8" - OVERRIDE_CC="CC=gcc-8" OVERRIDE_CXX="CXX=g++-8"
addons: addons:
apt: apt:


@ -5,7 +5,7 @@
# | (__| |_| | _ <| |___ # | (__| |_| | _ <| |___
# \___|\___/|_| \_\_____| # \___|\___/|_| \_\_____|
# #
# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. # Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
# #
# This software is licensed as described in the file COPYING, which # This software is licensed as described in the file COPYING, which
# you should have received as part of this distribution. The terms # you should have received as part of this distribution. The terms
@ -25,7 +25,7 @@ all:
make make
ssl: ssl:
./configure --with-ssl ./configure --with-openssl
make make
mingw32: mingw32:
@ -66,7 +66,7 @@ cygwin:
make make
cygwin-ssl: cygwin-ssl:
./configure --with-ssl ./configure --with-openssl
make make
amiga: amiga:


@ -143,7 +143,7 @@ AC_SUBST(PKGADD_VENDOR)
dnl dnl
dnl initialize all the info variables dnl initialize all the info variables
curl_ssl_msg="no (--with-{ssl,gnutls,nss,mbedtls,wolfssl,schannel,secure-transport,mesalink,amissl,bearssl,rustls} )" curl_ssl_msg="no (--with-{openssl,gnutls,nss,mbedtls,wolfssl,schannel,secure-transport,mesalink,amissl,bearssl,rustls} )"
curl_ssh_msg="no (--with-{libssh,libssh2})" curl_ssh_msg="no (--with-{libssh,libssh2})"
curl_zlib_msg="no (--with-zlib)" curl_zlib_msg="no (--with-zlib)"
curl_brotli_msg="no (--with-brotli)" curl_brotli_msg="no (--with-brotli)"
@ -1736,8 +1736,13 @@ OPT_SSL=off
dnl Default to no CA bundle dnl Default to no CA bundle
ca="no" ca="no"
AC_ARG_WITH(ssl,dnl AC_ARG_WITH(ssl,dnl
AS_HELP_STRING([--with-ssl=PATH],[Where to look for OpenSSL, PATH points to the SSL installation (default: /usr/local/ssl); when possible, set the PKG_CONFIG_PATH environment variable instead of using this option]) AS_HELP_STRING([--with-ssl=PATH],[old version of --with-openssl])
AS_HELP_STRING([--without-ssl], [disable OpenSSL]), AS_HELP_STRING([--without-ssl], [old version of --without-openssl]),
OPT_SSL=$withval)
AC_ARG_WITH(openssl,dnl
AS_HELP_STRING([--with-openssl=PATH],[Where to look for OpenSSL, PATH points to the SSL installation (default: /usr/local/ssl); when possible, set the PKG_CONFIG_PATH environment variable instead of using this option])
AS_HELP_STRING([--without-openssl], [disable OpenSSL]),
OPT_SSL=$withval) OPT_SSL=$withval)
if test -z "$ssl_backends" -o "x$OPT_SSL" != xno && if test -z "$ssl_backends" -o "x$OPT_SSL" != xno &&
@ -1773,18 +1778,18 @@ if test -z "$ssl_backends" -o "x$OPT_SSL" != xno &&
case "$OPT_SSL" in case "$OPT_SSL" in
yes) yes)
dnl --with-ssl (without path) used dnl --with-openssl (without path) used
PKGTEST="yes" PKGTEST="yes"
PREFIX_OPENSSL=/usr/local/ssl PREFIX_OPENSSL=/usr/local/ssl
LIB_OPENSSL="$PREFIX_OPENSSL/lib$libsuff" LIB_OPENSSL="$PREFIX_OPENSSL/lib$libsuff"
;; ;;
off) off)
dnl no --with-ssl option given, just check default places dnl no --with-openssl option given, just check default places
PKGTEST="yes" PKGTEST="yes"
PREFIX_OPENSSL= PREFIX_OPENSSL=
;; ;;
*) *)
dnl check the given --with-ssl spot dnl check the given --with-openssl spot
PKGTEST="no" PKGTEST="no"
PREFIX_OPENSSL=$OPT_SSL PREFIX_OPENSSL=$OPT_SSL
@ -1796,11 +1801,11 @@ if test -z "$ssl_backends" -o "x$OPT_SSL" != xno &&
AC_MSG_NOTICE([PKG_CONFIG_LIBDIR will be set to "$OPENSSL_PCDIR"]) AC_MSG_NOTICE([PKG_CONFIG_LIBDIR will be set to "$OPENSSL_PCDIR"])
PKGTEST="yes" PKGTEST="yes"
elif test ! -f "$PREFIX_OPENSSL/include/openssl/ssl.h"; then elif test ! -f "$PREFIX_OPENSSL/include/openssl/ssl.h"; then
AC_MSG_ERROR([$PREFIX_OPENSSL is a bad --with-ssl prefix!]) AC_MSG_ERROR([$PREFIX_OPENSSL is a bad --with-openssl prefix!])
fi fi
dnl in case pkg-config comes up empty, use what we got dnl in case pkg-config comes up empty, use what we got
dnl via --with-ssl dnl via --with-openssl
LIB_OPENSSL="$PREFIX_OPENSSL/lib$libsuff" LIB_OPENSSL="$PREFIX_OPENSSL/lib$libsuff"
if test "$PREFIX_OPENSSL" != "/usr" ; then if test "$PREFIX_OPENSSL" != "/usr" ; then
SSL_LDFLAGS="-L$LIB_OPENSSL" SSL_LDFLAGS="-L$LIB_OPENSSL"
@ -1834,7 +1839,7 @@ if test -z "$ssl_backends" -o "x$OPT_SSL" != xno &&
dnl use the values pkg-config reported. This is here dnl use the values pkg-config reported. This is here
dnl instead of below with CPPFLAGS and LDFLAGS because we only dnl instead of below with CPPFLAGS and LDFLAGS because we only
dnl learn about this via pkg-config. If we only have dnl learn about this via pkg-config. If we only have
dnl the argument to --with-ssl we don't know what dnl the argument to --with-openssl we don't know what
dnl additional libs may be necessary. Hope that we dnl additional libs may be necessary. Hope that we
dnl don't need any. dnl don't need any.
LIBS="$SSL_LIBS $LIBS" LIBS="$SSL_LIBS $LIBS"
@ -1856,8 +1861,9 @@ if test -z "$ssl_backends" -o "x$OPT_SSL" != xno &&
# only set this if pkg-config wasn't used # only set this if pkg-config wasn't used
CPPFLAGS="$CLEANCPPFLAGS -I$PREFIX_OPENSSL/include/openssl -I$PREFIX_OPENSSL/include" CPPFLAGS="$CLEANCPPFLAGS -I$PREFIX_OPENSSL/include/openssl -I$PREFIX_OPENSSL/include"
fi fi
# Linking previously failed, try extra paths from --with-ssl or pkg-config. # Linking previously failed, try extra paths from --with-openssl or
# Use a different function name to avoid reusing the earlier cached result. # pkg-config. Use a different function name to avoid reusing the earlier
# cached result.
AC_CHECK_LIB(crypto, HMAC_Init_ex,[ AC_CHECK_LIB(crypto, HMAC_Init_ex,[
HAVECRYPTO="yes" HAVECRYPTO="yes"
LIBS="-lcrypto $LIBS"], [ LIBS="-lcrypto $LIBS"], [
@ -2051,7 +2057,7 @@ if test X"$OPT_SSL" != Xoff &&
test "$OPENSSL_ENABLED" != "1"; then test "$OPENSSL_ENABLED" != "1"; then
AC_MSG_NOTICE([OPT_SSL: $OPT_SSL]) AC_MSG_NOTICE([OPT_SSL: $OPT_SSL])
AC_MSG_NOTICE([OPENSSL_ENABLED: $OPENSSL_ENABLED]) AC_MSG_NOTICE([OPENSSL_ENABLED: $OPENSSL_ENABLED])
AC_MSG_ERROR([--with-ssl was given but OpenSSL could not be detected]) AC_MSG_ERROR([--with-openssl was given but OpenSSL could not be detected])
fi fi
dnl ********************************************************************** dnl **********************************************************************
@ -2925,7 +2931,7 @@ case "x$OPENSSL_ENABLED$GNUTLS_ENABLED$NSS_ENABLED$MBEDTLS_ENABLED$WOLFSSL_ENABL
in in
x) x)
AC_MSG_WARN([SSL disabled, you will not be able to use HTTPS, FTPS, NTLM and more.]) AC_MSG_WARN([SSL disabled, you will not be able to use HTTPS, FTPS, NTLM and more.])
AC_MSG_WARN([Use --with-ssl, --with-gnutls, --with-wolfssl, --with-mbedtls, --with-nss, --with-schannel, --with-secure-transport, --with-mesalink, --with-amissl or --with-bearssl to address this.]) AC_MSG_WARN([Use --with-openssl, --with-gnutls, --with-wolfssl, --with-mbedtls, --with-nss, --with-schannel, --with-secure-transport, --with-mesalink, --with-amissl, --with-bearssl or --with-rustls to address this.])
;; ;;
x1) x1)
# one SSL backend is enabled # one SSL backend is enabled
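Review bot: The deprecated spelling is accepted silently: the `AC_ARG_WITH(ssl, …)` block only assigns `OPT_SSL=$withval`, so a build script that still passes `--with-ssl` or `--without-ssl` gets no hint that it is using the old option. Because both blocks write the same variable and the `openssl` block runs second, its value replaces the `ssl` one whenever both spellings are given, whatever their order on the command line; a mixed invocation such as `--with-ssl=PATH --without-openssl` would then configure without OpenSSL and, if no other backend is selected, without TLS. I would make the old action announce itself, e.g. `OPT_SSL=$withval; AC_MSG_WARN([--with-ssl is deprecated, use --with-openssl])`, and add a `dnl` comment above the two blocks stating that the later one wins. The CI entries visible in this commit all move to the new spelling, so the alias path appears to have no remaining coverage; keeping one job on `--with-ssl` would catch a regression there.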


@ -65,7 +65,7 @@ Build curl
% git clone https://github.com/curl/curl % git clone https://github.com/curl/curl
% cd curl % cd curl
% ./buildconf % ./buildconf
% LDFLAGS="-Wl,-rpath,<somewhere1>/lib" ./configure --with-ssl=<somewhere1> --with-nghttp3=<somewhere2> --with-ngtcp2=<somewhere3> % LDFLAGS="-Wl,-rpath,<somewhere1>/lib" ./configure --with-openssl=<somewhere1> --with-nghttp3=<somewhere2> --with-ngtcp2=<somewhere3>
% make % make
## Build with GnuTLS ## Build with GnuTLS
@ -105,7 +105,7 @@ Build curl
% git clone https://github.com/curl/curl % git clone https://github.com/curl/curl
% cd curl % cd curl
% ./buildconf % ./buildconf
% ./configure --without-ssl --with-gnutls=<somewhere1> --with-nghttp3=<somewhere2> --with-ngtcp2=<somewhere3> % ./configure --without-openssl --with-gnutls=<somewhere1> --with-nghttp3=<somewhere2> --with-ngtcp2=<somewhere3>
% make % make
# quiche version # quiche version
@ -126,7 +126,7 @@ Build curl:
% git clone https://github.com/curl/curl % git clone https://github.com/curl/curl
% cd curl % cd curl
% ./buildconf % ./buildconf
% ./configure LDFLAGS="-Wl,-rpath,$PWD/../quiche/target/release" --with-ssl=$PWD/../quiche/deps/boringssl/src --with-quiche=$PWD/../quiche/target/release % ./configure LDFLAGS="-Wl,-rpath,$PWD/../quiche/target/release" --with-openssl=$PWD/../quiche/deps/boringssl/src --with-quiche=$PWD/../quiche/target/release
% make % make
## Run ## Run


@ -59,21 +59,21 @@ explicitly told not to. If you have OpenSSL installed in the default search
path for your compiler/linker, you don't need to do anything special. If you path for your compiler/linker, you don't need to do anything special. If you
have OpenSSL installed in `/usr/local/ssl`, you can run configure like: have OpenSSL installed in `/usr/local/ssl`, you can run configure like:
./configure --with-ssl ./configure --with-openssl
If you have OpenSSL installed somewhere else (for example, `/opt/OpenSSL`) and If you have OpenSSL installed somewhere else (for example, `/opt/OpenSSL`) and
you have pkg-config installed, set the pkg-config path first, like this: you have pkg-config installed, set the pkg-config path first, like this:
env PKG_CONFIG_PATH=/opt/OpenSSL/lib/pkgconfig ./configure --with-ssl env PKG_CONFIG_PATH=/opt/OpenSSL/lib/pkgconfig ./configure --with-openssl
Without pkg-config installed, use this: Without pkg-config installed, use this:
./configure --with-ssl=/opt/OpenSSL ./configure --with-openssl=/opt/OpenSSL
If you insist on forcing a build without SSL support, even though you may If you insist on forcing a build without SSL support, even though you may
have OpenSSL installed in your system, you can run configure like this: have OpenSSL installed in your system, you can run configure like this:
./configure --without-ssl ./configure --without-openssl
If you have OpenSSL installed, but with the libraries in one place and the If you have OpenSSL installed, but with the libraries in one place and the
header files somewhere else, you have to set the `LDFLAGS` and `CPPFLAGS` header files somewhere else, you have to set the `LDFLAGS` and `CPPFLAGS`
@ -86,7 +86,7 @@ If you have shared SSL libs installed in a directory where your run-time
linker doesn't find them (which usually causes configure failures), you can linker doesn't find them (which usually causes configure failures), you can
provide this option to gcc to set a hard-coded path to the run-time linker: provide this option to gcc to set a hard-coded path to the run-time linker:
LDFLAGS=-Wl,-R/usr/local/ssl/lib ./configure --with-ssl LDFLAGS=-Wl,-R/usr/local/ssl/lib ./configure --with-openssl
## More Options ## More Options
@ -112,14 +112,14 @@ want to alter it, you can select how to deal with each individual library.
The default OpenSSL configure check will also detect and use BoringSSL or The default OpenSSL configure check will also detect and use BoringSSL or
libressl. libressl.
- GnuTLS: `--without-ssl --with-gnutls`. - GnuTLS: `--without-openssl --with-gnutls`.
- wolfSSL: `--without-ssl --with-wolfssl` - wolfSSL: `--without-openssl --with-wolfssl`
- NSS: `--without-ssl --with-nss` - NSS: `--without-openssl --with-nss`
- mbedTLS: `--without-ssl --with-mbedtls` - mbedTLS: `--without-openssl --with-mbedtls`
- schannel: `--without-ssl --with-schannel` - schannel: `--without-openssl --with-schannel`
- secure transport: `--without-ssl --with-secure-transport` - secure transport: `--without-openssl --with-secure-transport`
- MesaLink: `--without-ssl --with-mesalink` - MesaLink: `--without-openssl --with-mesalink`
- BearSSL: `--without-ssl --with-bearssl` - BearSSL: `--without-openssl --with-bearssl`
# Windows # Windows
@ -267,7 +267,7 @@ Windows you should choose another SSL backend such as OpenSSL.
On modern Apple operating systems, curl can be built to use Apple's SSL/TLS On modern Apple operating systems, curl can be built to use Apple's SSL/TLS
implementation, Secure Transport, instead of OpenSSL. To build with Secure implementation, Secure Transport, instead of OpenSSL. To build with Secure
Transport for SSL/TLS, use the configure option `--with-secure-transport` Transport for SSL/TLS, use the configure option `--with-secure-transport`
or `--with-darwin-ssl`. (It is not necessary to use the option `--without-ssl`.) or `--with-darwin-ssl`. (It is not necessary to use the option `--without-openssl`.)
When Secure Transport is in use, the curl options `--cacert` and `--capath` When Secure Transport is in use, the curl options `--cacert` and `--capath`
and their libcurl equivalents, will be ignored, because Secure Transport uses and their libcurl equivalents, will be ignored, because Secure Transport uses
@ -358,8 +358,8 @@ OpenSSL, follow the OpenSSL build instructions and then install `libssl.a` and
`libcrypto.a` to `$TOOLCHAIN/sysroot/usr/lib` and copy `include/openssl` to `libcrypto.a` to `$TOOLCHAIN/sysroot/usr/lib` and copy `include/openssl` to
`$TOOLCHAIN/sysroot/usr/include`. Now you can build curl for Android using `$TOOLCHAIN/sysroot/usr/include`. Now you can build curl for Android using
OpenSSL like this: OpenSSL like this:
./configure --host aarch64-linux-android --with-pic --disable-shared --with-ssl="$TOOLCHAIN/sysroot/usr" ./configure --host aarch64-linux-android --with-pic --disable-shared --with-openssl="$TOOLCHAIN/sysroot/usr"
Note, however, that you must target at least Android M (API level 23) or `configure` Note, however, that you must target at least Android M (API level 23) or `configure`
won't be able to detect OpenSSL since `stderr` (and the like) weren't defined won't be able to detect OpenSSL since `stderr` (and the like) weren't defined
@ -438,7 +438,7 @@ use, here are some other flags that can reduce the size of the library:
- `--enable-hidden-symbols` (eliminates unneeded symbols in the shared library) - `--enable-hidden-symbols` (eliminates unneeded symbols in the shared library)
- `--without-libidn` (disables support for the libidn DNS library) - `--without-libidn` (disables support for the libidn DNS library)
- `--without-librtmp` (disables support for RTMP) - `--without-librtmp` (disables support for RTMP)
- `--without-ssl` (disables support for SSL/TLS) - `--without-openssl` (disables support for SSL/TLS)
- `--without-zlib` (disables support for on-the-fly decompression) - `--without-zlib` (disables support for on-the-fly decompression)
The GNU compiler and linker have a number of options that can reduce the The GNU compiler and linker have a number of options that can reduce the


@ -112,7 +112,7 @@
13.4 Cache/share OpenSSL contexts 13.4 Cache/share OpenSSL contexts
13.5 Export session ids 13.5 Export session ids
13.6 Provide callback for cert verification 13.6 Provide callback for cert verification
13.7 improve configure --with-ssl 13.7 improve configure --with-openssl
13.8 Support DANE 13.8 Support DANE
13.9 TLS record padding 13.9 TLS record padding
13.10 Support Authority Information Access certificate extension (AIA) 13.10 Support Authority Information Access certificate extension (AIA)
@ -769,10 +769,12 @@
certificate, but this doesn't seem to be exposed in the libcurl APIs. Could certificate, but this doesn't seem to be exposed in the libcurl APIs. Could
it be? There's so much that could be done if it were! it be? There's so much that could be done if it were!
13.7 improve configure --with-ssl 13.7 improve configure --with-openssl
make the configure --with-ssl option first check for OpenSSL, then GnuTLS, Consider making the configure script not guess which TLS library to use (as
then NSS... it makes it harder to purposely select another library than the default).
Maybe require specific TLS library option(s) or an explicit no-TLS-at-all
option.
13.8 Support DANE 13.8 Support DANE


@ -6,7 +6,7 @@
# | (__| |_| | _ <| |___ # | (__| |_| | _ <| |___
# \___|\___/|_| \_\_____| # \___|\___/|_| \_\_____|
# #
# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. # Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
# #
# This software is licensed as described in the file COPYING, which # This software is licensed as described in the file COPYING, which
# you should have received as part of this distribution. The terms # you should have received as part of this distribution. The terms
@ -306,7 +306,7 @@ if (!$desc) {
if (!$confopts) { if (!$confopts) {
if ($infixed < 4) { if ($infixed < 4) {
print "please enter your additional arguments to configure\n"; print "please enter your additional arguments to configure\n";
print "examples: --with-ssl --enable-debug --enable-ipv6 --with-krb4\n"; print "examples: --with-openssl --enable-debug --enable-ipv6\n";
$confopts = <>; $confopts = <>;
chomp $confopts; chomp $confopts;
} }