
Re: How are folks handling HTTP3 TLS?

From: Ryan Schmidt via curl-distros <curl-distros_at_lists.haxx.se>
Date: Tue, 26 Mar 2024 23:23:43 -0500

On Mar 26, 2024, at 18:27, Daniel Stenberg wrote:
>
> I believe people still use Secure Transport on Apple platforms simply because it removes the need for an external dependency.

Yes that can be a useful reason. Another reason I've heard is better integration with the Keychain. These would be reasons for adding support for Network framework to curl, so that users can continue to enjoy these benefits while also enjoying the latest TLS security and HTTP features.

> Apple themselves ship curl built with libressl on macOS, no idea what they do on their other OSes. In theory Apple can ship curl with HTTP/3 enabled using a recent libressl whenever they like.

macOS shipped with OpenSSL in the beginning. Later Apple switched to LibreSSL built such that it is compatible with OpenSSL. But the use of this OS-provided library was deprecated in 2011. It's so deprecated that the information about its deprecation was removed from Apple documentation in 2018. Here's the last version from before it disappeared:

https://web.archive.org/web/20171219033209/https://developer.apple.com/library/content/documentation/Security/Conceptual/cryptoservices/GeneralPurposeCrypto/GeneralPurposeCrypto.html

Quoting it here:

> OpenSSL
>
> Although OpenSSL is commonly used in the open source community, OpenSSL does not provide a stable API from version to version. For this reason, although OS X provides OpenSSL libraries, the OpenSSL libraries in OS X are deprecated, and OpenSSL has never been provided as part of iOS. Use of the OS X OpenSSL libraries by apps is strongly discouraged.
>
> If your app depends on OpenSSL, you should compile OpenSSL yourself and statically link a known version of OpenSSL into your app. This use of OpenSSL is possible on both OS X and iOS. However, unless you are trying to maintain source compatibility with an existing open source project, you should generally use a different API.
>
> Common Crypto and Security Transforms are the recommended alternatives for general encryption. CFNetwork and Secure Transport are the recommended alternatives for secure communications.

The above recommendation to use Secure Transport is, of course, also out of date now.

Received on 2024-03-27