[Buildroot] [PATCH] libcurl: Allow selection of TLS package libcurl will use

Peter Korsgaard peter at korsgaard.com
Thu Nov 8 21:33:16 UTC 2018


>>>>> "Trent" == Trent Piepho <tpiepho at impinj.com> writes:

 > Instead of defaulting to OpenSSL, allow selection of package to use
 > through a choice in libcurl's config.  The default will be to select the
 > first enabled TLS provider in the same preference order as is used now,
 > i.e. no change from current behavior.

 > Some of the alternative libraries have advantages over OpenSSL in
 > certain areas.

 > For example, gnutls has vastly superior PKCS11 support.  One can use
 > client TLS private keys by supplying a PKCS11 URI instead of a private
 > key file name.  The TLS server cert trust store can be a PKCS11 URI,
 > e.g. configure libcurl with a ca-bundle of "pkcs11:model=p11-kit-trust".
 > Now server certs can be stored in a software and/or hardware HSM(s).
 > This doesn't work with OpenSSL.

 > However, some software only supports OpenSSL for TLS or other crypto
 > functions.  So it might be necessary to enable OpenSSL for that reason.

Ok, nice description.

 > Signed-off-by: Trent Piepho <tpiepho at impinj.com>
 > ---
 >  package/libcurl/Config.in  | 28 ++++++++++++++++++++++++++++
 >  package/libcurl/libcurl.mk | 15 ++++++++-------
 >  2 files changed, 36 insertions(+), 7 deletions(-)

 > diff --git a/package/libcurl/Config.in b/package/libcurl/Config.in
 > index 21c2ee2b7f..0b2334beb9 100644
 > --- a/package/libcurl/Config.in
 > +++ b/package/libcurl/Config.in
 > @@ -19,4 +19,32 @@ config BR2_PACKAGE_LIBCURL_VERBOSE
 >  	help
 >  	  Enable verbose text strings
 
 > +choice
 > +	prompt "SSL/TLS library to use"
 > +	default BR2_PACKAGE_LIBCURL_OPENSSL if BR2_PACKAGE_OPENSSL
 > +	default BR2_PACKAGE_LIBCURL_GNUTLS if BR2_PACKAGE_GNUTLS
 > +	default BR2_PACKAGE_LIBCURL_LIBNSS if BR2_PACKAGE_LIBNSS
 > +	default BR2_PACKAGE_LIBCURL_MBEDTLS if BR2_PACKAGE_MBEDTLS

kconfig defaults to the first available option, so these default .. if
.. can be removed.

> +
 > +config BR2_PACKAGE_LIBCURL_OPENSSL
 > +	bool "OpenSSL"
 > +	depends on BR2_PACKAGE_OPENSSL
 > +
 > +config BR2_PACKAGE_LIBCURL_GNUTLS
 > +	bool "GnuTLS"
 > +	depends on BR2_PACKAGE_GNUTLS
 > +
 > +config BR2_PACKAGE_LIBCURL_LIBNSS
 > +	bool "NSS"
 > +	depends on BR2_PACKAGE_LIBNSS
 > +
 > +config BR2_PACKAGE_LIBCURL_MBEDTLS
 > +	bool "mbed TLS"
 > +	depends on BR2_PACKAGE_MBEDTLS
 > +
 > +config BR2_PACKAGE_LIBCURL_NOSSL
 > +	bool "No SSL/TLS support"

Is there really a use case for building curl without TLS support if one
or more of the libraries are available? If not, then I would simply make
the choice depend on openssl || gnutls || libnss || mbedtls and drop
this nossl option.

-- 
Bye, Peter Korsgaard


More information about the buildroot mailing list