From Fedora Project Wiki
(Release Notes)
m (Benefit to Fedora: typo fix: cpryto -> crypto)
 
Line 37: Line 37:
  
 
== Benefit to Fedora ==
 
== Benefit to Fedora ==
Smaller base image, fewer cpryto libraries inside.
+
Smaller base image, fewer crypto libraries inside.
+
 
 
 
 
== Scope ==
 
== Scope ==
 
* Proposal owners: kdudka (will push the following patch: https://src.fedoraproject.org/cgit/rpms/curl.git/commit/?id=7c3b67bb and rebuild curl)
 
* Proposal owners: kdudka (will push the following patch: https://src.fedoraproject.org/cgit/rpms/curl.git/commit/?id=7c3b67bb and rebuild curl)

Latest revision as of 12:21, 4 November 2017

Switch libcurl back to OpenSSL

Summary

libcurl in Fedora currently uses the NSS (Network Security Services) library for TLS and cryptography. After implementing this change, libcurl will use OpenSSL instead of NSS.

Owner

  • Name: Kamil Dudka
  • Email: kdudka@redhat.com
  • Release notes owner: N/A
  • FESCo shepherd: N/A
  • Product: Fedora
  • Responsible WG: kdudka


Current status

  • Targeted release: Fedora 27
  • Last updated: 2017-11-04
  • Tracker bug: #1445153

Detailed Description

In order to make even smaller Fedora base images, it was proposed to switch libcurl back to OpenSSL. The Fedora Crypto Consolidation project, which motivated the switch of libcurl from OpenSSL to NSS ten years ago, is now deprecated and libcurl is the only package that pulls NSS as its dependency into the Fedora base image. Hence, by switching libcurl back to OpenSSL, we could create Fedora base image that contains fewer crypto libraries inside.


Benefit to Fedora

Smaller base image, fewer crypto libraries inside.

Scope

  • Proposal owners: kdudka (will push the following patch: https://src.fedoraproject.org/cgit/rpms/curl.git/commit/?id=7c3b67bb and rebuild curl)
  • Other developers: psabata, ignatenko, sgallagh (will help to resolve possible breakages caused by the patch)
  • Release engineering: No action from release engineering is needed for this change (libcurl ABI is kept).
  • Policies and guidelines: unaffected
  • Trademark approval: not needed

Upgrade/compatibility impact

  • Firefox certificate database can no longer be used by (lib)curl-based applications.
  • Existing certificate databases need to be dumped to files to be used by (lib)curl.

How To Test

All direct and indirect dependencies of libcurl (including 3rd party SW) should be tested. No special HW is needed, assuming that OpenSSL itself is tested.

User Experience

See Upgrade/compatibility impact above.

Dependencies

dnf, librepo, systemd, git, etc.

Contingency Plan

  • Contingency mechanism: switch libcurl back to NSS
  • Contingency deadline: Fedora 27 Alpha freeze
  • Blocks release? No.
  • Blocks product? No.

Documentation

Downstream only change. Upstream supports both the libraries.

Release Notes

libcurl will use OpenSSL for TLS and crypto (instead of NSS). TLS certificates and keys stored in NSS database need to be exported to files for libcurl to be able to load them.