On Aug 22, 2025, at 06:19, Daniel Stenberg wrote:
>
> On Fri, 22 Aug 2025, Ryan Carsten Schmidt wrote:
>
>>> As a short-term work around, it is possible to use the LibreSSL shipped by
>>> Apple to get the feature, but I don't consider that a very good or reliable
>>> solution.
>> Why? What's bad or unreliable about it?
>
> Two reasons really:
>
> 1. Because Apple doesn't seem to enable this easily, it seems shaky to depend
> on and risks them changing things subtly that breaks a build.

You're referring to Apple not providing the headers and stub libraries? I agree that's unfortunate. But I will try to use the repository with the missing files posted by Jeroen. (Thanks!)

> 2. The list of things LibreSSL doesn't do or doesn't support, that all the
> other OpenSSL already do, seems to be growing almost daily these days.
> Independent of it being the one Apple ships or not.

Which curl features don't work with libressl?

>> I thought your justification for removing Secure Transport support was that
>> support for native certificates via Apple's libressl was available.
>
> The justification for removing Secure Transport is that it doesn't support
> TLS 1.3 and it never will.

Yes, I understand that was the reason why you wanted to remove the feature. But every time it was proposed on this mailing list, it was brought up that this removes the capability to access keychain certificates. My recollection is that you countered that Apple's libressl can also access keychain certificates and that Apple's curl uses that libressl thus demonstrating that support for Secure Transport is no longer needed and at least implying that third-party builds of curl could achieve the same thing by using Apple's libressl. Now that you've removed support for Secure Transport you're changing the messaging and saying not to use Apple libressl. At least that is the impression I get.

>> If not that, what should we be doing instead?
>
> We should add support for using the native CA store on macOS to other
> backends.

If wolfssl already supports it and it can be added to other backends, that's great. Perhaps you mentioned wolfssl support in the previous discussions and I overlooked it.