On Fri, 22 Aug 2025, Ryan Carsten Schmidt via curl-library wrote:

> Which curl features don't work with libressl?

Now I wish we had a list created for this purpose (as me and Viktor have discussed in the past), but there's a whole slew. And not only "curl features", LibreSSL is generally behind in general TLS features. All the other OpenSSL forks tend to support more features earlier.

SSLKEYLOGFILE, ECH and early data are three distinct features I can think of right now that are missing.

> But every time it was proposed on this mailing list, it was brought up that this removes the capability to access keychain certificates.

Yes. But since that is something that can be provided for other backends it was never a blocker for removing Secure Transport.

> My recollection is that you countered that Apple's libressl can also access keychain certificates and that Apple's curl uses that libressl thus demonstrating that support for Secure Transport is no longer needed and at least implying that third-party builds of curl could achieve the same thing by using Apple's libressl.

That's not how I recall the events, but I don't think it matters.

> Now that you've removed support for Secure Transport you're changing the messaging and saying not to use Apple libressl. At least that is the impression I get.

I don't think I have ever suggested using LibreSSL to be a good long-term solution. For any platform. The LibreSSL solution works on macOS as a work-around but is fragile.

I will admit that I thought that someone who cared enough about using the native CA store on macOS would also care enough to work on the implementation for another TLS backend, but clearly I was wrong. I still believe that over time someone will take pity and do what's needed for this.

> If wolfssl already supports it and it can be added to other backends, that's great. Perhaps you mentioned wolfssl support in the previous discussions and I overlooked it.

I have mentioned it before, and the PR I linked to the other day also contains the necessary pieces to make this feature reality.

--

 / daniel.haxx.se || https://rock-solid.curl.dev