axtls: removed

As has been outlined in the DEPRECATE.md document, the axTLS code has
been disabled for 6 months and is hereby removed.

Use a better supported TLS library!

Assisted-by: Daniel Gustafsson

CMakeLists.txt

@@ -291,7 +291,7 @@ if(WIN32)
 endif()
 
 # check SSL libraries
-# TODO support GNUTLS, NSS, POLARSSL, AXTLS, CYASSL
+# TODO support GNUTLS, NSS, POLARSSL, CYASSL
 
 if(APPLE)
   option(CMAKE_USE_DARWINSSL "enable Apple OS native SSL/TLS" OFF)

configure.ac

@@ -158,7 +158,7 @@ AC_SUBST(PKGADD_VENDOR)
 
 dnl
 dnl initialize all the info variables
-    curl_ssl_msg="no      (--with-{ssl,gnutls,nss,polarssl,mbedtls,cyassl,axtls,winssl,darwinssl,mesalink} )"
+    curl_ssl_msg="no      (--with-{ssl,gnutls,nss,polarssl,mbedtls,cyassl,winssl,darwinssl,mesalink} )"
     curl_ssh_msg="no      (--with-libssh2)"
    curl_zlib_msg="no      (--with-zlib)"
  curl_brotli_msg="no      (--with-brotli)"
@@ -2631,70 +2631,10 @@ if test -z "$ssl_backends" -o "x$OPT_NSS" != xno; then
   test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
 fi
 
-OPT_AXTLS=off
-
-AC_ARG_WITH(axtls,dnl
-AC_HELP_STRING([--with-axtls=PATH],[Where to look for axTLS, PATH points to the axTLS installation prefix (default: /usr/local).  Ignored if another SSL engine is selected.])
-AC_HELP_STRING([--without-axtls], [disable axTLS]),
-  OPT_AXTLS=$withval)
-
-if test -z "$ssl_backends" -o "x$OPT_AXTLS" != xno; then
-  ssl_msg=
-  if test X"$OPT_AXTLS" != Xno; then
-    dnl backup the pre-axtls variables
-    CLEANLDFLAGS="$LDFLAGS"
-    CLEANCPPFLAGS="$CPPFLAGS"
-    CLEANLIBS="$LIBS"
-
-    case "$OPT_AXTLS" in
-    yes)
-      dnl --with-axtls (without path) used
-      PREFIX_AXTLS=/usr/local
-      LIB_AXTLS="$PREFIX_AXTLS/lib"
-      LDFLAGS="$LDFLAGS -L$LIB_AXTLS"
-      CPPFLAGS="$CPPFLAGS -I$PREFIX_AXTLS/include"
-      ;;
-    off)
-      dnl no --with-axtls option given, just check default places
-      PREFIX_AXTLS=
-      ;;
-    *)
-      dnl check the given --with-axtls spot
-      PREFIX_AXTLS=$OPT_AXTLS
-      LIB_AXTLS="$PREFIX_AXTLS/lib"
-      LDFLAGS="$LDFLAGS -L$LIB_AXTLS"
-      CPPFLAGS="$CPPFLAGS -I$PREFIX_AXTLS/include"
-      ;;
-    esac
-
-    AC_CHECK_LIB(axtls, ssl_version,[
-      LIBS="-laxtls $LIBS"
-      AC_DEFINE(USE_AXTLS, 1, [if axTLS is enabled])
-      AC_SUBST(USE_AXTLS, [1])
-      AXTLS_ENABLED=1
-      check_for_ca_bundle=1
-      USE_AXTLS="yes"
-      ssl_msg="axTLS"
-      test axtls != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
-
-      if test "x$cross_compiling" != "xyes"; then
-        CURL_LIBRARY_PATH="$CURL_LIBRARY_PATH:$LIB_AXTLS"
-        export CURL_LIBRARY_PATH
-        AC_MSG_NOTICE([Added $LIB_AXTLS to CURL_LIBRARY_PATH])
-      fi
-      ],[
-      LDFLAGS="$CLEANLDFLAGS"
-      CPPFLAGS="$CLEANCPPFLAGS"
-      LIBS="$CLEANLIBS"
-    ])
-  fi
-  test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
-fi
-
-case "x$OPENSSL_ENABLED$GNUTLS_ENABLED$NSS_ENABLED$POLARSSL_ENABLED$MBEDTLS_ENABLED$AXTLS_ENABLED$CYASSL_ENABLED$WINSSL_ENABLED$DARWINSSL_ENABLED$MESALINK_ENABLED" in
+case "x$OPENSSL_ENABLED$GNUTLS_ENABLED$NSS_ENABLED$POLARSSL_ENABLED$MBEDTLS_ENABLED$CYASSL_ENABLED$WINSSL_ENABLED$DARWINSSL_ENABLED$MESALINK_ENABLED" in
 x)
   AC_MSG_WARN([SSL disabled, you will not be able to use HTTPS, FTPS, NTLM and more.])
-  AC_MSG_WARN([Use --with-ssl, --with-gnutls, --with-polarssl, --with-cyassl, --with-nss, --with-axtls, --with-winssl, --with-darwinssl, or --with-mesalink to address this.])
+  AC_MSG_WARN([Use --with-ssl, --with-gnutls, --with-polarssl, --with-cyassl, --with-nss, --with-winssl, --with-darwinssl, or --with-mesalink to address this.])
   ;;
 x1)
   # one SSL backend is enabled
@@ -3122,8 +3062,6 @@ AC_HELP_STRING([--disable-versioned-symbols], [Disable versioned symbols in shar
           versioned_symbols_flavour="POLARSSL_"
         elif test "x$CYASSL_ENABLED" = "x1"; then
           versioned_symbols_flavour="CYASSL_"
-        elif test "x$AXTLS_ENABLED" = "x1"; then
-          versioned_symbols_flavour="AXTLS_"
         elif test "x$WINSSL_ENABLED" = "x1"; then
           versioned_symbols_flavour="WINSSL_"
         elif test "x$DARWINSSL_ENABLED" = "x1"; then

docs/DEPRECATE.md

@@ -5,32 +5,6 @@ email the curl-library mailing list as soon as possible and explain to us why
 this is a problem for you and how your use case can't be satisfied properly
 using a work around.
 
-## axTLS backend
-
-Here are some complaints on axTLS.
-
- - home page without HTTPS
- - [doesn't support modern TLS features like SNI](https://github.com/dsheets/axtls/issues/2)
- - [lacks support for modern ciphers](https://github.com/micropython/micropython/issues/3198)
- - [doesn't allow for outside bug report submissions](https://sourceforge.net/p/axtls/bugs/)
- - there's virtually no discussion about it in its [forum](https://sourceforge.net/p/axtls/discussion/)
-   nor [mailing list](https://sourceforge.net/p/axtls/mailman/axtls-general/)
-
-Combined, this list hints that this is not a library and project we should
-recommend to users.
-
-### State
-
-Since June 1st, 2018 (curl 7.61.0) axTLS support is disabled in code and
-requires a small code change to build without errors. [See
-PR](https://github.com/curl/curl/pull/2628)
-
-### Removal
-
-Remove all axTLS related code from curl on December 1st, exactly six months
-after previously mentioned commit. To be shipped on December 26, 2018
-(possibly called version 7.64.0)
-
 ## HTTP pipelining
 
 HTTP pipelining is badly supported by curl in the sense that we have bugs and

docs/FAQ

@@ -447,7 +447,7 @@ FAQ
   backends.
 
   curl can be built to use one of the following SSL alternatives: OpenSSL,
-  GnuTLS, yassl, NSS, PolarSSL, axTLS, Secure Transport (native iOS/OS X),
+  GnuTLS, yassl, NSS, PolarSSL, MesaLink, Secure Transport (native iOS/OS X),
   WinSSL (native Windows) or GSKit (native IBM i). They all have their pros
   and cons, and we try to maintain a comparison of them here:
   https://curl.haxx.se/docs/ssl-compared.html

docs/FEATURES

@@ -183,8 +183,7 @@ IMAPS (*1)
 FOOTNOTES
 =========
 
-  *1 = requires OpenSSL, GnuTLS, NSS, yassl, axTLS, PolarSSL, WinSSL (native
-       Windows), Secure Transport (native iOS/OS X) or GSKit (native IBM i)
+  *1 = requires a TLS library
   *2 = requires OpenLDAP or WinLDAP
   *3 = requires a GSS-API implementation (such as Heimdal or MIT Kerberos) or
        SSPI (native Windows)
@@ -197,8 +196,7 @@ FOOTNOTES
   *8 = requires libssh2
   *9 = requires OpenSSL, GnuTLS, mbedTLS, NSS, yassl, Secure Transport or SSPI
        (native Windows)
-  *10 = requires any of the SSL libraries in (*1) above other than axTLS, which
-        does not support SSLv3
+  *10 = requires an SSL library that supports SSLv3
   *11 = requires libidn or Windows
   *12 = requires libz
   *13 = requires libmetalink, and either an Apple or Microsoft operating

docs/INSTALL.md

@@ -105,7 +105,6 @@ libressl.
  - NSS: `--without-ssl --with-nss`
  - PolarSSL: `--without-ssl --with-polarssl`
  - mbedTLS: `--without-ssl --with-mbedtls`
- - axTLS: `--without-ssl --with-axtls`
  - schannel: `--without-ssl --with-winssl`
  - secure transport: `--without-ssl --with-darwinssl`
  - MesaLink: `--without-ssl --with-mesalink`

docs/INTERNALS.md

@@ -88,7 +88,6 @@ Dependencies
  - MIT Kerberos 1.2.4
  - GSKit        V5R3M0
  - NSS          3.14.x
- - axTLS        2.1.0
  - PolarSSL     1.3.0
  - Heimdal      ?
  - nghttp2      1.0.0

docs/LICENSE-MIXING.md

@@ -57,10 +57,6 @@ not have the announcement clause that collides with GPL.
  different obligations. You should select the license that best meets your
  needs.
 
-## axTLS
-
- (May be used for SSL/TLS support) Uses a Modified BSD-style license.
-
 ## mbedTLS
 
  (May be used for SSL/TLS support) Uses the [Apache 2.0

docs/examples/Makefile.netware

@@ -27,11 +27,6 @@ ifndef LIBSSH2_PATH
 LIBSSH2_PATH = ../../../libssh2-1.5.0
 endif
 
-# Edit the path below to point to the base of your axTLS package.
-ifndef AXTLS_PATH
-AXTLS_PATH = ../../../axTLS-1.2.7
-endif
-
 # Edit the path below to point to the base of your libidn package.
 ifndef LIBIDN_PATH
 LIBIDN_PATH = ../../../libidn-1.32
@@ -197,14 +192,9 @@ WITH_SSH2 = 1
 WITH_SSL = 1
 WITH_ZLIB = 1
 endif
-ifeq ($(findstring -axtls,$(CFG)),-axtls)
-WITH_AXTLS = 1
-WITH_SSL =
-else
 ifeq ($(findstring -ssl,$(CFG)),-ssl)
 WITH_SSL = 1
 endif
-endif
 ifeq ($(findstring -zlib,$(CFG)),-zlib)
 WITH_ZLIB = 1
 endif
@@ -245,15 +235,6 @@ ifdef WITH_SSL
   LDLIBS += $(OPENSSL_PATH)/out_nw_$(LIBARCH_L)/crypto.$(LIBEXT)
   IMPORTS += GetProcessSwitchCount RunningProcess
 else
-ifdef WITH_AXTLS
-  INCLUDES += -I$(AXTLS_PATH)/inc
-ifdef LINK_STATIC
-  LDLIBS += $(AXTLS_PATH)/lib/libaxtls.$(LIBEXT)
-else
-  MODULES += libaxtls.nlm
-  IMPORTS += $(AXTLS_PATH)/lib/libaxtls.imp
-endif
-endif
 endif
 ifdef WITH_ZLIB
   # INCLUDES += -I$(ZLIB_PATH)

docs/libcurl/curl_global_sslset.3

@@ -41,7 +41,7 @@ typedef enum {
   CURLSSLBACKEND_WOLFSSL = 7,
   CURLSSLBACKEND_SCHANNEL = 8,
   CURLSSLBACKEND_DARWINSSL = 9,
-  CURLSSLBACKEND_AXTLS = 10,
+  CURLSSLBACKEND_AXTLS = 10, /* deprecated */
   CURLSSLBACKEND_MBEDTLS = 11,
   CURLSSLBACKEND_MESALINK = 12
 } curl_sslbackend;

docs/libcurl/libcurl-thread.3

@@ -60,8 +60,6 @@ thread-safe already without anything required.
 Required actions unknown.
 .IP yassl
 Required actions unknown.
-.IP axTLS
-Required actions unknown.
 .IP Secure-Transport
 The engine is used by libcurl in a way that is fully thread-safe.
 .IP WinSSL

docs/libcurl/opts/CURLINFO_TLS_SSL_PTR.3

@@ -54,7 +54,7 @@ struct curl_tlssessioninfo {
 
 The \fIbackend\fP struct member is one of the defines in the CURLSSLBACKEND_*
 series: CURLSSLBACKEND_NONE (when built without TLS support),
-CURLSSLBACKEND_AXTLS, CURLSSLBACKEND_CYASSL, CURLSSLBACKEND_DARWINSSL,
+CURLSSLBACKEND_CYASSL, CURLSSLBACKEND_DARWINSSL,
 CURLSSLBACKEND_GNUTLS, CURLSSLBACKEND_GSKIT, CURLSSLBACKEND_MBEDTLS,
 CURLSSLBACKEND_NSS, CURLSSLBACKEND_OPENSSL, CURLSSLBACKEND_POLARSSL,
 CURLSSLBACKEND_SCHANNEL or CURLSSLBACKEND_MESALINK. (Note that the OpenSSL
@@ -77,8 +77,6 @@ CURLINFO_TLS_SSL_PTR: SSL *
 Since 7.48.0 the \fIinternals\fP member can point to these other SSL backends
 as well:
 .RS
-.IP axTLS
-SSL *
 .IP mbedTLS
 mbedtls_ssl_context *
 .IP PolarSSL

docs/libcurl/opts/CURLOPT_PROXY_SSLVERSION.3

@@ -5,7 +5,7 @@
 .\" *                            | (__| |_| |  _ <| |___
 .\" *                             \___|\___/|_| \_\_____|
 .\" *
-.\" * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2016, 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
 .\" *
 .\" * This software is licensed as described in the file COPYING, which
 .\" * you should have received as part of this distribution. The terms
@@ -50,7 +50,7 @@ TLSv1.3
 The maximum TLS version can be set by using \fIone\fP of the
 CURL_SSLVERSION_MAX_ macros below. It is also possible to OR \fIone\fP of the
 CURL_SSLVERSION_ macros with \fIone\fP of the CURL_SSLVERSION_MAX_ macros.
-The MAX macros are not supported for SSL backends axTLS or wolfSSL.
+The MAX macros are not supported for WolfSSL.
 .RS
 .IP CURL_SSLVERSION_MAX_DEFAULT
 The flag defines the maximum supported TLS version as TLSv1.2, or the default

docs/libcurl/opts/CURLOPT_SSLVERSION.3

@@ -59,7 +59,7 @@ TLS v1.3 or later (Added in 7.52.0)
 The maximum TLS version can be set by using \fIone\fP of the
 CURL_SSLVERSION_MAX_ macros below. It is also possible to OR \fIone\fP of the
 CURL_SSLVERSION_ macros with \fIone\fP of the CURL_SSLVERSION_MAX_ macros.
-The MAX macros are not supported for SSL backends axTLS or wolfSSL.
+The MAX macros are not supported for WolfSSL.
 .RS
 .IP CURL_SSLVERSION_MAX_DEFAULT
 The flag defines the maximum supported TLS version by libcurl, or the default

docs/libcurl/symbols-in-versions

@@ -700,7 +700,7 @@ CURLSSH_AUTH_KEYBOARD           7.16.1
 CURLSSH_AUTH_NONE               7.16.1
 CURLSSH_AUTH_PASSWORD           7.16.1
 CURLSSH_AUTH_PUBLICKEY          7.16.1
-CURLSSLBACKEND_AXTLS            7.38.0
+CURLSSLBACKEND_AXTLS            7.38.0       7.61.0
 CURLSSLBACKEND_BORINGSSL        7.49.0
 CURLSSLBACKEND_CYASSL           7.34.0
 CURLSSLBACKEND_DARWINSSL        7.34.0

include/curl/curl.h

@@ -145,7 +145,7 @@ typedef enum {
   CURLSSLBACKEND_WOLFSSL = 7,
   CURLSSLBACKEND_SCHANNEL = 8,
   CURLSSLBACKEND_DARWINSSL = 9,
-  CURLSSLBACKEND_AXTLS = 10,
+  CURLSSLBACKEND_AXTLS = 10, /* never used since 7.63.0 */
   CURLSSLBACKEND_MBEDTLS = 11,
   CURLSSLBACKEND_MESALINK = 12
 } curl_sslbackend;

lib/Makefile.inc

@@ -28,12 +28,12 @@ LIB_VAUTH_CFILES = vauth/vauth.c vauth/cleartext.c vauth/cram.c         \
 LIB_VAUTH_HFILES = vauth/vauth.h vauth/digest.h vauth/ntlm.h
 
 LIB_VTLS_CFILES = vtls/openssl.c vtls/gtls.c vtls/vtls.c vtls/nss.c     \
-  vtls/polarssl.c vtls/polarssl_threadlock.c vtls/axtls.c               \
+  vtls/polarssl.c vtls/polarssl_threadlock.c                            \
   vtls/cyassl.c vtls/schannel.c vtls/schannel_verify.c                  \
   vtls/darwinssl.c vtls/gskit.c vtls/mbedtls.c vtls/mesalink.c
 
 LIB_VTLS_HFILES = vtls/openssl.h vtls/vtls.h vtls/gtls.h                \
-  vtls/nssg.h vtls/polarssl.h vtls/polarssl_threadlock.h vtls/axtls.h   \
+  vtls/nssg.h vtls/polarssl.h vtls/polarssl_threadlock.h                \
   vtls/cyassl.h vtls/schannel.h vtls/darwinssl.h vtls/gskit.h           \
   vtls/mbedtls.h vtls/mesalink.h
 

lib/Makefile.netware

@@ -6,7 +6,7 @@
 #                             \___|\___/|_| \_\_____|
 #
 # Copyright (C) 2004 - 2015, Guenter Knauf
-# Copyright (C) 2001 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+# Copyright (C) 2001 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
 #
 # This software is licensed as described in the file COPYING, which
 # you should have received as part of this distribution. The terms
@@ -49,11 +49,6 @@ ifndef LIBSSH2_PATH
 LIBSSH2_PATH = ../../libssh2-1.5.0
 endif
 
-# Edit the path below to point to the base of your axTLS package.
-ifndef AXTLS_PATH
-AXTLS_PATH = ../../axTLS-1.2.7
-endif
-
 # Edit the path below to point to the base of your libidn package.
 ifndef LIBIDN_PATH
 LIBIDN_PATH = ../../libidn-1.18
@@ -230,10 +225,6 @@ WITH_SSH2 = 1
 WITH_SSL = 1
 WITH_ZLIB = 1
 endif
-ifeq ($(findstring -axtls,$(CFG)),-axtls)
-WITH_AXTLS = 1
-WITH_SSL =
-else
 ifeq ($(findstring -ssl,$(CFG)),-ssl)
 WITH_SSL = 1
 ifeq ($(findstring -srp,$(CFG)),-srp)
@@ -242,7 +233,6 @@ WITH_SRP = 1
 endif
 endif
 endif
-endif
 ifeq ($(findstring -zlib,$(CFG)),-zlib)
 WITH_ZLIB = 1
 endif
@@ -280,16 +270,6 @@ ifdef WITH_SSL
   IMPORTS += GetProcessSwitchCount RunningProcess
   INSTDEP += ca-bundle.crt
 else
-ifdef WITH_AXTLS
-  INCLUDES += -I$(AXTLS_PATH)/inc
-  ifdef LINK_STATIC
-    LDLIBS += $(AXTLS_PATH)/lib/libaxtls.$(LIBEXT)
-  else
-    MODULES += libaxtls.nlm
-    IMPORTS += $(AXTLS_PATH)/lib/libaxtls.imp
-  endif
-  INSTDEP += ca-bundle.crt
-endif
 endif
 ifdef WITH_ZLIB
   INCLUDES += -I$(ZLIB_PATH)
@@ -672,9 +652,6 @@ ifdef WITH_SPNEGO
 	@echo $(DL)#define HAVE_SPNEGO 1$(DL) >> $@
 endif
 else
-ifdef WITH_AXTLS
-	@echo $(DL)#define USE_AXTLS 1$(DL) >> $@
-endif
 endif
 ifdef WITH_SSH2
 	@echo $(DL)#define USE_LIBSSH2 1$(DL) >> $@