TLS: remove support for Secure Transport and BearSSL #16677
Closed
+163
−5,036
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
cmdline tool
tests
libcurl API
CI
bagder
force-pushed
the
bagder/rm-non-tls13
branch
from
66c232f to
ca44be0
Compare
|
5000 lines removed. Nice. |
vszakats
added a commit
to vszakats/curl
that referenced
this pull request
Mar 29, 2025
Follow-up to 8adee88 curl#16862 Follow-up to 8b1b5cd curl#16660 Ref: curl#16677
bagder
added a commit
that referenced
this pull request
Apr 5, 2025
These libraries do not support TLS 1.3 and have been marked for removal for over a year. We want to help users select a TLS dependency that is future-proof and reliable, and not supporting TLS 1.3 in 2025 does not infer confidence. Users who build libcurl are likely to be served better and get something more future-proof with a TLS library that supports 1.3. Closes #16677
bagder
force-pushed
the
bagder/rm-non-tls13
branch
from
8e8bea3 to
1951498
Compare
bagder
added a commit
that referenced
this pull request
Apr 7, 2025
These libraries do not support TLS 1.3 and have been marked for removal for over a year. We want to help users select a TLS dependency that is future-proof and reliable, and not supporting TLS 1.3 in 2025 does not infer confidence. Users who build libcurl are likely to be served better and get something more future-proof with a TLS library that supports 1.3. Closes #16677
bagder
force-pushed
the
bagder/rm-non-tls13
branch
from
1951498 to
d8d3974
Compare
|
What is the recommended library for Apple platforms? LibreSSL? |
The situation among OpenSSL and its forks is a little chaotic. There does not seem to be a single given winner but depends on what you need and prefer. Clearly Apple themselves like LibreSSL as that is what they use for curl shipped with macOS. |
bagder
added a commit
that referenced
this pull request
Apr 9, 2025
These libraries do not support TLS 1.3 and have been marked for removal for over a year. We want to help users select a TLS dependency that is future-proof and reliable, and not supporting TLS 1.3 in 2025 does not infer confidence. Users who build libcurl are likely to be served better and get something more future-proof with a TLS library that supports 1.3. Closes #16677
bagder
force-pushed
the
bagder/rm-non-tls13
branch
from
d8d3974 to
068f2c2
Compare
|
Makes sense. FWIW it is possible to use |
|
As the guy that originally wrote the Secure Transport back-end, it had a good run, and I understand why it’s about time for it to go. I wish it would have worked out differently, but Apple must have had their reasons to stop working on it, and there’s nothing I can do about that. 🫡 |
|
In case anyone is wondering, it is possible for libcurl to use Network.framework for TLS while still using BSD sockets internally. However, that’s out of scope for this PR and a non-trivial task. |
bagder
added a commit
that referenced
this pull request
Apr 16, 2025
These libraries do not support TLS 1.3 and have been marked for removal for over a year. We want to help users select a TLS dependency that is future-proof and reliable, and not supporting TLS 1.3 in 2025 does not infer confidence. Users who build libcurl are likely to be served better and get something more future-proof with a TLS library that supports 1.3. Closes #16677
bagder
force-pushed
the
bagder/rm-non-tls13
branch
from
068f2c2 to
d3df1dc
Compare
bagder
added a commit
that referenced
this pull request
Apr 27, 2025
These libraries do not support TLS 1.3 and have been marked for removal for over a year. We want to help users select a TLS dependency that is future-proof and reliable, and not supporting TLS 1.3 in 2025 does not infer confidence. Users who build libcurl are likely to be served better and get something more future-proof with a TLS library that supports 1.3. Closes #16677
bagder
force-pushed
the
bagder/rm-non-tls13
branch
from
d3df1dc to
62c448e
Compare
bagder
added a commit
that referenced
this pull request
May 7, 2025
These libraries do not support TLS 1.3 and have been marked for removal for over a year. We want to help users select a TLS dependency that is future-proof and reliable, and not supporting TLS 1.3 in 2025 does not infer confidence. Users who build libcurl are likely to be served better and get something more future-proof with a TLS library that supports 1.3. Closes #16677
bagder
force-pushed
the
bagder/rm-non-tls13
branch
from
62c448e to
3d19c95
Compare
bagder
added a commit
that referenced
this pull request
May 12, 2025
These libraries do not support TLS 1.3 and have been marked for removal for over a year. We want to help users select a TLS dependency that is future-proof and reliable, and not supporting TLS 1.3 in 2025 does not infer confidence. Users who build libcurl are likely to be served better and get something more future-proof with a TLS library that supports 1.3. Closes #16677
bagder
force-pushed
the
bagder/rm-non-tls13
branch
from
3d19c95 to
7276ffd
Compare
bagder
added a commit
that referenced
this pull request
May 26, 2025
These libraries do not support TLS 1.3 and have been marked for removal for over a year. We want to help users select a TLS dependency that is future-proof and reliable, and not supporting TLS 1.3 in 2025 does not infer confidence. Users who build libcurl are likely to be served better and get something more future-proof with a TLS library that supports 1.3. Closes #16677
bagder
force-pushed
the
bagder/rm-non-tls13
branch
from
7276ffd to
637c43d
Compare
This comment was marked as outdated.
This comment was marked as outdated.
vszakats
reviewed
May 26, 2025
vszakats
reviewed
May 26, 2025
bagder
added a commit
that referenced
this pull request
May 29, 2025
These libraries do not support TLS 1.3 and have been marked for removal for over a year. We want to help users select a TLS dependency that is future-proof and reliable, and not supporting TLS 1.3 in 2025 does not infer confidence. Users who build libcurl are likely to be served better and get something more future-proof with a TLS library that supports 1.3. Closes #16677
bagder
force-pushed
the
bagder/rm-non-tls13
branch
from
6c24bc1 to
baf4cb1
Compare
|
Due to get merged after 8.14.1 has shipped. |
22 tasks
These libraries do not support TLS 1.3 and have been marked for removal for over a year. We want to help users select a TLS dependency that is future-proof and reliable, and not supporting TLS 1.3 in 2025 does not infer confidence. Users who build libcurl are likely to be served better and get something more future-proof with a TLS library that supports 1.3. Closes #16677
bagder
force-pushed
the
bagder/rm-non-tls13
branch
from
baf4cb1 to
0060f16
Compare
vszakats
added a commit
that referenced
this pull request
Jun 14, 2025
denandz
pushed a commit
to denandz/curl
that referenced
this pull request
Jun 21, 2025
These libraries do not support TLS 1.3 and have been marked for removal for over a year. We want to help users select a TLS dependency that is future-proof and reliable, and not supporting TLS 1.3 in 2025 does not infer confidence. Users who build libcurl are likely to be served better and get something more future-proof with a TLS library that supports 1.3. Closes curl#16677
denandz
pushed a commit
to denandz/curl
that referenced
this pull request
Jun 21, 2025
Follow-up to 08a3e8e curl#16677 Closes curl#17582
denandz
pushed a commit
to denandz/curl
that referenced
this pull request
Jun 21, 2025
`CURLOPT_SSL_FALSESTART` / `--false-start`, Secure Transport, BearSSL, GSKit, MesaLink, NSS. Follow-up to 1e2e808 curl#17595 Follow-up to 08a3e8e curl#16677 Closes curl#17605
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
These libraries do not support TLS 1.3 and have been marked for removal for over a year. We want to help users select a TLS dependency that is future-proof and reliable, and not supporting TLS 1.3 in 2025 does not infer confidence. Users who build libcurl are likely to be served better and get something more future-proof with a TLS library that supports 1.3.
Targeted for merge after May 2025.