Bug 1445153

Summary: Switch libcurl back to OpenSSL
Product: [Fedora] Fedora
Reporter: Jan Kurik <jkurik>
Component: Changes Tracking
Assignee: Kamil Dudka <kdudka>
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Version: 27
CC: abokovoy, david.abdurachmanov, dwmw2, hartsjc, kdudka, slaznick
Hardware: Unspecified
OS: Unspecified
Whiteboard: ChangeAcceptedF27, SystemWideChange
Fixed In Version: curl-7.54.0-3.fc27
Last Closed: 2017-11-14 08:57:51 UTC

Description Jan Kurik 2017-04-25 06:47:23 UTC
This is a tracking bug for Change: Switch libcurl back to OpenSSL
For more details, see: https://fedoraproject.org//wiki/Changes/libcurlBackToOpenSSL

libcurl in Fedora currently uses the NSS (Network Security Services) library for TLS and cryptography.  After implementing this change, libcurl will use OpenSSL instead of NSS.

Comment 1 Kamil Dudka 2017-04-25 16:21:47 UTC
I am going to push the initial changes to rawhide on Thursday, April 27th.

Comment 2 Kamil Dudka 2017-04-27 09:37:09 UTC
I have pushed the following commits to curl and python-pycurl:

https://src.fedoraproject.org/cgit/rpms/curl.git/commit/?id=3be7c46f
https://src.fedoraproject.org/cgit/rpms/python-pycurl.git/commit/?id=7f51a765

Comment 3 Alexander Bokovoy 2017-06-28 19:31:01 UTC
Unfortunately, this breaks pretty much the whole of FreeIPA.

Comment 4 Kamil Dudka 2017-06-29 06:59:23 UTC
(In reply to Alexander Bokovoy from comment #3)
> Unfortunately, this breaks pretty much the whole of FreeIPA.

Could you please share technical details with us?

Comment 5 Alexander Bokovoy 2017-06-29 07:16:52 UTC
See bug 1455561 for details. FreeIPA currently stores certificates in NSS databases and uses libcurl for many internal operations, from enrolling clients to requesting certificates from an integrated CA. Inability to operate on NSS databases not only means we are unable to install new FreeIPA masters in Rawhide, it also means we cannot do any reasonable upgrades from F26.

Comment 6 Kamil Dudka 2017-06-29 07:37:22 UTC
Thanks!  This is a known issue included in Upgrade/compatibility impact at https://fedoraproject.org//wiki/Changes/libcurlBackToOpenSSL

Comment 7 Alexander Bokovoy 2017-06-29 08:54:21 UTC
Unfortunately, including it in the wiki page is not going to help. A working FreeIPA deployment is a release criterion for Fedora Server, so it is important to fix the problem.

As of now, we are basically blocked in doing *any* FreeIPA work in Rawhide.

Comment 8 Kamil Dudka 2017-06-29 09:07:35 UTC
(In reply to Alexander Bokovoy from comment #7)
> As of now, we are basically blocked in doing *any* FreeIPA work in Rawhide.

Then I wonder how it could take two months to notice.  Anyway, the wiki page also states who will help to resolve possible breakages caused by this change and I have already notified those people about the FreeIPA breakage.  And no worries, the wiki page also includes a clear contingency plan ;-)

Comment 9 Alexander Bokovoy 2017-06-29 09:13:02 UTC
Because we haven't been using Rawhide. That's simple.

The FreeIPA team was busy for the last half a year stabilizing the FreeIPA 4.5 release. It took so much effort that we missed Fedora 26 deadlines and concentrated on RHEL 7.4 work instead. Now we are starting to bring the same FreeIPA 4.5 to Fedora (with Rawhide) and got broken.

So right now we would like curl to revert this change.

Comment 10 Kamil Dudka 2017-06-29 09:46:18 UTC
(In reply to Alexander Bokovoy from comment #9)
> So right now we would like curl to revert this change.

Reverting the change in rawhide now would prevent other (more busy) developers from noticing breakages caused by this change in their components.  We need to collect more feedback, so that we can make an informed decision later on.

I will create a copr repository with nss-linked libcurl to unblock your team from working on FreeIPA until the compatibility issue is resolved.

Comment 11 Kamil Dudka 2017-06-29 11:20:24 UTC
(In reply to Kamil Dudka from comment #10)
> I will create a copr repository with nss-linked libcurl to unblock your team
> from working on FreeIPA until the compatibility issue is resolved.

https://copr.fedorainfracloud.org/coprs/kdudka/curl-nss/repo/fedora-rawhide/kdudka-curl-nss-fedora-rawhide.repo

Comment 12 David Woodhouse 2017-07-17 09:22:59 UTC
You can use NSS databases from OpenSSL. They're just PKCS#11 tokens. If you have an appropriate p11-kit .module file they'll be present and working just fine.
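
The setup comment 12 describes, as an added example that is not part of the original thread or of the curl, FreeIPA or p11-kit projects' own code: a shell function that writes a p11-kit `.module` file exposing one NSS database as a read-only PKCS#11 token. The function name `write_nss_module`, its arguments and the default module name are hypothetical; it assumes the NSS softokn library is installed as `libsoftokn3.so`.

```shell
#!/bin/sh
# Added example: expose an NSS database to p11-kit consumers by loading
# NSS softokn as a PKCS#11 module. All names here are illustrative.

# usage: write_nss_module <nss-db-dir> <p11-kit-modules-dir> [name]
write_nss_module() {
    nssdb=$1 moddir=$2 name=${3:-nss-softokn}

    # The path is embedded in a single-quoted parameter string below,
    # so a quote in it would corrupt the softokn configuration.
    case $nssdb in
        *\'*) echo "unsupported character in path: $nssdb" >&2; return 1 ;;
    esac

    # NSS has two on-disk formats; the prefix tells softokn which to open.
    if [ -f "$nssdb/cert9.db" ]; then
        prefix=sql      # SQLite format (cert9.db / key4.db)
    elif [ -f "$nssdb/cert8.db" ]; then
        prefix=dbm      # legacy Berkeley DB format (cert8.db / key3.db)
    else
        echo "no NSS database found in $nssdb" >&2
        return 1
    fi

    mkdir -p "$moddir" || return 1
    # x-init-reserved is passed to softokn's C_Initialize as its parameter
    # string; flags=readOnly keeps consumers from modifying the database.
    cat > "$moddir/$name.module" <<EOF
module: libsoftokn3.so
x-init-reserved: configdir='$prefix:$nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags=readOnly
EOF
    chmod 644 "$moddir/$name.module"
    printf '%s\n' "$moddir/$name.module"
}

# Typical call (system-wide p11-kit directory; needs root):
#   write_nss_module /etc/pki/nssdb /etc/pkcs11/modules
# Then confirm the module and its token are visible:
#   p11-kit list-modules
```

The token only appears to applications that load their PKCS#11 modules through p11-kit; private keys in the database remain protected by the NSS database password.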

Comment 13 Jan Kurik 2017-08-15 09:04:32 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.

Comment 14 Standa Laznicka 2017-08-18 12:11:57 UTC
FreeIPA's problem should now be resolved in the project's master branch, which will be a part of its release to F27.

Comment 15 Kamil Dudka 2017-08-18 12:32:30 UTC
Perfect.  Thank you for working on it!

Comment 16 Jan Kurik 2017-09-06 13:38:00 UTC
On 2017-Sep-05 we reached the "Change Checkpoint: 100% Code Complete Deadline" milestone for Fedora 27 release. At this point all the Changes not at least in "ON_QA" state should be brought to FESCo for review. Please update the state of this bug to "ON_QA" if it is already 100% completed. Please let me know in case you have any trouble with the implementation and the Change needs any help or review.

Thanks, Jan

Comment 17 Kamil Dudka 2017-09-06 14:54:09 UTC
Sure, this is 100% complete.  Sorry for not updating the state accordingly.