Bug 1445153 - Switch libcurl back to OpenSSL
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: Changes Tracking
Version: 27
Assignee: Kamil Dudka
Whiteboard: ChangeAcceptedF27, SystemWideChange
Reported: 2017-04-25 06:47 UTC by Jan Kurik
Modified: 2021-06-10 12:14 UTC

Fixed In Version: curl-7.54.0-3.fc27
Last Closed: 2017-11-14 08:57:51 UTC
Links: Red Hat Knowledge Base (Solution) 3390021 (last updated 2018-03-22 16:04:46 UTC)

Description Jan Kurik 2017-04-25 06:47:23 UTC
This is a tracking bug for Change: Switch libcurl back to OpenSSL
For more details, see: https://fedoraproject.org//wiki/Changes/libcurlBackToOpenSSL

libcurl in Fedora currently uses the NSS (Network Security Services) library for TLS and cryptography.  After implementing this change, libcurl will use OpenSSL instead of NSS.

Comment 1 Kamil Dudka 2017-04-25 16:21:47 UTC
I am going to push the initial changes to rawhide on Thursday, April 27th.

Comment 2 Kamil Dudka 2017-04-27 09:37:09 UTC
I have pushed the following commits to curl and python-pycurl:

https://src.fedoraproject.org/cgit/rpms/curl.git/commit/?id=3be7c46f
https://src.fedoraproject.org/cgit/rpms/python-pycurl.git/commit/?id=7f51a765

Comment 3 Alexander Bokovoy 2017-06-28 19:31:01 UTC
Unfortunately, this breaks pretty much the whole of FreeIPA.

Comment 4 Kamil Dudka 2017-06-29 06:59:23 UTC
(In reply to Alexander Bokovoy from comment #3)
> Unfortunately, this breaks pretty much the whole of FreeIPA.

Could you please share technical details with us?

Comment 5 Alexander Bokovoy 2017-06-29 07:16:52 UTC
See bug 1455561 for details. FreeIPA currently stores certificates in NSS databases and uses libcurl for many internal operations, from enrolling clients to requesting certificates from an integrated CA. Inability to operate on NSS databases not only means we are unable to install new FreeIPA masters in Rawhide, it also means we cannot do any reasonable upgrades from F26.
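
An added example, not part of the original thread and not curl or FreeIPA code: a small audit that reads the TLS library from `curl -V` output and shows why a certificate referenced by NSS nickname stops resolving once libcurl is linked against OpenSSL. The version lines, host names and the `Server-Cert` nickname are constructed; the rule that an NSS build treats a `--cert` value without `/` as a database nickname comes from curl's documentation, not from this page.

```python
# Added example: constructed `curl -V` first lines, not captured from real hosts.
SAMPLE_VERSION_LINES = {
    "f26-host": "curl 7.53.1 (x86_64-redhat-linux-gnu) libcurl/7.53.1 "
                "NSS/3.30.2 zlib/1.2.11 libssh2/1.8.0",
    "f27-host": "curl 7.54.0 (x86_64-redhat-linux-gnu) libcurl/7.54.0 "
                "OpenSSL/1.1.0f zlib/1.2.11 libssh2/1.8.0",
    "odd-host": "curl 7.54.0 (x86_64-pc-linux-gnu) libcurl/7.54.0 zlib/1.2.11",
}

KNOWN_BACKENDS = ("NSS", "OpenSSL", "GnuTLS")


def tls_backend(version_line):
    """Return (name, version) of the TLS library in a `curl -V` line, or None."""
    for token in version_line.split():
        name, sep, version = token.partition("/")
        if sep and name in KNOWN_BACKENDS and version:
            return name, version
    return None


def cert_arg_meaning(backend_name, cert_arg):
    """Classify how a client-certificate argument is interpreted by that build."""
    if backend_name == "NSS":
        # NSS-linked curl reads a name without '/' as an NSS database nickname.
        return "file" if "/" in cert_arg else "nss-nickname"
    if backend_name == "OpenSSL":
        # Simplification (assumption): the OpenSSL build expects a file path.
        return "file"
    return "unknown"


def audit(version_lines, cert_arg):
    """Map host -> (backend, meaning, needs_migration) for one certificate argument."""
    report = {}
    for host, line in sorted(version_lines.items()):
        backend = tls_backend(line)
        name = backend[0] if backend else "none"
        meaning = cert_arg_meaning(name, cert_arg)
        # A bare nickname only resolves on NSS builds; elsewhere the certificate
        # must be exported to a file (or reached another way) before use.
        needs_migration = "/" not in cert_arg and meaning != "nss-nickname"
        report[host] = (name, meaning, needs_migration)
    return report


if __name__ == "__main__":
    for host, row in audit(SAMPLE_VERSION_LINES, "Server-Cert").items():
        print(host, *row)
```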

Comment 6 Kamil Dudka 2017-06-29 07:37:22 UTC
Thanks!  This is a known issue included in Upgrade/compatibility impact at https://fedoraproject.org//wiki/Changes/libcurlBackToOpenSSL

Comment 7 Alexander Bokovoy 2017-06-29 08:54:21 UTC
Unfortunately, including it in the wiki page is not going to help. A working FreeIPA deployment is a release criterion for Fedora Server, so it is important to fix the problem.

As of now, we are basically blocked in doing *any* FreeIPA work in Rawhide.

Comment 8 Kamil Dudka 2017-06-29 09:07:35 UTC
(In reply to Alexander Bokovoy from comment #7)
> As of now, we are basically blocked in doing *any* FreeIPA work in Rawhide.

Then I wonder how it could take two months to notice.  Anyway, the wiki page also states who will help to resolve possible breakages caused by this change and I have already notified those people about the FreeIPA breakage.  And no worries, the wiki page also includes a clear contingency plan ;-)

Comment 9 Alexander Bokovoy 2017-06-29 09:13:02 UTC
Because we haven't been using Rawhide. That's simple.

The FreeIPA team was busy for the last half a year stabilizing the FreeIPA 4.5 release. It took so much effort that we missed the Fedora 26 deadlines and concentrated on RHEL 7.4 work instead. Now we are starting to bring the same FreeIPA 4.5 to Fedora (with Rawhide) and got broken.

So right now we would like curl to revert this change.

Comment 10 Kamil Dudka 2017-06-29 09:46:18 UTC
(In reply to Alexander Bokovoy from comment #9)
> So right now we would like curl to revert this change.

Reverting the change in rawhide now would prevent other (more busy) developers from noticing breakages caused by this change in their components.  We need to collect more feedback, so that we can make an informed decision later on.

I will create a copr repository with nss-linked libcurl to unblock your team from working on FreeIPA until the compatibility issue is resolved.

Comment 11 Kamil Dudka 2017-06-29 11:20:24 UTC
(In reply to Kamil Dudka from comment #10)
> I will create a copr repository with nss-linked libcurl to unblock your team
> from working on FreeIPA until the compatibility issue is resolved.

https://copr.fedorainfracloud.org/coprs/kdudka/curl-nss/repo/fedora-rawhide/kdudka-curl-nss-fedora-rawhide.repo

Comment 12 David Woodhouse 2017-07-17 09:22:59 UTC
You can use NSS databases from OpenSSL. They're just PKCS#11 tokens. If you have an appropriate p11-kit .module file they'll be present and working just fine.

Comment 13 Jan Kurik 2017-08-15 09:04:32 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.

Comment 14 Standa Laznicka 2017-08-18 12:11:57 UTC
FreeIPA's problem should now be resolved in the project's master branch which will be a part of its release to F27.

Comment 15 Kamil Dudka 2017-08-18 12:32:30 UTC
Perfect.  Thank you for working on it!

Comment 16 Jan Kurik 2017-09-06 13:38:00 UTC
On 2017-Sep-05 we reached the "Change Checkpoint: 100% Code Complete Deadline" milestone for Fedora 27 release. At this point all the Changes not at least in "ON_QA" state should be brought to FESCo for review. Please update the state of this bug to "ON_QA" if it is already 100% completed. Please let me know in case you have any trouble with the implementation and the Change needs any help or review.

Thanks, Jan

Comment 17 Kamil Dudka 2017-09-06 14:54:09 UTC
Sure, this is 100% complete.  Sorry for not updating the state accordingly.

