This is a tracking bug for Change: Switch libcurl back to OpenSSL
For more details, see: https://fedoraproject.org//wiki/Changes/libcurlBackToOpenSSL
libcurl in Fedora currently uses the NSS (Network Security Services) library for TLS and cryptography. After implementing this change, libcurl will use OpenSSL instead of NSS.
I am going to push the initial changes to rawhide on Thursday, April 27th.
I have pushed the following commits to curl and python-pycurl:
Unfortunately, this breaks pretty much the whole of FreeIPA.
(In reply to Alexander Bokovoy from comment #3)
> Unfortunately, this breaks pretty much the whole of FreeIPA.
Could you please share technical details with us?
See bug 1455561 for details. FreeIPA currently stores certificates in NSS databases and uses libcurl for many internal operations, from enrolling clients to requesting certificates from an integrated CA. Inability to operate on NSS databases not only means we are unable to install new FreeIPA masters in Rawhide, it also means we cannot do any reasonable upgrades from F26.
Thanks! This is a known issue included in Upgrade/compatibility impact at https://fedoraproject.org//wiki/Changes/libcurlBackToOpenSSL
Unfortunately, including it in the wiki page is not going to help. A working FreeIPA deployment is a release criterion for Fedora Server, so it is important to fix the problem.
As of now, we are basically blocked in doing *any* FreeIPA work in Rawhide.
(In reply to Alexander Bokovoy from comment #7)
> As of now, we are basically blocked in doing *any* FreeIPA work in Rawhide.
Then I wonder how it could take two months to notice. Anyway, the wiki page also states who will help to resolve possible breakages caused by this change and I have already notified those people about the FreeIPA breakage. And no worries, the wiki page also includes a clear contingency plan ;-)
Because we haven't been using Rawhide. That's simple.
The FreeIPA team was busy for the last half a year stabilizing the FreeIPA 4.5 release. It took so much effort that we missed the Fedora 26 deadlines and concentrated on RHEL 7.4 work instead. Now we are starting to bring the same FreeIPA 4.5 to Fedora (with Rawhide) and got broken.
So right now we would like curl to revert this change.
(In reply to Alexander Bokovoy from comment #9)
> So right now we would like curl to revert this change.
Reverting the change in rawhide now would prevent other (more busy) developers from noticing breakages caused by this change in their components. We need to collect more feedback, so that we can make an informed decision later on.
I will create a copr repository with nss-linked libcurl to unblock your team from working on FreeIPA until the compatibility issue is resolved.
(In reply to Kamil Dudka from comment #10)
> I will create a copr repository with nss-linked libcurl to unblock your team
> from working on FreeIPA until the compatibility issue is resolved.
You can use NSS databases from OpenSSL. They're just PKCS#11 tokens. If you have an appropriate p11-kit .module file they'll be present and working just fine.
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.
FreeIPA's problem should now be resolved in the project's master branch which will be a part of its release to F27.
Perfect. Thank you for working on it!
On 2017-Sep-05 we reached the "Change Checkpoint: 100% Code Complete Deadline" milestone for the Fedora 27 release. At this point all the Changes not at least in "ON_QA" state should be brought to FESCo for review. Please update the state of this bug to "ON_QA" if it is already 100% completed. Please let me know in case you have any trouble with the implementation and the Change needs any help or review.
Sure, this is 100% complete. Sorry for not updating the state accordingly.