[curl] Please allow to curl build against LibreSSL (=OpenSSL fork) #42623

Closed
Qriist opened this issue Dec 10, 2024 · 9 comments
Labels
category:port-feature The issue is with a library, which is requesting new capabilities that didn’t exist

Comments


Qriist commented Dec 10, 2024

Is your feature request related to a problem? Please describe.

For a number of reasons, @bagder has begun to ship curl's "default" Windows binaries built against LibreSSL instead of OpenSSL. Please allow vcpkg's curl to build against LibreSSL, as well.

Proposed solution

Please enable building against LibreSSL.

Describe alternatives you've considered

No response

Additional context

Despite being the namesake fork, OpenSSL appears to be falling out of favor with curl development.

While I don't in any way speak for curl, the factors that support this insight are:

  1. Bagder openly blogging about OpenSSL having markedly inferior performance metrics compared to other HTTP3 providers
  2. Bagder's detailed description of OpenSSL's headstrong attitude surrounding its HTTP3 implementation
  3. Curl's aforementioned switch to LibreSSL in their provided binaries.

Qriist added the category:port-feature label Dec 10, 2024

Contributor

dg0yt commented Dec 12, 2024

(Community feedback:)

You can do that already: vcpkg install curl[libressl]

If you do not want multi-ssl, you can try vcpkg install curl[core,libressl]. However, as soon as a reverse dependency wants default features of curl, or explicitly asks for feature ssl, a second ssl backend might be activated as the platform's default choice.

Repeating the points from #42622 (comment):

ATM port curl is built on multi-ssl support, and the incompatibility between HTTP3 and multi-ssl is known to contributors and maintainers.
vcpkg doesn't have good support for alternatives. This includes

  • applying single-ssl with easy choice of the desired ssl backend in port curl,
  • building alternative ssl libs in vcpkg CI when they provide the same (openssl) headers and symbols.
    (Note that vcpkg CI really builds the whole universe of packages for a single install root. Changing the primary ssl lib in vcpkg has a much larger cone of destruction than changing the primary ssl lib in curl only.)

AFAICS a general switch of the default ssl lib is probably too risky due to the impact on existing user projects, apart from the number of changes needed to ports in vcpkg.

Author

Qriist commented Dec 12, 2024

> (Community feedback:)
>
> You can do that already: vcpkg install curl[libressl]
>
> If you do not want multi-ssl, you can try vcpkg install curl[core,libressl]. However, as soon as a reverse dependency wants default features of curl, or explicitly asks for feature ssl, a second ssl backend might be activated as the platform's default choice.

Hi, thanks for your feedback! Respectfully, this does not seem to be the case. When I run vcpkg search curl there is no LibreSSL option.

```
azure-core-cpp[curl]                      Libcurl HTTP transport implementation
cfitsio[curl]                             UseCurl
cocoyaxi[libcurl]                         libcurl with OpenSSL support
configcat[network]                        Use curl for network
cpr                      1.11.1           C++ Requests is a simple wrapper around libcurl inspired by the excellent ...
cpr[ssl]                                  Enable SSL support
curl                     8.11.0#1         A library for transferring data with URLs
curl[brotli]                              brotli support (brotli)
curl[c-ares]                              c-ares support
curl[gnutls]                              SSL support (gnutls)
curl[gsasl]                               GSASL support (libgsasl)
curl[gssapi]                              krb5 support
curl[http2]                               HTTP2 support
curl[idn]                                 Default IDN support
curl[idn2]                                idn2 support (libidn2)
curl[ldap]                                LDAP support
curl[mbedtls]                             SSL support (mbedTLS)
curl[non-http]                            Enables protocols beyond HTTP/HTTPS/HTTP2
curl[openssl]                             SSL support (OpenSSL)
curl[psl]                                 Use psl support (libpsl)
curl[schannel]                            SSL support (Secure Channel)
curl[sectransp]                           SSL support (sectransp)
curl[ssh]                                 SSH support via libssh2
curl[ssl]                                 Default SSL backend
curl[sspi]                                SSPI support
curl[tool]                                Builds curl executable
curl[websockets]                          WebSocket support
curl[winidn]                              WinIDN support
curl[winldap]                             Obsolete. Use feature 'ldap' instead.
curl[winssl]                              Legacy name for schannel
curl[wolfssl]                             SSL support (wolfSSL)
curl[zstd]                                ZStandard support (zstd)
curlcpp                  3.1#1            An object oriented C++ wrapper for CURL (libcurl)
curlpp                   2018-06-15#10    C++ wrapper around libcURL
czmq[curl]                                Build with libcurl
gdal[curl]                                Enable CURL network support
juce[curl]                                Enable CURL support
libcurl-simple-https     2022-02-14       Very simple HTTPS interface built atop libcurl
librdkafka[curl]                          Build with curl
oatpp-curl               1.3.0#1          Oat++ Modern web framework curl module to use libcurl as a RequestExecutor...
poppler[curl]                             curl for poppler
restclient-cpp           2024-01-09       Simple REST client for C++. It wraps libcurl for HTTP requests.
vsgxchange[curl]                          Enable support for reading image and model files from http:// and https://
The result may be outdated. Run `git pull` to get the latest results.
If your port is not listed, please open an issue at and/or consider making a pull request.  -  https://github.com/Microsoft/vcpkg/issues
```

Correspondingly, running vcpkg install curl[core,libressl]:x64-windows immediately fails due to not having that feature.

Before posting this, I did tinker with manually building LibreSSL "upstream" of curl but then curl generally failed to build as soon as any curl feature wanted OpenSSL, even if I didn't explicitly ask for OpenSSL myself. Those components seem to want the OpenSSL rather than being happy with something that's overall OpenSSL-like.

I'm sure there's plenty of configuration options I'm unaware of so I'm open to any suggestions you might have.

Contributor

dg0yt commented Dec 13, 2024

> running vcpkg install curl[core,libressl]:x64-windows immediately fails due to not having that feature.

You are right. I'm sorry for this oversight.

I have to come back to the topics of "alternatives". ATM vcpkg doesn't allow to install the ports openssl and libressl at the same time. That's why port libressl is normally skipped in vcpkg CI. And that's why port libressl was poorly maintained in the past (and maybe still is).

In September I submitted a PR which improved the quality of port libressl, with temporary testing in vcpkg CI, including using libressl (instead of openssl) in curl: #41083. This PR (temporarily) applied a variation of the accepted (but possibly inconvenient) pattern of dealing with alternatives: It (temporarily) turned port openssl into an empty artifact, doing nothing but pulling in libressl via dependency. This is the first commit in the series: 039ec7f (reverted by the last commit).

Basically this is how you can build curl with libressl instead of openssl now: Provide an empty overlay port for openssl which depends on libressl.
https://learn.microsoft.com/vcpkg/concepts/overlay-ports
https://devblogs.microsoft.com/cppblog/using-system-package-manager-dependencies-with-vcpkg/

<path to project>/overlays/openssl/vcpkg.json:

```json
{
  "name": "openssl",
  "version-string": "empty",
  "dependencies": [
    "libressl"
  ]
}
```

<path to project>/overlays/openssl/portfile.cmake:

```cmake
set(VCPKG_POLICY_EMPTY_PACKAGE enabled)
```
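
The overlay from the comment above, written out as a script together with a check of which TLS library the resulting curl reports. This is an added example, not code from the thread or from vcpkg; the function names, the sample banners and the install command in the closing comment are assumptions. Because the overlay keeps the port name openssl, the `curl --version` banner is where the substitution becomes visible.

```shell
#!/bin/sh
# Added example: write the empty "openssl" overlay port and check a curl
# version banner for the TLS library that was actually linked.

# write_overlay DIR: create DIR/openssl/{vcpkg.json,portfile.cmake} as posted above.
write_overlay() {
    mkdir -p "$1/openssl" || return 1
    cat > "$1/openssl/vcpkg.json" <<'EOF'
{
  "name": "openssl",
  "version-string": "empty",
  "dependencies": [
    "libressl"
  ]
}
EOF
    printf 'set(VCPKG_POLICY_EMPTY_PACKAGE enabled)\n' > "$1/openssl/portfile.cmake"
}

# tls_backends BANNER: print the TLS library tokens from the first line of
# `curl --version` output, one per line (parentheses around a token are dropped).
tls_backends() {
    printf '%s\n' "$1" | head -n 1 | tr ' ' '\n' | tr -d '()' |
        grep -iE '^(openssl|libressl|gnutls|mbedtls|wolfssl|schannel)(/|$)'
}

# uses_libressl_not_openssl BANNER: succeed only if LibreSSL is listed and
# OpenSSL is not, i.e. the overlay really replaced the library.
uses_libressl_not_openssl() {
    backends=$(tls_backends "$1")
    printf '%s\n' "$backends" | grep -qi '^libressl' || return 1
    printf '%s\n' "$backends" | grep -qi '^openssl' && return 1
    return 0
}

# Constructed sample banners (not output captured from the thread).
SAMPLE_LIBRESSL='curl 8.11.0 (x86_64-pc-win32) libcurl/8.11.0 LibreSSL/4.0.0 zlib/1.3.1'
SAMPLE_OPENSSL='curl 8.11.0 (x86_64-pc-win32) libcurl/8.11.0 OpenSSL/3.4.0 zlib/1.3.1'

# Assumed manual use (needs vcpkg; the feature list is only an illustration):
#   write_overlay ./overlays
#   vcpkg install "curl[core,openssl,tool]" --overlay-ports=./overlays
#   uses_libressl_not_openssl "$(path/to/curl --version)" && echo "LibreSSL linked"
```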

Author

Qriist commented Dec 14, 2024

> You are right. I'm sorry for this oversight.

All good, happens to the best of us! :)

> In September I submitted a PR [...] This is the first commit in the series: 039ec7f
>
> Basically this is how you can build curl with libressl instead of openssl now:

I appreciate the deep dive. I wasn't able to do more than glance at what you wrote today, but I plan to give it my full attention tomorrow. I shall report back!

Author

Qriist commented Dec 16, 2024

> Basically this is how you can build curl with libressl instead of openssl now: Provide an empty overlay port for openssl which depends on libressl.

I finally got the time to go through what you wrote. Thanks to your excellent explanation I was able to build against LibreSSL on the first attempt with no trouble at all!

Hopefully, this smooth success translates to being easy to include the feature in the curl port.

Contributor

dg0yt commented Dec 17, 2024

🎉
Thanks for the feedback!

Author

Qriist commented Dec 17, 2024

Updating to say, the LibreSSL overlay introduces a major issue where (specifically) WolfSSL doesn't function at all, despite not displaying any build warnings or crashing during run.

Sending any https requests fails with error 35, SSL connect error. Meanwhile, the error buffer contains the following message: SSL_connect failed with error -173: Bad function argument. Presumably, this means the internal API doesn't quite line up as expected while LibreSSL is present.

The other 4 SSLs (GnuTLS/mbedTLS/LibreSSL/Schannel) do work as expected in this configuration.

That said, I've reverted to building with OpenSSL (+the rest) for the time being.

Author

Qriist commented Dec 18, 2024

Since updating vcpkg today, rebuilding with the overlay has not resulted in the WolfSSL issue detailed above. I don't know if the change relates to anything you've pushed or if my local cache was just bugged, but it's now working. I'll take it for now, lol.

Contributor

dg0yt commented Dec 18, 2024

Thanks for posting the updates from the hot tests. Without feedback, it is often difficult to assess relevance and maturity of port features.
