On 04/05/2017 09:59 AM, Colin Walters wrote: I'll second this: it looks like libnghttp2 does not pull in any dependencies that wouldn't already be part of any minimal install (just glibc and ld) and its filesystem space is only about 150k uncompressed. It's probably reasonable to keep this in our minimal set for the HTTP2 functionality.

On Wednesday, April 05, 2017 17:09:34 Jan Kurik wrote: I have prepared a draft of the change proposal. Could you please have a look? https://fedoraproject.org/wiki/Changes/libcurlBackToOpenSSL Thanks in advance! Kamil wrote: > > On 04/05/2017 09:59 AM, Colin Walters wrote: > >> On Wed, Apr 5, 2017, at 09:52 AM, Kamil Dudka wrote: > >>> In order to make even smaller Fedora base images, it was proposed to > >>> switch > >>> libcurl back to OpenSSL. The Fedora Crypto Consolidation project, which > >>> motivated the switch of libcurl from OpenSSL to NSS ten years ago, is > >>> now > >>> deprecated and libcurl is the only package that pulls NSS as its > >>> dependency > >>> into the Fedora base image. Hence, by switching libcurl back to > >>> OpenSSL, we could create Fedora base image that contains fewer crypto > >>> libraries inside.>> > >> Makes sense to me - from the Atomic Host perspective, we are switching > >> ostree to use libcurl, since libdnf already does (and librepo hard > >> depends > >> on OpenSSL, even though libcurl used NSS). > >> > >>> Additional proposal that would help to reduce the size of base image is > >>> the > >>> libcurl-minimal subpackage, which can be installed installed as a > >>> lightweight replacement of the libcurl package, with smaller size and > >>> fewer dependencies.>> > >> I'm in agreement with this except: > >> > >> # configure minimal build > >> ... > >> > >> --without-nghttp2 > >> > >> I'd really prefer to keep HTTP2 available by default - it can be > >> dramatically better. > > > > I'll second this: it looks like libnghttp2 does not pull in any > > dependencies that wouldn't already be part of any minimal install (just > > glibc and ld) and its filesystem space is only about 150k uncompressed. > > > > It's probably reasonable to keep this in our minimal set for the HTTP2 > > functionality. > > > > > > _______________________________________________ > > devel mailing list -- devel(a)lists.fedoraproject.org > > To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org

On Thursday, April 06, 2017 15:00:31 Jan Kurik wrote: Clarified via https://fedoraproject.org/w/index.php?title=Changes%2FlibcurlBackToOpenSS... Thanks for review! Kamil > Thanks, > Jan

On Thu, Apr 6, 2017 at 3:47 PM, Stephen Gallagher <sgallagh(a)redhat.com&gt; wrote: Thanks Kamil. Looks good IMO. Kamil, please consider the impact on other packages as Stephen suggesting. Once you feel it is ready to go through the process, please switch the category to "ChangeReadyForWrangler" and I will take the next steps in the process. Regards, Jan -- Jan Kuřík Platform & Fedora Program Manager Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic

On Wednesday, April 05, 2017 10:33:11 Stephen Gallagher wrote: Thanks for the suggestion! I have implemented it in my private branch: http://pkgs.fedoraproject.org/cgit/rpms/curl.git/commit/?id=e8208d3e ... and scheduled a new Copr build with the change included. Anyway, do not overestimate the power of HTTP/2. It will not transparently bring you better transfers for free. You can speak HTTP/2 even while using the curl tool but it is mainly useful for testing. If you want to take the advantage of the HTTP/2 features, you need to use the multi API of libcurl and your software built on top of libcurl needs to be aware of the HTTP/2 protocol. Moreover, the throughput of HTTP/2 can be much lower compared to HTTP/1 if you are communicating over IP network with some packet loss. I would suggest to watch the following talks by Daniel Stenberg to obtain realistic expectations about the HTTP/2 support in libcurl and the HTTP/2 protocol in general: https://thomas.glanzmann.de/curl-meet-2017/2017-03-19_03_Daniel_Stenberg_... https://thomas.glanzmann.de/curl-meet-2017/2017-03-19_08_Daniel_Stenberg_... Kamil

On Wednesday, April 05, 2017 11:38:35 Colin Walters wrote: I cannot see CURLOPT_PIPEWAIT or CURLMOPT_PIPELINING options in your code. They are needed if you want to take advantage of the core HTTP/2 features. Otherwise you can slightly benefit from the compressed HTTP headers but you are not using the HTTP/2 pipelining/multiplexing. I would suggest to have a look at the http2-download.c example: https://github.com/curl/curl/blob/curl-7_53_0/docs/examples/http2-download.c Kamil

On Wednesday, April 05, 2017 18:28:53 Dusty Mabe wrote: Looks good! Kamil > Thanks for your suggestion! > > Dusty

On ke, 05 huhti 2017, Kamil Dudka wrote: It is unclear at which timeframe you want to implement this. I'm concerned with FreeIPA because we use libcurl internally and we are not yet migrated to OpenSSL fully (definitely not yet in F26). We also need to look at what happens with certmonger. -- / Alexander Bokovoy

Hello, Kamil. On Wednesday, 05 April 2017 at 15:52, Kamil Dudka wrote: Please open a system wide change request for F27 for this, as this affects a couple hundred of packages, including some on the critical path. https://fedoraproject.org/wiki/Changes/Policy#Complex_system_wide_changes This is a good move to reduce the dependencies in my opinion, but as seen elsewhere in this thread, it needs to be thoroughly tested. Regards, Dominik -- Fedora http://fedoraproject.org/wiki/User:Rathann RPMFusion http://rpmfusion.org "Faith manages." -- Delenn to Lennier in Babylon 5:"Confessions and Lamentations"

On Thu, Apr 06, 2017 at 05:50:16PM +0200, Miroslav Lichvar wrote: I don't think that's necessarily a great predictor of future results. However, going from two different things to just one will _definitely_ result in fewer future CVES which impact the base. There is this: https://www.openssl.org/blog/blog/2017/03/22/license/ -- Matthew Miller <mattdm(a)fedoraproject.org&gt; Fedora Project Leader

On Thu, 2017-04-06 at 12:57 -0400, Stephen Gallagher wrote: Which doesn't really help as they're moving to a different but still GPL-incompatible licence. Grr :) That would seem to resolve it, sure :)

I would like to make you aware that the certificate validation of openssl isn't as complete as in NSS. For example, NSS is able to handle the blacklisted/distrusted CAs, which have been published by Mozilla, and are being made available as part of the ca- certificates package, while I believe openssl isn't. In addition, a few CA distrust mechanisms have been implemented at the NSS code level, and no equivalent mechanisms are currently being implemented at the openssl level [1]. As a consequence of the switch to openssl, software that currently uses libcurl would lose these additional trust checks when doing certificate validation for SSL/TLS connections. Kai [1] https://wiki.mozilla.org/CA:Root_Store_Trust_Mods

On Thu, 2017-04-06 at 09:29 -0700, Adam Williamson wrote: The ca-certificates package indeed produces two versions of the PEM format files, one as a simple list of CAs, and another version that uses the BEGIN TRUSTED CERTIFICATE file format, which includes the distrust flags. A couple of year ago, I had filed a bug to request that the openssl library default is switched to make use of this advanced format: https://bugzilla.redhat.com/show_bug.cgi?id=873373 However, that bug is still in NEW state, so I guess it depends on the individual applications, if they use the list that includes distrust information. Which one is libcurl using? Even if you switch that to the distrust list, you still don't get the partial distrust, which may be implemented at the NSS code level (such as date based distrust for StartCom/WoSign roots, and the domain constraints for some CA). Kai

On Fri, 2017-04-07 at 10:38 +0200, Kamil Dudka wrote: This file doesn't contain the distrust flags. The correct file would be /etc/pki/tls/certs/ca-bundle.trust.crt I currently don't know of a public test site that uses a blacklisted certificate. As long as libcurl/openssl doesn't load the right file, we don't need to test. When you're able to switch openssl to use the correct one, I can help to create a test for that. The intention was to say, that additional distrust rules might get implemented at the NSS code level in the future. NSS does implement them, see the places where the wiki page mentions NSS: https://wiki.mozilla.org/CA:Root_Store_Trust_Mods Kai

On Fri, 2017-04-07 at 11:54 +0200, Kamil Dudka wrote: Why do you mentioned a need to fix curl-nss? The regular approach for NSS applications is to load the NSS libnssckbi.so (now the drop-in replacement p11-kit-trust.so), which provides all trust and distrust information in a format that NSS can handle. How does curl-nss load the CA trust list? If curl-nss doesn't load libnssckbi.so/p11-kit-trust.so but rather loads a simple PEM file, then today's curl-nss doesn't use distrust information. Kai

On Friday, April 07, 2017 13:45:48 Kamil Dudka wrote: Sorry. Copy-paste error. I meant /etc/pki/tls/certs/ca-bundle.crt of course. Kamil > > If curl-nss doesn't load libnssckbi.so/p11-kit-trust.so but rather loads a > > simple PEM file, then today's curl-nss doesn't use distrust information. > > Exactly. It sounds like there is still some room for improvement. > > Kamil > > > Kai

On Friday, April 07, 2017 18:46:33 Kai Engert wrote: Thanks! I can confirm it works as expected if I load p11-kit-trust.so instead of using nss-pem to load the CA bundle from file. However, it might be not so easy to switch curl to use it because the trust is global. If we make libcurl load/unload the whole module per connection, it will hardly work as expected in case we run multiple handshakes in parallel. Anyway, I guess we should move this discussion to some curl- or nss-related channel... Kamil > Kai

On 04/10/2017 03:52 PM, Kai Engert wrote: I think OpenSSL is committed to fix their library initialization issues. This would mean that the application is free to use OpenSSL in any way it sees fit, while using libcurl at the same time. My understanding is that this is not the case with NSS. libcurl's use of NSS and what the application does with NSS would be tightly coupled if libcurl uses NSS. Sometimes, this is desirable, but often, it is not. Thanks, Florian

On Thursday, April 13, 2017 10:45:13 David Woodhouse wrote: It was not my decision to be honest. Nevertheless, one objective reason could be that libcurl already loads OpenSSL libraries transitively as a dependency of libssh2. So after switching libcurl to OpenSSL, only one crypto library will be sufficient for curl at run time. Kamil

On Mon, Apr 10, 2017 at 03:52:32PM +0200, Kai Engert wrote: Space saving is nice, but that's not the real issue. It's a given that all security libraries will have critical and urgent vulnerabilities sometime in the future. By reducing the number of libraries in use in the base system, we reduce the surface area. This is particularly important where we have cascading artifacts built on a base — if the bottom changes, there's a lot of churn. -- Matthew Miller <mattdm(a)fedoraproject.org&gt; Fedora Project Leader