Skip to content

Re-introduce source-built libcurl with BoringSSL on Linux #1860

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 8 commits into
base: main
Choose a base branch
from
Draft

Re-introduce source-built libcurl with BoringSSL on Linux #1860

wants to merge 8 commits into from

Conversation

@bc-lee
Copy link

@bc-lee bc-lee commented Nov 19, 2025
edited
Loading

Motivation

Relying on the system libcurl and OpenSSL on Linux is brittle and can lead to subtle breakages across different distributions and versions.
By switching to a source-built libcurl with BoringSSL on Linux and other Unix-like platforms (excluding macOS), we gain a consistent, controlled, and more secure environment with a reduced attack surface.

Changes

  • Add cmake/FindBoringSSL.cmake to fetch, patch, and build BoringSSL using a pinned URL and SHA.
  • Add cmake/FindOpenSSL.cmake to map BoringSSL’s ssl/crypto targets to OpenSSL::SSL/OpenSSL::Crypto on Unix and to populate curl’s feature checks appropriately.
  • Update cmake/FindLibCURL.cmake to keep VCPKG_DEPENDENCY_EXTERNAL_LIBCURL disabled by default on all platforms, making the embedded libcurl the default for official builds.
  • Harden the embedded libcurl configuration by disabling unused protocols and high-surface features, keeping it focused on HTTP(S) and FTP
  • Add CI validation for Linux builds to ensure that vcpkg binaries do not link against system libcurl/OpenSSL (libcurl.so, libssl.so, libcrypto.so).
  • Remove redundant libcurl4-openssl-dev installation from GitHub Actions workflows and Azure Pipelines Dockerfiles now that the build no longer relies on system libcurl.

@bc-lee
Revert "Revert libcurl. (microsoft#1856)"
6ca5600 
This reverts commit da1f056.
@bc-lee
Add BoringSSL and use it on Linux with source-built libcurl
691ca81 
To avoid issues caused by linking against the system-provided libcurl
on Linux, always use a source-built libcurl.
As part of this change, add BoringSSL as the SSL backend for libcurl
and use it on Linux (and other Unix-like systems except macOS).
Linking static libcurl with either static or system OpenSSL
is neither secure nor reliable across diverse Linux distributions.
@bc-lee
Disable unused protocols and features in embedded libcurl for vcpkg
eb9fbe2 
To reduce the size and attack surface of the embedded libcurl used
in vcpkg, disable unused protocols and features.
@bc-lee
Add validation for vcpkg Linux binary dependencies in CI workflow
849c8d7 
This aims to enhance security and reliability in the build process.
@bc-lee
Remove redundant libcurl4-openssl-dev installation commands
d136ad1
@bc-lee
Restrict BoringSSL package search to non-Apple UNIX systems
80aacb9
@bc-lee
Add system SSL root certificate configuration for curl on Linux
bab3f94 
Since we are not using the system OpenSSL, we need to manually configure
curl to use the system’s SSL root certificates. This is done by setting the
CA file and path based on common locations used by Linux distributions.
@bc-lee
Re-enable FTP support for curl
4bff6a4
BillyONeal
BillyONeal requested changes Nov 19, 2025
View reviewed changes
Copy link
Member

@BillyONeal BillyONeal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This does not obey system TLS root certificate policy.

@bc-lee
Copy link
Author

bc-lee commented Nov 19, 2025

I added curl_set_system_ssl_root_certs on bab3f94, which on Linux:

  • respects SSL_CERT_FILE / SSL_CERT_DIR, and
  • if unset, locates the distro-managed CA bundle in the usual paths (/etc/ssl/certs/ca-certificates.crt, /etc/pki/tls/certs/ca-bundle.crt, etc.).

This means we rely on the same root store the distro’s TLS stack uses (including their update-ca-certificates / update-ca-trust policy) instead of any private CA list compiled into our non-system OpenSSL. On Windows and macOS we continue to rely on Schannel/SecureTransport’s system stores.

If you have a specific mechanism or location you’d like us to use for “system TLS root certificate policy” on Linux, I will adjust the helper accordingly.

@BillyONeal
Copy link
Member

BillyONeal commented Nov 19, 2025

I believe @vicroms was working on using dlopen/dlsym to talk to curl as @ras0219-msft was looking at a stub library instead.

@bc-lee bc-lee marked this pull request as draft November 25, 2025 02:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@BillyONeal BillyONeal BillyONeal requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bc-lee @BillyONeal