Add docu hint regarding OpenSSL provider support · Issue #16474 · curl/curl · GitHub
Add docu hint regarding OpenSSL provider support #16474


Closed
JustAnotherSwCoderAndTester opened this issue Feb 25, 2025 · 5 comments

Comments

@JustAnotherSwCoderAndTester

curl has support for OpenSSL engines, which are deprecated starting from OpenSSL 3. Regarding support for OpenSSL providers, I could not find much except one thread on the mailing list: https://curl.se/mail/lib-2021-10/0018.html

Actually, we dropped curl from our project because this meant no TPM 2.0 support (we wanted to move away from the deprecated engine since the rest of our tooling works with providers).

Now I realized that curl has implicit TPM support via providers, with the appropriate OpenSSL config file. Specifying key and cert in the curl call allows using a TPM-protected X.509 certificate for mTLS. I think it would be worth mentioning this somewhere in the docs. I found a hint by accident in an application note of my TPM manufacturer.

curl --key /path/to/key.tss --cert /path/to/cert.crt https://my-server.com/download/url

Prepending TSS2_LOG=esys+trace allows some TSS tracing messages that verify operation.

# Top-level pointer; without it OpenSSL does not read [openssl_init] at all.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
# The key is the provider name OpenSSL loads (assumed here: "tpm2", the
# tpm2-openssl provider); the value names the section that configures it.
tpm2 = tpm2provider_sect

[default_sect]
activate = 1

[tpm2provider_sect]
activate = 1

Note that this should be applicable to any provider.
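The procedure described in the comment above (activate the default provider plus a second provider in an OpenSSL 3 config, then hand curl a provider-decoded key) as a complete script. This is an added example, not code from the curl project or from the issue author; it also covers the later remark in this thread that providers usually need the default provider alongside them. Assumptions: the extra provider is tpm2-openssl with provider name "tpm2", the module path /usr/lib/ossl-modules/tpm2.so is a placeholder, and the key, cert and URL are the placeholders from the issue.

```shell
#!/bin/sh
# Added example, not code from the curl project or from the issue author.
# Generates the complete OpenSSL 3 config the issue sketches (default provider
# plus one extra provider) and wraps the curl call from the issue.
# Assumptions: the extra provider is tpm2-openssl, whose provider name is
# "tpm2"; the module path, key, cert and URL below are placeholders.

# write_provider_conf OUT_FILE PROVIDER [MODULE_PATH]
# The fragment in the issue omits the top-level "openssl_conf = openssl_init"
# line; without it OpenSSL never reads [openssl_init], so no provider is
# activated and a provider-specific key (e.g. TSS2 PEM) fails to decode.
write_provider_conf() {
    out="$1"; prov="$2"; module="${3:-}"
    {
        printf 'openssl_conf = openssl_init\n\n'
        printf '[openssl_init]\nproviders = provider_sect\n\n'
        # Each key under [provider_sect] is a provider name. Keep "default":
        # most providers only supply keys/signatures and rely on the default
        # provider for the rest of the TLS handshake.
        printf '[provider_sect]\ndefault = default_sect\n%s = %s_sect\n\n' "$prov" "$prov"
        printf '[default_sect]\nactivate = 1\n\n'
        printf '[%s_sect]\nactivate = 1\n' "$prov"
        # "module" is only needed when the .so lives outside OpenSSL's MODULESDIR.
        if [ -n "$module" ]; then
            printf 'module = %s\n' "$module"
        fi
    } > "$out"
}

# check_provider_conf CONF PROVIDER: succeed only if CONF is wired up end to
# end: top-level pointer present, default provider kept, PROVIDER listed, and
# both provider sections activated.
check_provider_conf() {
    conf="$1"; prov="$2"
    grep -q '^openssl_conf = openssl_init$' "$conf" &&
    grep -q '^default = default_sect$' "$conf" &&
    grep -q "^$prov = ${prov}_sect$" "$conf" &&
    [ "$(grep -c '^activate = 1$' "$conf")" -eq 2 ]
}

# curl_with_provider CONF KEY CERT URL: the curl call from the issue, with the
# generated config selected via OPENSSL_CONF and TSS tracing enabled.
curl_with_provider() {
    OPENSSL_CONF="$1" TSS2_LOG=esys+trace \
        curl --key "$2" --cert "$3" "$4"
}

# Demo: generate and validate the config, print it, then show the curl call.
if [ "${1:-}" = "demo" ]; then
    conf="$(mktemp)"
    write_provider_conf "$conf" tpm2 /usr/lib/ossl-modules/tpm2.so
    check_provider_conf "$conf" tpm2 && cat "$conf"
    # Real run (needs curl built against OpenSSL 3, tpm2-openssl, and a key
    # in TSS2 PEM format; all assumed, none checked here):
    # curl_with_provider "$conf" /path/to/key.tss /path/to/cert.crt https://my-server.com/download/url
fi
```

Run `sh script.sh demo` to see the generated file. Selecting the config through OPENSSL_CONF for the single curl invocation keeps the provider list out of the system-wide openssl.cnf, so other OpenSSL-linked tools on the host are unaffected; the check function exists because a config that silently activates only the extra provider, or none at all, produces a confusing decoder error from curl rather than a clear message.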

@Monochrome-debug

I'm making a pull request for that right now

@JustAnotherSwCoderAndTester

Thank you, I will add comments there with the info so that we can improve the docs together. Then we can close this issue here.

@Monochrome-debug

By the way, what is the key.tss file and the cert.crt file for?

@bagder
bagder commented Apr 28, 2025

Abandoned

@bagder bagder closed this as completed Apr 28, 2025
@JustAnotherSwCoderAndTester

Actually, I have addressed your last comments in https://github.com/curl/curl/pull/16679

But if there is now support for providers, closing is fine. I only wonder whether that's enough, since you can load a single provider with the PR https://github.com/curl/curl/pull/17165. Providers often require the default provider in addition to work together, and some property query string. The design in the background is very different from engines. So I think mentioning that you can use an OpenSSL config file with a more complex provider config would still be useful.
