curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

RE: Help regarding integrating Libcurl 8.0.1 with OpenSSL 3.0

From: Daniel Stenberg via curl-library <>
Date: Mon, 15 May 2023 09:33:21 +0200 (CEST)

On Mon, 15 May 2023, Priyanka Chauhan4 via curl-library wrote:

> Is there any specific change required to integrate with Openssl 3.0

No. The source code has been adjusted to work with the provided OpenSSL
version all since 0.9.x. The 3.y.z series is no different to us in this
aspect. We also work with the big known OpenSSL forks like libressl,
BoringSSL, quictls and AWS-LC in a similar fashion.

> I see some functions are not there in openssl 3.0 like MD5_Update

First: That is incorrect. MD5_Update and a bunch of other functions are marked
deprecated and they *can* be hidden from the API, but that's not the default
build from what I understand.

libcurl can also use its own MD5 code if needed.

> openssl v3.0 recommended using high level function like EVP_DigestUpdate and
> other changes related to context, some of the functions are now expecting
> context.

> Such changes we have to take care while integrating. Can you confirm ?

I can confirm that they have added functions and marked functions as
deprecated, sure.

curl inhibits the deprecation warnings because it has not adapted the code to
these OpenSSL ideas, so yes at some future point we might need to update our
OpenSSL using code if they actually go ahead and remove functions we rely on.

Everyone is free to go ahead and do it now if they feel inclined. I personally
have trust issues with OpenSSL and their future directions so I figure it is
better for us (me at least) to not do anything ahead of time based on
speculations of where they might end up.

There are plenty of good alternative libs if OpenSSL falls off the road.

> I'm asking this because in future if there is libcurl upgrade, we need to
> make sure of changes according to openssl 3.0

If OpenSSL breaks backwards compatibility in a future release, then yes curl
will need to adapt to that. Like we have always done. OpenSSL 3 is not adding
anything new to this circle of life.

  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
Received on 2023-05-15