From Fedora Project Wiki
(→‎Scope: update per
Line 79: Line 79:
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
<!-- The Wrangler announces the Change to the devel-announce list and changes the category to Category:ChangeAnnounced (no action required) -->
<!-- After review, the Wrangler will move your page to Category:ChangeReadyForFesco... if it still needs more work it will move back to Category:ChangePageIncomplete-->
<!-- Select proper category, default is Self Contained Change -->
<!-- [[Category:SystemWideChange]] -->

Revision as of 14:40, 6 April 2017

Switch libcurl back to OpenSSL


libcurl in Fedora currently uses the NSS (Network Security Services) library for TLS and cryptography. After implementing this change, libcurl will use OpenSSL instead of NSS.


  • Name: Kamil Dudka
  • Email:
  • Release notes owner: N/A
  • FESCo shepherd: N/A
  • Product: Fedora
  • Responsible WG: kdudka

Current status

  • Targeted release: Fedora 27
  • Last updated: 2017-04-06
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

In order to make even smaller Fedora base images, it was proposed to switch libcurl back to OpenSSL. The Fedora Crypto Consolidation project, which motivated the switch of libcurl from OpenSSL to NSS ten years ago, is now deprecated and libcurl is the only package that pulls NSS as its dependency into the Fedora base image. Hence, by switching libcurl back to OpenSSL, we could create Fedora base image that contains fewer crypto libraries inside.

Benefit to Fedora

Smaller base image, fewer cpryto libraries inside.


  • Proposal owners: kdudka (will push the following patch: and rebuild curl)
  • Other developers: psabata, ignatenko, sgallagh (will help to resolve possible breakages caused by the patch)
  • Release engineering: No action from release engineering is needed for this change (libcurl ABI is kept).
  • Policies and guidelines: unaffected
  • Trademark approval: not needed

Upgrade/compatibility impact

  • Firefox certificate database can no longer be used by (lib)curl-based applications.
  • Existing certificate databases need to be dumped to files to be used by (lib)curl.

How To Test

All direct and indirect dependencies of libcurl (including 3rd party SW) should be tested. No special HW is needed, assuming that OpenSSL itself is tested.

User Experience

See Upgrade/compatibility impact above.


dnf, librepo, systemd, git, etc.

Contingency Plan

  • Contingency mechanism: switch libcurl back to NSS
  • Contingency deadline: Fedora 27 Alpha freeze
  • Blocks release? No.
  • Blocks product? No.


Downstream only change. Upstream supports both the libraries.

Release Notes