On Fri, 14 Feb 2025 16:59:18 +0000 ca...@allfreemail.net wrote:
> My understanding, based on the NEWS entry, is that the only reason for this
> switch is to enable HTTP/3 support in curl.

Correct,

> OpenSSL, as currently packaged in debian unstable, does have HTTP/3 support as
> well, which makes the stated rationale for using gnutls over openssl no longer
> valid.

Since 8.12.1-1, libcurl4t64 is built with OpenSSL's HTTP/3 support, although the
curl CLI is still using the GnuTLS libcurl.

OpenSSL's support for HTTP/3 is not great, as you can see at
https://curl.se/mail/lib-2025-01/0008.html:

> The OpenSSL QUIC backend has some distinct drawbacks:
>
> Upload speed: ngtcp2 is 2-4x faster.
>
> Memory use: in some tests, OpenSSL uses 25x the amount of memory.

And curl still calls its support "experimental".

> I would therefore like to ask you to consider switching back to building
> against openssl instead of gnutls, just like it is currently done in debian
> stable (bookworm).

We, the curl maintainers, will make a decision on what we want to ship by the
soft freeze [0], which is on 2025-04-15. It's still possible to change back to
OpenSSL after that date, but it means a serious-enough issue has to be reported.

> The main reason for this is that switching to gnutls introduces compatibility
> issues with current uses of curl in debian stable, sometimes subtle (different
> ordering of TLS parameters leading to different behavior on the server, in some
> cases leading to breakage)

I'm not aware of any bug reports about this, can you link them here?

> sometimes not so subtle (getting an error when using
> the --ciphers option for curl, "Warning: ignoring --ciphers, not supported by
> libcurl with GnuTLS/3.8").

This was fixed in 8.13.0~rc2-1.

> In the interest of preserving compatibility with the uses of curl on debian
> stable (bookworm) and next debian stable (trixie), curl should again be built
> against openssl instead of gnutls,

The move to GnuTLS is a decision we don't take lightly, I am acknowledging the
risk of unseen regressions, especially behavior issues which are not bugs per se.

It should be made clear that this change only affects the curl CLI, no changes
were done to the libcurl packages, so dependencies are still free to choose
which TLS backend to use.

We have been providing the GnuTLS curl CLI in stable-backports, testing and
unstable since July 2024 (~8 months ago), and so far we have been able to
resolve all issues reported.

The best arguments to switch back to OpenSSL will be in the form of bug reports,
so please help us test it and report any issues (even if it's a behavior change
that can break your use case).

> or alternatively another good reason should be provided for building against
> gnutls (because the http/3 point is now moot).

Check my comment above about OpenSSL's HTTP/3 support and performance, this is
not a valid argument due to that.

[0] https://release.debian.org/trixie/freeze_policy.html

Cheers,

-- 
Samuel Henrique <samueloph>
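A small check script, added here as an example and not taken from the thread or from the Debian curl package, that reads `curl -V` output to report which TLS backend the CLI was built against and whether HTTP3 is listed as a feature, and flags the quoted "ignoring --ciphers" warning in captured stderr. The `curl -V` text and the warning line embedded below are constructed samples; on a machine with curl installed the script inspects the real binary instead.

```sh
#!/bin/sh
# Constructed sample of `curl -V` output for a curl CLI linked against a
# GnuTLS libcurl (illustrative only, not output from any specific package).
SAMPLE_CURL_V='curl 8.12.1 (x86_64-pc-linux-gnu) libcurl/8.12.1 GnuTLS/3.8.9 zlib/1.3.1 nghttp2/1.64.0 ngtcp2/1.9.1 nghttp3/1.6.0 OpenLDAP/2.6.9
Release-Date: 2025-02-13
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Largefile libz NTLM PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd'

# Constructed sample of the stderr line the thread quotes for --ciphers.
SAMPLE_WARNING='Warning: ignoring --ciphers, not supported by libcurl with GnuTLS/3.8'

# Print the TLS backend named on the first line of `curl -V` output (stdin),
# e.g. "GnuTLS" or "OpenSSL"; prints nothing if no known backend is listed.
tls_backend() {
    sed -n '1p' | tr ' ' '\n' \
        | grep -E '^(OpenSSL|GnuTLS|wolfSSL|mbedTLS|rustls|LibreSSL|BoringSSL|quictls)/' \
        | head -n 1 | cut -d/ -f1
}

# Return 0 if FEATURE (e.g. HTTP3) appears on the Features: line of stdin.
has_feature() {
    grep -E '^Features:' | tr ' ' '\n' | grep -qx "$1"
}

# Return 0 if captured curl stderr (stdin) shows that the requested
# --ciphers list was dropped, which means the connection did not use it.
ciphers_ignored() {
    grep -q 'ignoring --ciphers'
}

# Summarise backend and HTTP/3 availability for one `curl -V` text.
report() {
    backend=$(printf '%s\n' "$1" | tls_backend)
    if printf '%s\n' "$1" | has_feature HTTP3; then h3=yes; else h3=no; fi
    printf 'TLS backend: %s, HTTP3: %s\n' "${backend:-unknown}" "$h3"
}

# Inspect the installed curl when present, otherwise the constructed sample.
if command -v curl >/dev/null 2>&1; then
    report "$(curl -V)"
else
    report "$SAMPLE_CURL_V"
fi
```

To check a real invocation for the warning, pipe its stderr into `ciphers_ignored` (for example `curl --ciphers ... URL 2>&1 >/dev/null | ciphers_ignored`).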