Opened 12 years ago
Closed 8 years ago
#38369 closed enhancement (fixed)
curl: add Secure Transport (darwinssl) support
Reported by: | macports-trac-phil@… | Owned by: | ryandesign (Ryan Carsten Schmidt) |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | ports | Version: | 2.1.3 |
Keywords: | haspatch | Cc: | cooljeanius (Eric Gallager), john@…, dbevans (David B. Evans) |
Port: | curl |
Description (last modified by larryv (Lawrence Velázquez))
Per http://daniel.haxx.se/blog/2012/06/28/darwin-native-ssl-for-curl/ the curl project has supported using Apple's native Secure Transport facility for SSL since 7.27.0; we're currently on 7.29.0.
With Secure Transport, the system keychain is used for trust anchors; this is sufficient benefit that I think it worth supporting a third SSL-related build variant.
"This ninth supported SSL library is now called ‘darwinssl’ in the curl code base." -- on this basis, I called the variant in the attached patch "darwinssl"; this is my first upstream contribution for MacPorts and I'm not aware of how to constrain this option to be available only on darwin, given that the port declares it is also appropriate for FreeBSD. I'm using curl built this way now.
```
% port installed curl
The following ports are currently installed:
  curl @7.29.0_0+ares+darwinssl (active)
  curl @7.29.0_0+ares+sftp_scp+ssl
% curl --version
curl 7.29.0 (x86_64-apple-darwin12.2.1) libcurl/7.29.0 SecureTransport zlib/1.2.7 c-ares/1.7.5 libidn/1.26
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile NTLM NTLM_WB SSL libz
```
I can retrieve content from a site using a cert for a local CA that is installed in the keychains.
Attachments (1)
Change History (12)
Changed 12 years ago by macports-trac-phil@…
Attachment: | macports-curl-darwinssl.patch added |
---|
comment:1 Changed 12 years ago by larryv (Lawrence Velázquez)
Description: | modified (diff) |
---|---|
Keywords: | ssl darwinssl removed |
Owner: | changed from macports-tickets@… to ryandesign@… |
Thanks for the ticket. In the future, please Cc relevant port maintainers and use WikiFormatting.
comment:2 follow-ups: 3 8 Changed 12 years ago by macports-trac-phil@…
Sure thing, sorry. Couldn't see how to change the existing text to fix to use formatting myself as a post-edit, and assumed that since trac asked for the portname, it would look up the relevant CCs automatically and fill it in. I know better now. :)
Thanks for cleaning up after me!
comment:3 Changed 12 years ago by larryv (Lawrence Velázquez)
Replying to macports-trac-phil@…:
Sure thing, sorry. Couldn't see how to change the existing text to fix to use formatting myself as a post-edit
I don’t think you can edit after the fact, but you can preview the ticket before submitting.
and assumed that since trac asked for the portname, it would look up the relevant CCs automatically and fill it in.
Yeah, that would be nice, but it’s easier to keep fixing tickets manually than to write a Trac plugin for that >.<
comment:4 Changed 12 years ago by ryandesign (Ryan Carsten Schmidt)
Keywords: | haspatch added |
---|---|
Status: | new → assigned |
Summary: | curl: missing Secure Transport (darwinssl) support → curl: add Secure Transport (darwinssl) support |
Replying to macports-trac-phil@…:
"This ninth supported SSL library is now called ‘darwinssl’ in the curl code base."
Thanks, I wasn't aware of this option.
Note that the word "conflicts" should appear only once in the variant declaration, e.g. variant darwinssl conflicts ssl gnutls ...
Is there any downside to darwinssl vs the existing ssl and gnutls options? The upside is that it does not have a dependency on another library, so if there is no downside, I might even consider making this the default variant on darwin. Though perhaps we should have it just be optional for awhile to see how it goes.
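As an added illustration (this is not the patch attached to the ticket, which is not reproduced on this page), the variant declaration discussed above written out as a MacPorts Portfile fragment, with a single `conflicts` clause as comment:4 asks for and an `os.platform` guard as one answer to the description's question about keeping the variant off FreeBSD. The `--with-darwinssl`, `--without-ssl` and `--without-gnutls` configure flags are assumed to be those of curl 7.29's configure script; the variant body is mine, not the curl port's.

```tcl
# Added example Portfile fragment (not the ticket's attached patch).
# Declaring the variant inside a platform check means it never appears in
# `port variants curl` on non-darwin hosts, where Secure Transport does not exist.
if {${os.platform} eq "darwin"} {
    # "conflicts" is given once, followed by every variant it excludes,
    # so the three TLS backends are mutually exclusive.
    variant darwinssl conflicts ssl gnutls \
        description {Use Apple Secure Transport; trust anchors come from the system keychain} {
        # Flag names assumed from curl's configure script. The --without-* flags
        # make the backend choice explicit even if the port's defaults already
        # disable OpenSSL and GnuTLS.
        configure.args-append   --with-darwinssl \
                                --without-ssl \
                                --without-gnutls
    }
}
```

With this in place, `port install curl +darwinssl` is refused if `+ssl` or `+gnutls` is also selected, and a build on a non-darwin platform never sees the variant at all. Note the security consequence the ticket points out: with this backend curl consults the system keychain rather than an OpenSSL `CAfile`/`CApath`, so any private CA that was only added to the OpenSSL bundle must also be trusted in the keychain for verification to succeed.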
comment:5 follow-ups: 6 7 Changed 12 years ago by macports-trac-phil@…
Changing will no longer use any OpenSSL or GnuTLS certificate stores, so existing setups may break if folks haven't merged certs into the Keychain too?
I suspect that changing the default should wait for MacPorts 2.1.4 so that there can be an email notification of the major changes; curl is embedded pretty deeply into many things, as core infrastructure. But then, I'm conservative in these things.
The debug output from libcurl is less informative. Most people won't care. Examples of the differing outputs below (second example is from a non-Mac host). Cipher selection will vary, as might be expected. Oh, bonus, darwinssl actually tells you the TLS protocol used.
```
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* Server certificate: sks.spodhuis.org
* Server certificate: GlobNIX Certificate Authority 3
```
vs
```
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
    CApath: none
* SSL connection using ECDHE-RSA-AES128-SHA256
* Server certificate:
*    subject: C=NL; ST=Noord Holland; O=GlobNIX Systems; CN=sks.spodhuis.org; emailAddress=keyserver@spodhuis.org
*    start date: 2011-08-10 04:59:54 GMT
*    expire date: 2013-05-01 04:59:54 GMT
*    subjectAltName: sks.spodhuis.org matched
*    issuer: C=US; O=GlobNIX Systems; OU=Certification Authority; CN=GlobNIX Certificate Authority 3; emailAddress=certificates@globnix.org
* SSL certificate verify ok.
```
comment:6 Changed 12 years ago by ryandesign (Ryan Carsten Schmidt)
Replying to macports-trac-phil@…:
I suspect that changing the default should wait for MacPorts 2.1.4 so that there can be an email notification of the major changes; curl is embedded pretty deeply into many things, as core infrastructure. But then, I'm conservative in these things.
Changes to individual ports are not part of the MacPorts base release notes. Port changes are not tied to the MacPorts base release schedule.
But I suppose I should be conservative too. I'll just add the variant and let users use it if they want to. It's not like eliminating the openssl dependency would accomplish much; curl is already distributable, and tons of other ports already require openssl so the user is likely to have it installed anyway.
comment:7 Changed 12 years ago by larryv (Lawrence Velázquez)
Replying to macports-trac-phil@…:
Changing will no longer use any OpenSSL or GnuTLS certificate stores, so existing setups may break if folks haven't merged certs into the Keychain too?
Wouldn't existing setups already have `+ssl` or `+gnutls` selected (unless `-ssl` was explicitly used)? Changing the default variant shouldn't affect them.
comment:8 Changed 12 years ago by cooljeanius (Eric Gallager)
Replying to macports-trac-phil@…:
Sure thing, sorry. Couldn't see how to change the existing text to fix to use formatting myself as a post-edit, and assumed that since trac asked for the portname, it would look up the relevant CCs automatically and fill it in. I know better now. :)
Thanks for cleaning up after me!
This is related to ticket #38095 btw
comment:11 Changed 8 years ago by ryandesign (Ryan Carsten Schmidt)
Cc: | dbevans added |
---|---|
Resolution: | → fixed |
Status: | assigned → closed |
patch for curl Portfile to add darwinssl