TLS: drop support for TLS-SRP #21965
The options will simply do nothing. Closes #21965
Pull request overview
This PR removes TLS-SRP support across libcurl, the curl tool, build systems, and the test harness, while keeping the related public options/symbols present but deprecated as of 8.22.0.
Changes:
- Remove TLS-SRP implementation paths from TLS backends (OpenSSL/GnuTLS) and TLS session cache/config handling.
- Remove TLS-SRP feature detection/reporting and build-time toggles (autotools/CMake), plus associated test servers and test cases.
- Deprecate the TLS-SRP-related libcurl options and curl command line flags, and update documentation accordingly.
Reviewed changes
Copilot reviewed 63 out of 63 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| tests/unit/unit3304.c | Removes SRP-specific wording from TLS session-cache unit test comments. |
| tests/test1177.pl | Adjusts feature-name verification logic (currently fakes TLS-SRP presence). |
| tests/test1165.pl | Updates CMake symbol scan to stop exempting CURL_DISABLE_SRP. |
| tests/servers.pm | Removes httptls(+srp) server support and related verification/startup logic. |
| tests/serverhelp.pm | Removes httptls protocol parsing/validation support. |
| tests/runtests.pl | Removes TLS-SRP feature detection and httptls server auto-enable logic. |
| tests/data/test320 | Removes TLS-SRP test case. |
| tests/data/test321 | Removes TLS-SRP test case. |
| tests/data/test322 | Removes TLS-SRP test case. |
| tests/data/test323 | Removes TLS-SRP test case. |
| tests/data/test324 | Removes TLS-SRP test case. |
| tests/data/Makefile.am | Drops TLS-SRP tests and data320.html from distribution lists. |
| tests/data/DISABLED | Removes disabled-test entry/comment specific to TLS-SRP test 323. |
| tests/data/data320.html | Removes TLS-SRP test HTML payload. |
| tests/certs/srp-verifier-db | Removes SRP verifier DB test asset. |
| tests/certs/srp-verifier-conf | Removes SRP verifier config test asset. |
| tests/certs/Makefile.inc | Removes SRPFILES definition. |
| tests/certs/Makefile.am | Stops distributing SRPFILES. |
| src/tool_libinfo.h | Removes feature_tls_srp declaration. |
| src/tool_libinfo.c | Removes TLS-SRP feature table entry and state variable. |
| src/tool_getparam.c | Marks tls* and proxy-tls* options deprecated and removes their config handling. |
| src/tool_cfgable.h | Removes SRP-related fields from OperationConfig. |
| src/tool_cfgable.c | Removes freeing of SRP-related OperationConfig fields. |
| src/config2setopts.c | Removes SRP option-to-setopt translation helper and callsite. |
| scripts/spacecheck.pl | Stops whitelisting srp-verifier-* files (now removed). |
| m4/curl-openssl.m4 | Removes OpenSSL SRP support check and HAVE_OPENSSL_SRP define. |
| m4/curl-gnutls.m4 | Removes GnuTLS SRP support check and HAVE_GNUTLS_SRP define. |
| lib/vtls/vtls_scache.c | Removes SRP credentials from session-cache peer identity/matching. |
| lib/vtls/vtls_config.h | Removes SRP username/password from ssl_primary_config. |
| lib/vtls/vtls_config.c | Removes SRP fields from clone/match/complete/cleanup logic. |
| lib/vtls/openssl.c | Removes OpenSSL TLS-SRP configuration path. |
| lib/vtls/gtls.h | Removes GnuTLS SRP credential fields/defines. |
| lib/vtls/gtls.c | Removes GnuTLS SRP priority/credential setup and SRP cert-verify exception. |
| lib/version.c | Removes TLS-SRP from reported features list. |
| lib/urldata.h | Removes TLSAUTH dupstring slots (TLSAUTH username/password). |
| lib/setopt.c | Makes TLSAUTH options return CURLE_NOT_BUILT_IN (“gone”). |
| lib/curl_setup.h | Removes mention of SSL_CTX_set_srp_* from deprecation suppression comment. |
| lib/curl_config-cmake.h.in | Removes USE_TLS_SRP/HAVE_*_SRP cmake defines. |
| include/curl/curl.h | Marks TLSAUTH and PROXY_TLSAUTH options deprecated (8.22.0). |
| docs/tests/FILEFORMAT.md | Removes httptls+srp server names from test-file server list. |
| docs/libcurl/symbols-in-versions | Marks TLS-SRP-related symbols as ending in 8.22.0. |
| docs/libcurl/opts/CURLOPT_TLSAUTH_USERNAME.md | Adds deprecation notice. |
| docs/libcurl/opts/CURLOPT_TLSAUTH_TYPE.md | Adds deprecation notice. |
| docs/libcurl/opts/CURLOPT_TLSAUTH_PASSWORD.md | Adds deprecation notice. |
| docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_USERNAME.md | Adds deprecation notice. |
| docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_TYPE.md | Adds deprecation notice. |
| docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_PASSWORD.md | Adds deprecation notice. |
| docs/libcurl/curl_easy_ssls_export.md | Removes SRP mention from non-exportable session note. |
| docs/libcurl/curl_easy_setopt.md | Marks TLSAUTH proxy/non-proxy options as deprecated. |
| docs/internals/TLS-SESSIONS.md | Removes SRP references from session-cache documentation. |
| docs/INSTALL.md | Removes --disable-tls-srp entry. |
| docs/INSTALL-CMAKE.md | Removes CURL_DISABLE_SRP / HAVE_*_SRP mentions. |
| docs/DEPRECATE.md | Replaces planned TLS-SRP removal note with “removed in 8.22.0” list entry. |
| docs/cmdline-opts/version.md | Removes TLS-SRP feature section. |
| docs/cmdline-opts/tlsuser.md | Adds “deprecated/no functionality” note. |
| docs/cmdline-opts/tlspassword.md | Adds “deprecated/no functionality” note. |
| docs/cmdline-opts/tlsauthtype.md | Adds “deprecated/no functionality” note. |
| docs/cmdline-opts/proxy-tlsuser.md | Adds “deprecated/no functionality” note. |
| docs/cmdline-opts/proxy-tlspassword.md | Adds “deprecated/no functionality” note. |
| docs/cmdline-opts/proxy-tlsauthtype.md | Adds “deprecated/no functionality” note. |
| docs/CIPHERS.md | Removes TLSAUTH_USERNAME/SRP from priority-string discussion. |
| configure.ac | Removes --enable/--disable-tls-srp and TLS-SRP feature reporting. |
| CMakeLists.txt | Removes CURL_DISABLE_SRP/HAVE_*_SRP detection and USE_TLS_SRP feature add. |
Comments suppressed due to low confidence (6)
docs/cmdline-opts/tlsauthtype.md:25
- After the new deprecation notice, the text still describes how to use TLS-SRP (`SRP` defaulting, requires libcurl built with TLS-SRP). Since the option is now non-functional, that guidance is misleading.
Rewrite this section to clearly state the option is ignored and kept only for command line compatibility.
Set TLS authentication type. Currently, the only supported option is `SRP`,
for TLS-SRP (RFC 5054). If --tlsuser and --tlspassword are specified but
--tlsauthtype is not, then this option defaults to `SRP`. This option works
only if the underlying libcurl is built with TLS-SRP support, which requires
OpenSSL or GnuTLS with TLS-SRP support.
docs/cmdline-opts/proxy-tlsauthtype.md:25
- After the added deprecation note, the page still claims this option sets TLS-SRP auth type and works only if libcurl is built with TLS-SRP. Since it has no functionality in 8.22.0+, that guidance is misleading.
Consider replacing this section with a short note that the option is ignored and kept only for compatibility.
Set TLS authentication type with HTTPS proxy. The only supported option is
`SRP`, for TLS-SRP (RFC 5054). This option works only if the underlying
libcurl is built with TLS-SRP support.
docs/cmdline-opts/tlsuser.md:25
- This page now says the option has no functionality since 8.22.0, but the remaining text still documents how to use it (and mentions TLS 1.3 limitations). That’s contradictory.
Replace the usage text with a clear statement that the option is ignored and kept only for compatibility.
Set username for use with the TLS authentication method specified with
--tlsauthtype. Requires that --tlspassword also is set.
This option does not work with TLS 1.3.
docs/cmdline-opts/tlspassword.md:25
- This page now states the option has no functionality since 8.22.0, but it still describes how to set the password and mentions TLS 1.3 limitations. That’s contradictory for users.
Replace the usage text with a clear statement that the option is ignored and kept only for compatibility.
Set password to use with the TLS authentication method specified with
--tlsauthtype. Requires that --tlsuser is set.
This option does not work with TLS 1.3.
docs/cmdline-opts/proxy-tlsuser.md:25
- This page now says the option has no functionality since 8.22.0, but it still documents how to use it and mentions TLS 1.3 behavior. That’s contradictory.
Replace the usage text with a short note that the option is ignored and kept only for compatibility.
Set username for use for HTTPS proxy with the TLS authentication method
specified with --proxy-tlsauthtype. Requires that --proxy-tlspassword also is
set.
This option does not work with TLS 1.3.
docs/cmdline-opts/proxy-tlspassword.md:25
- This page now says the option has no functionality since 8.22.0, but it still describes how to set a proxy TLS-SRP password and mentions TLS 1.3 limitations. That’s contradictory.
Replace the usage text with a clear statement that the option is ignored and kept only for compatibility.
Set password to use with the TLS authentication method specified with
--proxy-tlsauthtype when using HTTPS proxy. Requires that --proxy-tlsuser is
set.
This option does not work with TLS 1.3.
The options will simply do nothing starting in 8.22.0
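Because the deprecated options stay accepted but have no functionality as of 8.22.0, anything that still passes them no longer gets TLS-SRP authentication. As an added example (not code from this PR or the curl project), the Python script below scans shell scripts, curl config files and C sources for the six option names listed in the review above; the function name `find_srp_usage` and all sample inputs are constructed for illustration.

```python
import re

# Deprecated curl tool options named on this page (docs/cmdline-opts/*.md).
CLI_OPTS = ("tlsuser", "tlspassword", "tlsauthtype",
            "proxy-tlsuser", "proxy-tlspassword", "proxy-tlsauthtype")
# Deprecated libcurl options named on this page (docs/libcurl/opts/*.md).
LIB_OPTS = tuple(f"CURLOPT_{p}TLSAUTH_{s}" for p in ("", "PROXY_")
                 for s in ("USERNAME", "PASSWORD", "TYPE"))

_alt = "|".join(re.escape(o) for o in sorted(CLI_OPTS, key=len, reverse=True))
# Long option on a command line; lookarounds reject e.g. --tlsuserX.
CLI_RE = re.compile(rf"(?<![\w-])--({_alt})(?![\w-])")
# curl config files allow long options without the leading dashes,
# separated from the value by whitespace, '=' or ':'.
CFG_RE = re.compile(rf"^\s*(?:--)?({_alt})(?=\s|=|:|$)")
LIB_RE = re.compile(r"\b(" + "|".join(LIB_OPTS) + r")\b")

def find_srp_usage(text, kind):
    """Return [(line_no, option)] hits; kind is 'shell', 'curlrc' or 'c'."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if kind == "curlrc":
            if line.lstrip().startswith("#"):
                continue  # comment line in a curl config file
            m = CFG_RE.match(line)
            found = [m.group(1)] if m else []
        elif kind == "shell":
            found = CLI_RE.findall(line)
        else:
            found = LIB_RE.findall(line)
        hits += [(no, name) for name in found]
    return hits

# Constructed sample inputs (not taken from the PR).
SAMPLE_SH = """#!/bin/sh
curl --tlsuser alice --tlspassword s3cret https://srp.example/
curl --proxy-tlsauthtype SRP -x https://proxy.example/ https://example.com/
curl --tlsv1.2 https://example.com/
"""
SAMPLE_RC = """# constructed .curlrc
tlsuser = alice
--proxy-tlspassword: hunter2
tlsv1.2
"""
SAMPLE_C = """curl_easy_setopt(h, CURLOPT_TLSAUTH_USERNAME, "alice");
curl_easy_setopt(h, CURLOPT_PROXY_TLSAUTH_TYPE, "SRP");
curl_easy_setopt(h, CURLOPT_USERNAME, "alice");
"""

if __name__ == "__main__":
    for kind, text in (("shell", SAMPLE_SH), ("curlrc", SAMPLE_RC), ("c", SAMPLE_C)):
        print(kind, find_srp_usage(text, kind))
```
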