@AndyBodnar AndyBodnar commented Jan 10, 2026

Summary

This PR removes the vendor-openssl feature and switches to platform-native TLS implementations:

  • Windows: Uses WinHTTP/Schannel (built-in, no additional setup needed)
  • macOS: Uses SecureTransport (built-in, no additional setup needed)
  • Linux: Uses system OpenSSL (requires libssl-dev or equivalent package)

Changes

  • Removed vendor-openssl feature from Cargo.toml and asyncgit/Cargo.toml
  • Removed openssl-sys dependency with vendored feature
  • Updated README.md build requirements to reflect the new TLS setup
  • Added comments explaining the platform-native TLS approach

Benefits

  • Eliminates the need to bundle OpenSSL with binaries
  • Reduces compilation complexity on Windows and macOS
  • Uses better-maintained platform security libraries where available
  • Linux users can use their system's OpenSSL which is typically already installed

Test plan

  • Verify build succeeds on Windows (uses WinHTTP)
  • Verify build succeeds on macOS (uses SecureTransport)
  • Verify build succeeds on Linux with system OpenSSL
  • Test HTTPS clone/push/fetch operations work correctly

Closes #2004

Switch to using platform-native TLS implementations:
- Windows: WinHTTP/Schannel (built-in)
- macOS: SecureTransport (built-in)
- Linux: System OpenSSL (via package manager)

This removes the vendor-openssl feature and the openssl-sys dependency,
eliminating the need to bundle OpenSSL with the binary. Users on Windows
and macOS get TLS support out of the box, while Linux users need to have
OpenSSL development libraries installed (which is common on most systems).

Closes gitui-org#2004
@AndyBodnar AndyBodnar force-pushed the feature/replace-openssl-rustls branch from d6e98c0 to 4eef238 Compare January 10, 2026 19:47
@AndyBodnar AndyBodnar changed the title from "feat: replace openssl with rustls for TLS support" to "Remove vendored OpenSSL in favor of platform-native TLS" Jan 10, 2026
"status",
] }
log = "0.4"
# git2 = { path = "../../extern/git2-rs", features = ["vendored-openssl"]}
Collaborator

please only remove the relevant parts and leave the others

dirs = "6.0"
easy-cast = "0.5"
fuzzy-matcher = "0.3"
# TLS is provided by platform-native libraries:
Collaborator

this is misplaced. let's remove and make sure all context is given in the readme section you edited

- Remove TLS comment from asyncgit/Cargo.toml (context is in README)
- Restore commented git2 lines that were unrelated to OpenSSL changes
- Restore vendor-openssl feature for cross-compilation targets
- Update Makefile to use vendor-openssl for musl, ARM, and Apple x86 builds

The vendor-openssl feature is no longer in defaults, allowing native TLS
on standard builds while still supporting vendored OpenSSL for
cross-compilation where system libraries aren't available.
Author

AndyBodnar commented Jan 11, 2026

@extrawurst, addressed both points in the latest commit. reverted the asyncgit/Cargo.toml changes entirely so there's no modifications to that file anymore. the TLS explanation is only in the README now and i left the unrelated commented lines alone.

the approach now is simpler: just remove vendor-openssl from defaults but keep it available for cross-compilation via the Makefile targets.

looks like CI hasn't triggered yet, might need approval to run?

@AndyBodnar
Author

Hey, just checking if you could approve the CI run when you get a chance? Made the changes you requested in the latest commit.

Development

Successfully merging this pull request may close these issues.

Using rustls instead of openssl?