When you install curl using the default package manager in Linux distributions like Debian, it typically comes pre-compiled with OpenSSL as the TLS backend, because almost every curl distributor/packager builds curl with the OpenSSL backend. Changing to a different TLS backend isn't as straightforward as simply selecting a different option, but it is possible. In this step-by-step tutorial, we will see how to install curl with the GnuTLS backend in Debian.
Before getting into the topic, let me give you a brief introduction to the TLS backend and the list of TLS backends supported by Curl.
What is a TLS backend?
When you compile curl from source, it needs a way to handle secure connections (HTTPS). This is done through a TLS backend. TLS (Transport Layer Security) is essential for secure communication over networks.
Curl supports multiple TLS libraries or backends. Here's the list of supported backends:
1. AmiSSL
AmiSSL is an SSL/TLS implementation for AmigaOS systems. It's not commonly used unless you're developing for Amiga platforms. To compile Curl with AmiSSL, you can use the --with-amissl option.
2. BearSSL
BearSSL is a smaller, more focused SSL/TLS library. It's designed to be lightweight and suitable for embedded systems. To install Curl with BearSSL, use the --with-bearssl option.
3. GnuTLS
GnuTLS is a secure communications library implementing the SSL, TLS, and DTLS protocols. It's a popular open-source alternative to OpenSSL. To install Curl with GnuTLS, you can use the --with-gnutls option.
4. Mbed TLS
Mbed TLS (formerly known as PolarSSL) is an open source, portable, easy to use, readable and flexible SSL library. It's often used in embedded systems and IoT devices. To install Curl with Mbed TLS, use --with-mbedtls.
5. OpenSSL
OpenSSL is one of the most widely used TLS libraries. This option also works for BoringSSL (Google's fork of OpenSSL) and LibreSSL (OpenBSD's fork of OpenSSL). You can use --with-openssl to install Curl with OpenSSL.
6. Rustls
Rustls is a modern TLS library written in Rust. It aims to provide a safer and more efficient implementation. To install Curl with Rustls, use --with-rustls.
7. Schannel
Schannel is the Security Support Provider (SSP) for Windows operating systems. It's used when building curl for Windows platforms. To install Curl with Schannel, use --with-schannel.
8. Secure Transport
Secure Transport is Apple's TLS implementation. This option is used when building curl for macOS or iOS. We can install Curl with the Secure Transport backend using the --with-secure-transport option.
9. wolfSSL
wolfSSL (formerly CyaSSL) is a lightweight, portable, C-language-based SSL/TLS library targeted at IoT, embedded, and RTOS environments. To install Curl with wolfSSL, use --with-wolfssl.
Choosing the Right TLS Backend
- OpenSSL (--with-openssl): This is typically the most common and widely supported choice. It provides a robust feature set and is well-tested in various environments.
- GnuTLS (--with-gnutls): Another solid choice, especially if you prefer to avoid OpenSSL due to its license or other considerations. GnuTLS is known for its focus on security and is used by many Linux distributions.
- Other Backends: Choose these if you have specific requirements or preferences based on platform compatibility, licensing, or performance considerations.
Example Usage
To compile curl with a specific TLS backend, you would typically use the ./configure script with the appropriate --with-<backend> option. For example:
./configure --with-openssl
This command configures curl to use OpenSSL as the TLS backend. Replace openssl with your preferred backend option from the list above.
Install Curl from Source with GnuTLS using GNU Stow
Debian actually provides two versions of libcurl: one built with OpenSSL and another with GnuTLS. The curl command-line tool usually links against the OpenSSL version by default, but you can use the GnuTLS version instead.
Let us check the Curl version in Debian 12 using the following command:
$ curl -V
Sample Output:
curl 8.8.0 (x86_64-pc-linux-gnu) libcurl/8.8.0 OpenSSL/3.0.13 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4
libidn2/2.3.3 libpsl/0.21.2 libssh2/1.10.0 nghttp2/1.52.0 librtmp/2.3 OpenLDAP/2.5.13
Release-Date: 2024-05-22, security patched: 8.8.0-1~bpo12+1
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3
pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz
NTLM PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd
As you can see in the above output, my Debian 12 system has the latest Curl 8.8.0 with the OpenSSL backend.
Now let us see how to compile Curl from source with GnuTLS using GNU Stow. For those wondering, GNU Stow is one of the recommended ways to install the latest software from source in Debian and other Linux distributions.
1. Prerequisites
Ensure you have the necessary tools and dependencies installed:
sudo apt update
sudo apt install build-essential libgnutls28-dev stow
2. Download Latest Curl Tarfile and Extract It
Download the latest Curl from the Curl GitHub Repository:
wget https://github.com/curl/curl/releases/download/curl-8_8_0/curl-8.8.0.tar.gz
Extract the curl source code:
tar -xzvf curl-8.8.0.tar.gz
This command will extract the contents of the tar file into a directory named curl-8.8.0. Cd into the directory:
cd curl-8.8.0
3. Configure the Build with Prefix
Configure the build to use the GnuTLS backend using the following command:
./configure --with-gnutls --prefix=/usr/local/stow/curl-8.8.0
If the /usr/local/stow directory doesn't exist, just create it using the following command:
sudo mkdir -p /usr/local/stow
Then rerun the ./configure command.
4. Compile and Install Curl using Stow
Run the following commands to compile Curl and install it under the Stow prefix:
make
sudo make install
5. Use stow to create the symlinks
Cd into the /usr/local/stow directory and create the necessary symlinks:
cd /usr/local/stow
sudo stow curl-8.8.0
6. Verify Curl Installation
Restart your current session and verify that curl is using GnuTLS:
curl --version
You should see GnuTLS as the new TLS backend.
curl 8.8.0 (x86_64-pc-linux-gnu) libcurl/8.8.0 GnuTLS/3.7.9 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.3
Release-Date: 2024-05-22
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli HSTS HTTPS-proxy IDN IPv6 Largefile libz NTLM SSL threadsafe TLS-SRP UnixSockets zstd
As you see in the above output, Curl is configured with GnuTLS v3.7.9.
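A scripted version of this check, added here as an example and not part of the original tutorial: it reads the first line of `curl -V` and succeeds only if GnuTLS is listed and OpenSSL is not, so a provisioning script can catch the case where Debian's OpenSSL build is still the curl found first on PATH. The function names, the `live` argument and the two sample lines (constructed from the outputs shown above) are assumptions of this example.

```shell
#!/bin/sh
# Added example: confirm which TLS library the curl on PATH was built with.

# component_version LINE NAME
# Prints the version of NAME (e.g. GnuTLS) from the first line of `curl -V`.
# Returns 1 and prints nothing when that component is not listed.
component_version() {
    for token in $1; do
        case "$token" in
            "$2"/*) printf '%s\n' "${token#*/}"; return 0 ;;
        esac
    done
    return 1
}

# check_backend LINE WANTED UNWANTED
# Succeeds only if WANTED is listed and UNWANTED is absent.
check_backend() {
    component_version "$1" "$2" >/dev/null || return 1
    if component_version "$1" "$3" >/dev/null; then
        return 1
    fi
    return 0
}

# Constructed sample lines: the first line of each output shown in this tutorial.
DEBIAN_LINE='curl 8.8.0 (x86_64-pc-linux-gnu) libcurl/8.8.0 OpenSSL/3.0.13 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4'
STOW_LINE='curl 8.8.0 (x86_64-pc-linux-gnu) libcurl/8.8.0 GnuTLS/3.7.9 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.3'

# Live check against the installed binary; runs only when called with "live".
if [ "${1:-}" = "live" ]; then
    # Shows whether the Stow symlink or Debian's packaged binary wins on PATH.
    echo "curl resolved to: $(command -v curl)"
    line=$(curl -V | head -n 1)
    if check_backend "$line" GnuTLS OpenSSL; then
        echo "OK: GnuTLS $(component_version "$line" GnuTLS)"
    else
        echo "FAIL: expected GnuTLS without OpenSSL, got: $line" >&2
        exit 1
    fi
fi
```

Saved under a name of your choice and run with the `live` argument in a new shell, it should report /usr/local/bin/curl, the symlink Stow created, rather than Debian's /usr/bin/curl.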
Troubleshooting
If you encounter the "Unmet Dependencies" issue while trying to install curl on your Debian 12 system, or the flatpak update command doesn't work after upgrading Curl from backports, refer to the following links:
- Fix "Unmet Dependencies" Error When Installing Curl In Debian 12
- Flatpak Update Fails After Upgrading Curl To 8.10 In Debian
Conclusion
In this step-by-step tutorial, we discussed the list of available TLS backends and how to install Curl with the GnuTLS backend from source using GNU Stow in Debian and its derivatives.
If you're not aware already, Debian's Curl is about to get HTTP3 support. For more details, refer to the following link: