configure: make the TLS library choice(s) explicit

configure no longer tries to find a TLS library by default, but all
libraries are now equal: the user needs to explicitly ask what TLS
library or libraries to use.

If no TLS library is selected, configure will error out unless
--without-ssl is explicitly used to request a built without TLS (as that
is very rare these days).

Removes: --with-winssl, --with-darwinssl and all --without-* options for
TLS libraries.

Closes #6897

3 files changed, 150 insertions, 148 deletions

diff --git a/configure.ac b/configure.ac
index 5da2ac37c..70762cc9d 100755
--- a/configure.ac
+++ b/configure.ac
@@ -181,6 +181,109 @@ dnl
 INITIAL_LDFLAGS=$LDFLAGS
 INITIAL_LIBS=$LIBS
 
+dnl **********************************************************************
+dnl See which TLS backend(s) that are requested. Just do all the
+dnl TLS AC_ARG_WITH() invokes here and do the checks later
+dnl **********************************************************************
+OPT_SCHANNEL=no
+AC_ARG_WITH(schannel,dnl
+AS_HELP_STRING([--with-schannel],[enable Windows native SSL/TLS]),
+  OPT_SCHANNEL=$withval
+  TLSCHOICE="schannel")
+
+OPT_SECURETRANSPORT=no
+AC_ARG_WITH(secure-transport,dnl
+AS_HELP_STRING([--with-secure-transport],[enable Apple OS native SSL/TLS]),
+  OPT_SECURETRANSPORT=$withval
+  test -z "TLSCHOICE" || TLSCHOICE="${TLSCHOICE:+$TLSCHOICE, }Secure-Transport"
+)
+
+OPT_AMISSL=no
+AC_ARG_WITH(amissl,dnl
+AS_HELP_STRING([--with-amissl],[enable Amiga native SSL/TLS (AmiSSL)]),
+  OPT_AMISSL=$withval
+  test -z "TLSCHOICE" || TLSCHOICE="${TLSCHOICE:+$TLSCHOICE, }AmiSSL")
+
+OPT_OPENSSL=no
+dnl Default to no CA bundle
+ca="no"
+AC_ARG_WITH(ssl,dnl
+AS_HELP_STRING([--with-ssl=PATH],[old version of --with-openssl])
+AS_HELP_STRING([--without-ssl], [build without any TLS library]),
+  OPT_SSL=$withval
+  OPT_OPENSSL=$withval
+  test -z "TLSCHOICE" || TLSCHOICE="${TLSCHOICE:+$TLSCHOICE, }OpenSSL")
+
+AC_ARG_WITH(openssl,dnl
+AS_HELP_STRING([--with-openssl=PATH],[Where to look for OpenSSL, PATH points to the SSL installation (default: /usr/local/ssl); when possible, set the PKG_CONFIG_PATH environment variable instead of using this option]),
+  OPT_OPENSSL=$withval
+  test -z "TLSCHOICE" || TLSCHOICE="${TLSCHOICE:+$TLSCHOICE, }OpenSSL")
+
+OPT_GNUTLS=no
+AC_ARG_WITH(gnutls,dnl
+AS_HELP_STRING([--with-gnutls=PATH],[where to look for GnuTLS, PATH points to the installation root]),
+  OPT_GNUTLS=$withval
+  test -z "TLSCHOICE" || TLSCHOICE="${TLSCHOICE:+$TLSCHOICE, }GnuTLS")
+
+OPT_MBEDTLS=no
+AC_ARG_WITH(mbedtls,dnl
+AS_HELP_STRING([--with-mbedtls=PATH],[where to look for mbedTLS, PATH points to the installation root]),
+  OPT_MBEDTLS=$withval
+  test -z "TLSCHOICE" || TLSCHOICE="${TLSCHOICE:+$TLSCHOICE, }mbedTLS")
+
+OPT_WOLFSSL=no
+AC_ARG_WITH(wolfssl,dnl
+AS_HELP_STRING([--with-wolfssl=PATH],[where to look for WolfSSL, PATH points to the installation root (default: system lib default)]),
+  OPT_WOLFSSL=$withval
+  test -z "TLSCHOICE" || TLSCHOICE="${TLSCHOICE:+$TLSCHOICE, }wolfSSL")
+
+OPT_MESALINK=no
+AC_ARG_WITH(mesalink,dnl
+AS_HELP_STRING([--with-mesalink=PATH],[where to look for MesaLink, PATH points to the installation root]),
+  OPT_MESALINK=$withval
+  test -z "TLSCHOICE" || TLSCHOICE="${TLSCHOICE:+$TLSCHOICE, }MesaLink")
+
+OPT_BEARSSL=no
+AC_ARG_WITH(bearssl,dnl
+AS_HELP_STRING([--with-bearssl=PATH],[where to look for BearSSL, PATH points to the installation root]),
+  OPT_BEARSSL=$withval
+  test -z "TLSCHOICE" || TLSCHOICE="${TLSCHOICE:+$TLSCHOICE, }BearSSL")
+
+OPT_RUSTLS=no
+AC_ARG_WITH(rustls,dnl
+AS_HELP_STRING([--with-rustls=PATH],[where to look for rustls, PATH points to the installation root]),
+  OPT_RUSTLS=$withval
+  test -z "TLSCHOICE" || TLSCHOICE="${TLSCHOICE:+$TLSCHOICE, }rustls")
+
+OPT_NSS=no
+AC_ARG_WITH(nss,dnl
+AS_HELP_STRING([--with-nss=PATH],[where to look for NSS, PATH points to the installation root]),
+  OPT_NSS=$withval
+  test -z "TLSCHOICE" || TLSCHOICE="${TLSCHOICE:+$TLSCHOICE, }NSS")
+
+dnl If no TLS choice has been made, check if it was explicitly disabled or
+dnl error out to force the user to decide.
+if test -z "$TLSCHOICE"; then
+  if test "x$OPT_SSL" != "xno"; then
+    AC_MSG_ERROR([select TLS backend(s) or disble TLS with --without-ssl.
+
+Select from these:
+
+  --with-amissl
+  --with-bearssl
+  --with-gnutls
+  --with-mbedtls
+  --with-mesalink
+  --with-nss
+  --with-openssl (also works for BoringSSL and libressl)
+  --with-rustls
+  --with-schannel
+  --with-secure-transport
+  --with-wolfssl
+])
+  fi
+fi
+
 dnl
 dnl Detect the canonical host and target build environment
 dnl
@@ -1634,26 +1737,15 @@ dnl -------------------------------------------------
 dnl check winssl option before other SSL libraries
 dnl -------------------------------------------------
 
-OPT_SCHANNEL=no
-AC_ARG_WITH(winssl,dnl
-AS_HELP_STRING([--with-winssl],[enable Windows native SSL/TLS])
-AS_HELP_STRING([--without-winssl], [disable Windows native SSL/TLS]),
-  OPT_SCHANNEL=$withval)
-
-AC_ARG_WITH(schannel,dnl
-AS_HELP_STRING([--with-schannel],[enable Windows native SSL/TLS])
-AS_HELP_STRING([--without-schannel], [disable Windows native SSL/TLS]),
-  OPT_SCHANNEL=$withval)
-
 AC_MSG_CHECKING([whether to enable Windows native SSL/TLS (Windows native builds only)])
-if test -z "$ssl_backends" -o "x$OPT_SCHANNEL" != xno; then
+if test "x$OPT_SCHANNEL" != xno; then
   ssl_msg=
   if test "x$OPT_SCHANNEL" != "xno"  &&
      test "x$curl_cv_native_windows" = "xyes"; then
     AC_MSG_RESULT(yes)
     AC_DEFINE(USE_SCHANNEL, 1, [to enable Windows native SSL/TLS support])
     AC_SUBST(USE_SCHANNEL, [1])
-    ssl_msg="Windows-native"
+    ssl_msg="Schannel"
     test schannel != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
     SCHANNEL_ENABLED=1
     # --with-schannel implies --enable-sspi
@@ -1673,19 +1765,8 @@ if test "x$USE_WIN32_CRYPTO" = "x1" -o "x$USE_SCHANNEL" = "x1"; then
   LIBS="-ladvapi32 -lcrypt32 $LIBS"
 fi
 
-OPT_SECURETRANSPORT=no
-AC_ARG_WITH(darwinssl,dnl
-AS_HELP_STRING([--with-darwinssl],[enable Apple OS native SSL/TLS])
-AS_HELP_STRING([--without-darwinssl], [disable Apple OS native SSL/TLS]),
-  OPT_SECURETRANSPORT=$withval)
-
-AC_ARG_WITH(secure-transport,dnl
-AS_HELP_STRING([--with-secure-transport],[enable Apple OS native SSL/TLS])
-AS_HELP_STRING([--without-secure-transport], [disable Apple OS native SSL/TLS]),
-  OPT_SECURETRANSPORT=$withval)
-
 AC_MSG_CHECKING([whether to enable Secure Transport])
-if test -z "$ssl_backends" -o "x$OPT_SECURETRANSPORT" != xno; then
+if test "x$OPT_SECURETRANSPORT" != xno; then
   if test "x$OPT_SECURETRANSPORT" != "xno" &&
      (test "x$cross_compiling" != "xno" || test -d "/System/Library/Frameworks/Security.framework"); then
     AC_MSG_RESULT(yes)
@@ -1703,15 +1784,9 @@ else
   AC_MSG_RESULT(no)
 fi
 
-OPT_AMISSL=no
-AC_ARG_WITH(amissl,dnl
-AS_HELP_STRING([--with-amissl],[enable Amiga native SSL/TLS (AmiSSL)])
-AS_HELP_STRING([--without-amissl], [disable Amiga native SSL/TLS (AmiSSL)]),
-  OPT_AMISSL=$withval)
-
 AC_MSG_CHECKING([whether to enable Amiga native SSL/TLS (AmiSSL)])
 if test "$HAVE_PROTO_BSDSOCKET_H" = "1"; then
-  if test -z "$ssl_backends" -o "x$OPT_AMISSL" != xno; then
+  if test "x$OPT_AMISSL" != xno; then
     ssl_msg=
     if test "x$OPT_AMISSL" != "xno"; then
       AC_MSG_RESULT(yes)
@@ -1733,25 +1808,10 @@ else
 fi
 
 dnl **********************************************************************
-dnl Check for the presence of SSL libraries and headers
+dnl Check for OpenSSL libraries and headers
 dnl **********************************************************************
 
-dnl Default to compiler & linker defaults for SSL files & libraries.
-OPT_SSL=off
-dnl Default to no CA bundle
-ca="no"
-AC_ARG_WITH(ssl,dnl
-AS_HELP_STRING([--with-ssl=PATH],[old version of --with-openssl])
-AS_HELP_STRING([--without-ssl], [old version of --without-openssl]),
-  OPT_SSL=$withval)
-
-AC_ARG_WITH(openssl,dnl
-AS_HELP_STRING([--with-openssl=PATH],[Where to look for OpenSSL, PATH points to the SSL installation (default: /usr/local/ssl); when possible, set the PKG_CONFIG_PATH environment variable instead of using this option])
-AS_HELP_STRING([--without-openssl], [disable OpenSSL]),
-  OPT_SSL=$withval)
-
-if test -z "$ssl_backends" -o "x$OPT_SSL" != xno &&
-   test X"$OPT_SSL" != Xno; then
+if test "x$OPT_OPENSSL" != xno; then
   ssl_msg=
 
   dnl backup the pre-ssl variables
@@ -1781,7 +1841,7 @@ if test -z "$ssl_backends" -o "x$OPT_SSL" != xno &&
       ;;
   esac
 
-  case "$OPT_SSL" in
+  case "$OPT_OPENSSL" in
   yes)
     dnl --with-openssl (without path) used
     PKGTEST="yes"
@@ -1796,12 +1856,12 @@ if test -z "$ssl_backends" -o "x$OPT_SSL" != xno &&
   *)
     dnl check the given --with-openssl spot
     PKGTEST="no"
-    PREFIX_OPENSSL=$OPT_SSL
+    PREFIX_OPENSSL=$OPT_OPENSSL
 
     dnl Try pkg-config even when cross-compiling.  Since we
     dnl specify PKG_CONFIG_LIBDIR we're only looking where
     dnl the user told us to look
-    OPENSSL_PCDIR="$OPT_SSL/lib/pkgconfig"
+    OPENSSL_PCDIR="$OPT_OPENSSL/lib/pkgconfig"
     if test -f "$OPENSSL_PCDIR/openssl.pc"; then
       AC_MSG_NOTICE([PKG_CONFIG_LIBDIR will be set to "$OPENSSL_PCDIR"])
       PKGTEST="yes"
@@ -1965,7 +2025,7 @@ if test -z "$ssl_backends" -o "x$OPT_SSL" != xno &&
        LIBS="$CLEANLIBS"
     fi
 
-    if test X"$OPT_SSL" != Xoff &&
+    if test X"$OPT_OPENSSL" != Xoff &&
        test "$OPENSSL_ENABLED" != "1"; then
       AC_MSG_ERROR([OpenSSL libs and/or directories were not found where specified!])
     fi
@@ -2057,10 +2117,9 @@ if test -z "$ssl_backends" -o "x$OPT_SSL" != xno &&
   test -z "$ssl_msg" || ssl_backends="${ssl_backends:+$ssl_backends, }$ssl_msg"
 fi
 
-if test X"$OPT_SSL" != Xoff &&
-  test X"$OPT_SSL" != Xno &&
+if test X"$OPT_OPENSSL" != Xno &&
   test "$OPENSSL_ENABLED" != "1"; then
-  AC_MSG_NOTICE([OPT_SSL: $OPT_SSL])
+  AC_MSG_NOTICE([OPT_OPENSSL: $OPT_OPENSSL])
   AC_MSG_NOTICE([OPENSSL_ENABLED: $OPENSSL_ENABLED])
   AC_MSG_ERROR([--with-openssl was given but OpenSSL could not be detected])
 fi
@@ -2130,15 +2189,7 @@ dnl ----------------------------------------------------
 dnl check for GnuTLS
 dnl ----------------------------------------------------
 
-dnl Default to compiler & linker defaults for GnuTLS files & libraries.
-OPT_GNUTLS=no
-
-AC_ARG_WITH(gnutls,dnl
-AS_HELP_STRING([--with-gnutls=PATH],[where to look for GnuTLS, PATH points to the installation root])
-AS_HELP_STRING([--without-gnutls], [disable GnuTLS detection]),
-  OPT_GNUTLS=$withval)
-
-if test -z "$ssl_backends" -o "x$OPT_GNUTLS" != xno; then
+if test "x$OPT_GNUTLS" != xno; then
   ssl_msg=
 
   if test X"$OPT_GNUTLS" != Xno; then
@@ -2279,16 +2330,9 @@ dnl ----------------------------------------------------
 dnl check for mbedTLS
 dnl ----------------------------------------------------
 
-OPT_MBEDTLS=no
-
-_cppflags=$CPPFLAGS
-_ldflags=$LDFLAGS
-AC_ARG_WITH(mbedtls,dnl
-AS_HELP_STRING([--with-mbedtls=PATH],[where to look for mbedTLS, PATH points to the installation root])
-AS_HELP_STRING([--without-mbedtls], [disable mbedTLS detection]),
-  OPT_MBEDTLS=$withval)
-
-if test -z "$ssl_backends" -o "x$OPT_MBEDTLS" != xno; then
+if test "x$OPT_MBEDTLS" != xno; then
+  _cppflags=$CPPFLAGS
+  _ldflags=$LDFLAGS
   ssl_msg=
 
   if test X"$OPT_MBEDTLS" != Xno; then
@@ -2371,17 +2415,6 @@ dnl ----------------------------------------------------
 dnl check for wolfSSL
 dnl ----------------------------------------------------
 
-dnl Default to compiler & linker defaults for wolfSSL files & libraries.
-OPT_WOLFSSL=no
-
-_cppflags=$CPPFLAGS
-_ldflags=$LDFLAGS
-
-AC_ARG_WITH(wolfssl,dnl
-AS_HELP_STRING([--with-wolfssl=PATH],[where to look for WolfSSL, PATH points to the installation root (default: system lib default)])
-AS_HELP_STRING([--without-wolfssl], [disable WolfSSL detection]),
-  OPT_WOLFSSL=$withval)
-
 case "$OPT_WOLFSSL" in
   yes|no)
     wolfpkg=""
@@ -2391,7 +2424,10 @@ case "$OPT_WOLFSSL" in
     ;;
 esac
 
-if test -z "$ssl_backends" -o "x$OPT_WOLFSSL" != xno; then
+if test "x$OPT_WOLFSSL" != xno; then
+  _cppflags=$CPPFLAGS
+  _ldflags=$LDFLAGS
+
   ssl_msg=
 
   if test X"$OPT_WOLFSSL" != Xno; then
@@ -2532,17 +2568,9 @@ dnl ----------------------------------------------------
 dnl check for MesaLink
 dnl ----------------------------------------------------
 
-dnl Default to compiler & linker defaults for MesaLink files & libraries.
-OPT_MESALINK=no
-
-_cppflags=$CPPFLAGS
-_ldflags=$LDFLAGS
-AC_ARG_WITH(mesalink,dnl
-AS_HELP_STRING([--with-mesalink=PATH],[where to look for MesaLink, PATH points to the installation root])
-AS_HELP_STRING([--without-mesalink], [disable MesaLink detection]),
-  OPT_MESALINK=$withval)
-
-if test -z "$ssl_backends" -o "x$OPT_MESALINK" != xno; then
+if test "x$OPT_MESALINK" != xno; then
+  _cppflags=$CPPFLAGS
+  _ldflags=$LDFLAGS
   ssl_msg=
 
   if test X"$OPT_MESALINK" != Xno; then
@@ -2624,16 +2652,9 @@ dnl ----------------------------------------------------
 dnl check for BearSSL
 dnl ----------------------------------------------------
 
-OPT_BEARSSL=no
-
-_cppflags=$CPPFLAGS
-_ldflags=$LDFLAGS
-AC_ARG_WITH(bearssl,dnl
-AS_HELP_STRING([--with-bearssl=PATH],[where to look for BearSSL, PATH points to the installation root])
-AS_HELP_STRING([--without-bearssl], [disable BearSSL detection]),
-  OPT_BEARSSL=$withval)
-
-if test -z "$ssl_backends" -o "x$OPT_BEARSSL" != xno; then
+if test "x$OPT_BEARSSL" != xno; then
+  _cppflags=$CPPFLAGS
+  _ldflags=$LDFLAGS
   ssl_msg=
 
   if test X"$OPT_BEARSSL" != Xno; then
@@ -2716,16 +2737,9 @@ dnl ----------------------------------------------------
 dnl check for rustls
 dnl ----------------------------------------------------
 
-OPT_RUSTLS=no
-
-_cppflags=$CPPFLAGS
-_ldflags=$LDFLAGS
-AC_ARG_WITH(rustls,dnl
-AS_HELP_STRING([--with-rustls=PATH],[where to look for rustls, PATH points to the installation root])
-AS_HELP_STRING([--without-rustls], [disable rustls detection]),
-  OPT_RUSTLS=$withval)
-
-if test -z "$ssl_backends" -o "x$OPT_RUSTLS" != xno; then
+if test "x$OPT_RUSTLS" != xno; then
+  _cppflags=$CPPFLAGS
+  _ldflags=$LDFLAGS
   ssl_msg=
 
   if test X"$OPT_RUSTLS" != Xno; then
@@ -2806,15 +2820,7 @@ dnl ----------------------------------------------------
 dnl NSS. Only check if GnuTLS and OpenSSL are not enabled
 dnl ----------------------------------------------------
 
-dnl Default to compiler & linker defaults for NSS files & libraries.
-OPT_NSS=no
-
-AC_ARG_WITH(nss,dnl
-AS_HELP_STRING([--with-nss=PATH],[where to look for NSS, PATH points to the installation root])
-AS_HELP_STRING([--without-nss], [disable NSS detection]),
-  OPT_NSS=$withval)
-
-if test -z "$ssl_backends" -o "x$OPT_NSS" != xno; then
+if test "x$OPT_NSS" != xno; then
   ssl_msg=
 
   if test X"$OPT_NSS" != Xno; then
diff --git a/docs/INSTALL.md b/docs/INSTALL.md
index 15daddb8b..30afe81f7 100644
--- a/docs/INSTALL.md
+++ b/docs/INSTALL.md
@@ -30,11 +30,13 @@ proceed.
 A normal Unix installation is made in three or four steps (after you've
 unpacked the source archive):
 
-    ./configure
+    ./configure --with-openssl [--with-gnutls --with-wolfssl]
     make
     make test (optional)
     make install
 
+(Adjust the configure line accordingly to use the TLS library you want.)
+
 You probably need to be root when doing the last command.
 
 Get a full listing of all available configure options by invoking it like:
@@ -73,7 +75,7 @@ Without pkg-config installed, use this:
 If you insist on forcing a build without SSL support, even though you may
 have OpenSSL installed in your system, you can run configure like this:
 
-    ./configure --without-openssl
+    ./configure --without-ssl
 
 If you have OpenSSL installed, but with the libraries in one place and the
 header files somewhere else, you have to set the `LDFLAGS` and `CPPFLAGS`
@@ -109,17 +111,19 @@ want to alter it, you can select how to deal with each individual library.
 
 ## Select TLS backend
 
-The default OpenSSL configure check will also detect and use BoringSSL or
-libressl.
-
- - GnuTLS: `--without-openssl --with-gnutls`.
- - wolfSSL: `--without-openssl --with-wolfssl`
- - NSS: `--without-openssl --with-nss`
- - mbedTLS: `--without-openssl --with-mbedtls`
- - schannel: `--without-openssl --with-schannel`
- - secure transport: `--without-openssl --with-secure-transport`
- - MesaLink: `--without-openssl --with-mesalink`
- - BearSSL: `--without-openssl --with-bearssl`
+These options are provided to select TLS backend to use.
+
+ - AmiSSL: `--with-amissl`
+ - BearSSL: `--with-bearssl`
+ - GnuTLS: `--with-gnutls`.
+ - mbedTLS: `--with-mbedtls`
+ - MesaLink: `--with-mesalink`
+ - NSS: `--with-nss`
+ - OpenSSL: `--with-openssl` (also for BoringSSL and libressl)
+ - rustls: `--with-rustls`
+ - schannel: `--with-schannel`
+ - secure transport: `--with-secure-transport`
+ - wolfSSL: `--with-wolfssl`
 
 # Windows
 
diff --git a/docs/TODO b/docs/TODO
index 04511bb3b..ceabee2d9 100644
--- a/docs/TODO
+++ b/docs/TODO
@@ -112,7 +112,6 @@
  13.4 Cache/share OpenSSL contexts
  13.5 Export session ids
  13.6 Provide callback for cert verification
- 13.7 improve configure --with-openssl
  13.8 Support DANE
  13.9 TLS record padding
  13.10 Support Authority Information Access certificate extension (AIA)
@@ -768,13 +767,6 @@
  certificate, but this doesn't seem to be exposed in the libcurl APIs. Could
  it be? There's so much that could be done if it were!
 
-13.7 improve configure --with-openssl
-
- Consider making the configure script not guess which TLS library to use (as
- it makes it harder to purposely select another library than the default).
- Maybe require specific TLS library option(s) or an explicit no-TLS-at-all
- option.
-
 13.8 Support DANE
 
  DNS-Based Authentication of Named Entities (DANE) is a way to provide SSL