Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

eliminate openssl dependency for consensus bits #769

Closed
Tracked by #785
spoonincode opened this issue Jul 21, 2022 · 6 comments
Closed
Tracked by #785

eliminate openssl dependency for consensus bits #769

spoonincode opened this issue Jul 21, 2022 · 6 comments
Labels
OCI OCI working this issue...

Comments

@spoonincode
Copy link
Member

spoonincode commented Jul 21, 2022

Given what occurred in openssl 3.0.4 I'd like to see us move away from using openssl in consensus bits.

Proposal: use a submoduled-in static linked boringssl for consensus bits; i.e. anything in libchain. I already explored this some previously in EOSIO/eos#9026 and it's a clean drop in replacement likely with low risk of something behaving differently (unlike, say, if we completely rewrote the R1 recovery code with a different library).

Problem: While we want to fix the consensus mathy stuff at a long term version, but we don't want to fix TLS stuff -- that will likely need to be bumped in the future for new TLS versions, security fixes, etc. We can't have two different versions of boringssl or boringssl+openssl linked in the same executable because of symbol conflicts. This causes grief in finding a good solution.

Proposed solution: Abandon openssl altogether. But what do we do about TLS in our applications?

cleos

Reimplement HTTP requests via platform provided high level HTTP APIs. This would mean libcurl on Linux, NSURLSession on macOS, and WinHTTP on Windows. This actually has a number of nice benefits like getting cleos HTTP/2 support, system proxy support, ipv6 happy eyeballs, and not needing to deal with the CA store. The downside of course is that it's more code to maintain and different across platforms.

nodeos & keosd

My preference would be to eliminate TLS support in nodeos & keosd. I suspect usage of the HTTPS server in nodeos is extremely rare (some prominent community members regularly discourage its use, even). Likewise, I suspect connecting nodeos to keosd via TLS is extremely rare.

If we must keep TLS support in nodeos & keosd, perhaps look in to system provided TLS implementations such as GnuTLS and Core Transport.

Need to be mindful of #110 & eosnetworkfoundation/product#13 as they mix in to these decisions too. This effort is likely a blocker for eosnetworkfoundation/product#20.

Explore: Previously, as mentioned in the EOS PR above, boringssl's sha256 performance was rather poor. This is important to us. Performance testing with sha256 & r1 key recovery should be performed on the latest version before getting too far in to this change.

@spoonincode spoonincode added the planning Propose change to milestone in next planning meeting label Jul 21, 2022
@stephenpdeos
Copy link
Member

This issue will close/replace #362

@stephenpdeos
Copy link
Member

@spoonincode can you document the big questions we need to answer before this is actionable?

@spoonincode
Copy link
Member Author

Any performance testing should probably look at making #786

@stephenpdeos
Copy link
Member

stephenpdeos commented Aug 4, 2022

We'll utilize the work done in #786 to benchmark performance impact

@ericpassmore ericpassmore transferred this issue from eosnetworkfoundation/mandel Aug 6, 2022
@ericpassmore ericpassmore transferred this issue from another repository Aug 6, 2022
@spoonincode
Copy link
Member Author

This is much easier to accomplish once #110 is settled.

@stephenpdeos stephenpdeos removed the planning Propose change to milestone in next planning meeting label Aug 25, 2022
@stephenpdeos stephenpdeos added the OCI OCI working this issue... label Oct 13, 2022
@spoonincode
Copy link
Member Author

Tracked in leap repo now

@spoonincode spoonincode closed this as not planned Won't fix, can't repro, duplicate, stale Jan 17, 2023
@github-project-automation github-project-automation bot moved this from Todo to Done in ENF Engineering Jan 17, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
OCI OCI working this issue...
Projects
Status: Done
Development

No branches or pull requests

2 participants