chore(deps): Bump OpenSSL base version to 3.1.* #17669

Merged: 11 commits, Aug 9, 2023
13 changes: 6 additions & 7 deletions Cargo.lock

7 changes: 6 additions & 1 deletion Cargo.toml
@@ -345,7 +345,7 @@ nix = { version = "0.26.2", default-features = false, features = ["socket", "sig
[build-dependencies]
prost-build = { version = "0.11", default-features = false, optional = true }
tonic-build = { version = "0.9", default-features = false, features = ["transport", "prost"], optional = true }
openssl-src = { version = "111", default-features = false, features = ["force-engine"] }
openssl-src = { version = "300", default-features = false, features = ["force-engine", "legacy"] }

[dev-dependencies]
approx = "0.5.1"
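Review bot: the `legacy` feature added to the `openssl-src` line under `[build-dependencies]` deserves a one-line comment, because nothing nearby says why the legacy provider is compiled into the vendored OpenSSL. From the rest of this PR the reason is the `from_options_pkcs12` test in `lib/vector-core/src/tls/settings.rs` and the new `--openssl-legacy-provider` flag: PKCS#12 bundles written by older tooling use algorithms (RC2 among them) that OpenSSL 3 moved out of the default provider, and removing `legacy` here would leave `Provider::try_load(None, "legacy", true)` with nothing to load, failing at runtime rather than at build time. Something like `# "legacy" builds the legacy provider needed to read pre-3.0 PKCS#12 files` next to the feature list would stop a future dependency cleanup from dropping it.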
@@ -381,6 +381,11 @@ nix = { git = "https://github.com/vectordotdev/nix.git", branch = "memfd/gnu/mus
# The `heim` crates depend on `ntapi` 0.3.7 on Windows, but that version has an
# unaligned access bug fixed in the following revision.
ntapi = { git = "https://github.com/MSxDOS/ntapi.git", rev = "24fc1e47677fc9f6e38e5f154e6011dc9b270da6" }
# The current `openssl-sys` crate will vendor the OpenSSL sources via
# `openssl-src` at version 1.1.1*, but we want version 3.1.*. Bring in forked
# version of that crate with the appropriate dependency patched in.
openssl-sys = { git = "https://github.com/vectordotdev/rust-openssl.git", tag = "openssl-sys-v0.9.91+3.0.0" }
openssl-src = { git = "https://github.com/vectordotdev/openssl-src-rs.git", tag = "release-300-force-engine+3.1.2"}
Contributor:
This can be removed once a new version of the upstream is published (alexcrichton/openssl-src-rs#205).


[features]
# Default features for *-unknown-linux-gnu and *-apple-darwin
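Review bot: the `[patch]` comment above the `openssl-sys` and `openssl-src` overrides should carry the removal condition in the code rather than only in this review thread: say that both git pins are temporary and point at alexcrichton/openssl-src-rs#205, so the next person bumping OpenSSL knows when they can go. Two smaller points on the same two lines. The tags disagree on the OpenSSL version they embed (`openssl-sys-v0.9.91+3.0.0` versus `release-300-force-engine+3.1.2`); that is only build metadata, but it will confuse anyone auditing which OpenSSL is actually vendored, so state `3.1.2` explicitly in the comment. And pinning by `tag` means the build trusts the fork's tags never being moved; for a dependency as sensitive as OpenSSL a `rev` pin to the commit hash is the safer choice, with the tag name kept in the comment for readability.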
1 change: 1 addition & 0 deletions lib/vector-core/src/tls/settings.rs
@@ -630,6 +630,7 @@ mod test {

#[test]
fn from_options_pkcs12() {
let _provider = openssl::provider::Provider::try_load(None, "legacy", true).unwrap();
let options = TlsConfig {
crt_file: Some(TEST_PKCS12_PATH.into()),
key_pass: Some("NOPASS".into()),
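Review bot: the `let _provider = ...` binding in `from_options_pkcs12` is correct but subtle enough to need a comment. A `Provider` unloads itself when dropped, so binding it to `_provider` (which lives until the end of the test body) is what keeps the legacy provider loaded while `TlsConfig` parses the PKCS#12 file; `let _ = ...` would drop and unload it on the same line and the test would fail for a non-obvious reason. Suggest `// keep the legacy provider loaded for the whole test; dropping it unloads it` above the line. The `.unwrap()` also means this test now hard-requires the vendored OpenSSL to be built with the `legacy` feature from `Cargo.toml`, which is worth stating in the same comment.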
4 changes: 4 additions & 0 deletions scripts/cross/bootstrap-centos.sh
@@ -3,3 +3,7 @@ set -o errexit

yum install -y unzip centos-release-scl
yum install -y llvm-toolset-7

# needed to compile openssl
yum install -y perl-IPC-Cmd
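Review bot: the `# needed to compile openssl` comment should say which part of the build needs it, since the package looks unrelated at first glance. OpenSSL 3's `Configure` script imports the `IPC::Cmd` Perl module, which CentOS 7 ships as the separate `perl-IPC-Cmd` package rather than as part of base Perl, so the 1.1.1 to 3.x bump is exactly what introduces the dependency. A comment such as `# OpenSSL 3's Configure requires the IPC::Cmd perl module (not in base perl on CentOS 7)` answers the question raised in review without a trip through git blame.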
Member:
💭 thought: this is an odd new dependency 🤔

Contributor @dsmith3197, Aug 9, 2023:
Indeed it is; it's required to compile openssl, though. I can add a comment to explain.


37 changes: 35 additions & 2 deletions src/app.rs
@@ -8,6 +8,7 @@ use futures::StreamExt;
#[cfg(feature = "enterprise")]
use futures_util::future::BoxFuture;
use once_cell::race::OnceNonZeroUsize;
use openssl::provider::Provider;
use tokio::{
runtime::{self, Runtime},
sync::mpsc,
@@ -61,6 +62,7 @@ pub struct Application {
pub require_healthy: Option<bool>,
pub config: ApplicationConfig,
pub signals: SignalPair,
pub openssl_legacy_provider: Option<Provider>,
}

impl ApplicationConfig {
@@ -186,6 +188,12 @@ impl Application {
opts.root.internal_log_rate_limit,
);

let openssl_legacy_provider = opts
.root
.openssl_legacy_provider
.then(load_openssl_legacy_provider)
.flatten();

let runtime = build_runtime(opts.root.threads, "vector-worker")?;

// Signal handler for OS and provider messages.
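Review bot: in the `openssl_legacy_provider` block, `.then(load_openssl_legacy_provider).flatten()` turns a load failure into `None` and carries on, so an operator who relies on the legacy provider for a PKCS#12 certificate only finds out later, when a TLS source or sink fails to read its key store, with the real cause buried in an earlier `error!` line. Because the flag defaults to `true` (see `src/cli.rs`), this is the path most deployments take. The function already returns a `Result` (the `?` on `build_runtime` two lines down), so consider failing startup when the provider was requested and cannot be loaded, or at minimum make the failure log name the flag so the two events can be connected in the logs.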
@@ -206,6 +214,7 @@ impl Application {
require_healthy: opts.root.require_healthy,
config,
signals,
openssl_legacy_provider,
},
))
}
@@ -222,6 +231,7 @@ impl Application {
require_healthy,
config,
signals,
openssl_legacy_provider,
} = self;

let topology_controller = SharedTopologyController::new(TopologyController {
@@ -239,6 +249,7 @@ impl Application {
graceful_crash_receiver: config.graceful_crash_receiver,
signals,
topology_controller,
openssl_legacy_provider,
})
}
}
@@ -248,6 +259,7 @@ pub struct StartedApplication {
pub graceful_crash_receiver: mpsc::UnboundedReceiver<()>,
pub signals: SignalPair,
pub topology_controller: SharedTopologyController,
pub openssl_legacy_provider: Option<Provider>,
}

impl StartedApplication {
@@ -261,6 +273,7 @@ impl StartedApplication {
graceful_crash_receiver,
signals,
topology_controller,
openssl_legacy_provider,
} = self;

let mut graceful_crash = UnboundedReceiverStream::new(graceful_crash_receiver);
@@ -315,6 +328,7 @@ impl StartedApplication {
signal,
signal_rx,
topology_controller,
openssl_legacy_provider,
}
}
}
@@ -323,6 +337,7 @@ pub struct FinishedApplication {
pub signal: SignalTo,
pub signal_rx: SignalRx,
pub topology_controller: SharedTopologyController,
pub openssl_legacy_provider: Option<Provider>,
}

impl FinishedApplication {
@@ -331,6 +346,7 @@ impl FinishedApplication {
signal,
mut signal_rx,
topology_controller,
openssl_legacy_provider,
} = self;

// At this point, we'll have the only reference to the shared topology controller and can
@@ -340,7 +356,7 @@ impl FinishedApplication {
.expect("fail to unwrap topology controller")
.into_inner();

match signal {
let status = match signal {
SignalTo::Shutdown => {
emit!(VectorStopped);
tokio::select! {
@@ -382,7 +398,9 @@ impl FinishedApplication {
})
}
_ => unreachable!(),
}
};
drop(openssl_legacy_provider);
status
}
}

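Review bot: the explicit `drop(openssl_legacy_provider)` before `status` is returned needs a comment, because on its own it reads as noise: the binding would be dropped at the closing brace anyway, after `status` has been computed, so the line changes nothing observable. What it does do is make the intended order visible (the provider, and with it the legacy algorithms, is unloaded only after the `match signal` arms have finished shutting the topology down, so in-flight TLS connections keep their algorithms until the end) and silence the unused-variable warning that destructuring `openssl_legacy_provider` out of `self` would otherwise produce. Say both in a one-line comment, and note that this is why the previous hunk rewrote the `match` into `let status = match signal { ... };` so that the unload can sit between shutdown and return.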
@@ -525,3 +543,18 @@ pub fn init_logging(color: bool, format: LogFormat, log_level: &str, rate: u64)
);
info!(message = "Log level is enabled.", level = ?level);
}

/// Load the legacy OpenSSL provider.
///
/// The returned [Provider] must stay in scope for the entire lifetime of the application, as it
/// will be unloaded when it is dropped.
pub fn load_openssl_legacy_provider() -> Option<Provider> {
warn!(message = "DEPRECATED The openssl legacy provider provides algorithms and key sizes no longer recommended for use.");
Member:
Great, thanks! I'll plan to amend this in the v0.32.0 release branch to have a pointer to the upgrade guide I'm putting together there to provide users with more details about what this means and how to opt-in.

Contributor:
Sounds good, let me know if you need any help with the upgrade guide.

Provider::try_load(None, "legacy", true)
.map(|provider| {
info!(message = "Loaded openssl legacy provider.");
provider
})
.map_err(|error| error!(message = "Failed to load openssl legacy provider.", %error))
.ok()
}
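Review bot: the `warn!` in `load_openssl_legacy_provider` tells operators the provider is deprecated but not how to turn it off; with the flag defaulting to on, every Vector start will emit this warning, so the message should name the opt-out (the `VECTOR_OPENSSL_LEGACY_PROVIDER` env var and `--openssl-legacy-provider` flag from `src/cli.rs`) and not only the fact. Two more points on the same function. The third argument to `Provider::try_load(None, "legacy", true)` is `retain_fallbacks`; `true` keeps OpenSSL's automatic loading of the default provider in place alongside `legacy`, and a short comment on that would prevent a well-meaning change to `false` from silently removing the default algorithms. And the doc comment's lifetime requirement (drop means unload) is exactly why the value is threaded through `Application`, `StartedApplication` and `FinishedApplication`; a sentence pointing at that from the doc comment makes the plumbing self-explaining.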
4 changes: 4 additions & 0 deletions src/cli.rs
@@ -194,6 +194,10 @@ pub struct RootOpts {
default_value = "5000"
)]
pub allocation_tracing_reporting_interval_ms: u64,

/// Load the OpenSSL legacy provider.
#[arg(long, env = "VECTOR_OPENSSL_LEGACY_PROVIDER", default_value = "true")]
pub openssl_legacy_provider: bool,
}

impl RootOpts {
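Review bot: `openssl_legacy_provider: bool` with `default_value = "true"` needs a check that it can actually be disabled from the command line. For a plain `bool` field clap's derive infers `ArgAction::SetTrue`, and a set-true flag that already defaults to true has no spelling that sets it to false (repeating `--openssl-legacy-provider` is a no-op). If that is what is generated here, the only opt-out is `VECTOR_OPENSSL_LEGACY_PROVIDER=false` through the env var, which clap's bool value parser does accept, and the `///` comment should say so since that text becomes the `--help` output. If a command-line opt-out is intended, use `action = ArgAction::Set` with `num_args(0..=1)` and `default_missing_value = "true"` so that `--openssl-legacy-provider=false` is accepted, and document both the default and the opt-out in the same doc comment.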