librdkafka icon indicating copy to clipboard operation
librdkafka copied to clipboard

Published 20 hours ago verified publisher icon confluentinc

ssl: support libssls with no ENGINE implementation

Open chrisnovakovic opened this issue 3 years ago • 16 comments

OpenSSL can be built without ENGINE support, and some libssl-compatible forks (e.g. BoringSSL) don't contain any ENGINE implementation at all - guard all references to the ENGINE API using OPENSSL_NO_ENGINE so these libssls can be used with librdkafka.

chrisnovakovic avatar Sep 08 '21 16:09 chrisnovakovic

Please rebase this on latest master, and verify that it builds correctly with LibreSSL.

Thanks!

edenhill avatar Apr 26 '22 08:04 edenhill

While rebasing on master, I also refactored the changes to src/rdkafka_ssl.c - now there's an OPENSSL_HAS_ENGINE macro that eliminates the need to repeat the conditional every time.

The following table lists the result of the 0124_openssl_invalid_engine test with various libssls before and after applying this PR:

libssl master #3535
OpenSSL 1.0.2u SKIPPED SKIPPED
OpenSSL 1.1.1m with ENGINE PASSED PASSED
OpenSSL 1.1.1m without ENGINE Build failure SKIPPED
LibreSSL 3.3.4 SKIPPED PASSED

SKIPPED indicates that the test was skipped with the reason Configuration property "ssl.engine.location" not supported in this build: OpenSSL with ENGINE support not available at build time.

Note that the test isn't skipped on LibreSSL any more - LibreSSL 3.3 does contain an ENGINE component, and it should probably be used if enabled (e.g. so it can make use of AES-NI).

chrisnovakovic avatar Apr 27 '22 23:04 chrisnovakovic

Some style-fixes still needed (run make style-fix)

edenhill avatar Apr 28 '22 12:04 edenhill

Unfortunately it seems that clang-format bounces between

        .unsupported = "OpenSSL with ENGINE support not available at build "   \
                       "time"

and

        .unsupported =                                                         \
            "OpenSSL with ENGINE support not available at build "              \
            "time"

as recommendations - using one always causes it to suggest the other. There's no way that's not a bug in clang-format, but I'll just reword that string so it fits on a single line.

chrisnovakovic avatar Apr 28 '22 22:04 chrisnovakovic

Tried to get clever by using a string that was unambiguously over the 80-column limit, but clang-format wasn't having any of that either. Reverted to a shorter, single-line message and it looks like we're there now. Sorry for all the noise!

chrisnovakovic avatar Apr 28 '22 22:04 chrisnovakovic

Thanks for all your work on this @chrisnovakovic!

We're a bit too close to the 1.9.0 release to merge this, but we'll make sure to include it in a 1.9.1 release (scheduled for June).

edenhill avatar May 03 '22 07:05 edenhill

Rebased on master and edited to account for the changes made to accommodate OpenSSL 3.0 - #4026 defines WITH_SSL_ENGINE (making most of this PR redundant), but it doesn't consider the value of OPENSSL_NO_ENGINE when defining WITH_SSL_ENGINE, so librdkafka still fails to link to libssls that don't have ENGINE support due to missing symbols.

chrisnovakovic avatar Jan 28 '23 23:01 chrisnovakovic

We need this change as well in order to build librdkafka.

martirosyanH avatar Jul 31 '23 13:07 martirosyanH

CLA assistant check
All committers have signed the CLA.

cla-assistant[bot] avatar Aug 21 '23 15:08 cla-assistant[bot]