
OpenSSL version in Windows runners

Open aantron opened this issue 1 year ago • 5 comments

Building on windows-latest, installing package ssl 0.7.0 as a dependency results in

# ssl_stubs.c:311:32: error: 'SSL_OP_NO_TLSv1_3' undeclared here (not in a function); did you mean 'SSL_OP_NO_TLSv1_1'?
#   311 |                                SSL_OP_NO_TLSv1_3};
#       |                                ^~~~~~~~~~~~~~~~~
#       |                                SSL_OP_NO_TLSv1_1
# ssl_stubs.c: In function 'get_method':
# ssl_stubs.c:319:14: warning: implicit declaration of function 'TLS_client_method'; did you mean 'DTLS_client_method'? [-Wimplicit-function-declaration]
#   319 |     method = TLS_client_method();
#       |              ^~~~~~~~~~~~~~~~~
#       |              DTLS_client_method
# ssl_stubs.c:319:12: warning: assignment to 'const SSL_METHOD *' {aka 'const struct ssl_method_st *'} from 'int' makes pointer from integer without a cast [-Wint-conversion]
#   319 |     method = TLS_client_method();
#       |            ^
# ssl_stubs.c:323:14: warning: implicit declaration of function 'TLS_server_method'; did you mean 'DTLS_server_method'? [-Wimplicit-function-declaration]
#   323 |     method = TLS_server_method();
#       |              ^~~~~~~~~~~~~~~~~
#       |              DTLS_server_method
# ssl_stubs.c:323:12: warning: assignment to 'const SSL_METHOD *' {aka 'const struct ssl_method_st *'} from 'int' makes pointer from integer without a cast [-Wint-conversion]
#   323 |     method = TLS_server_method();
#       |            ^
# ssl_stubs.c:327:14: warning: implicit declaration of function 'TLS_method'; did you mean 'DTLS_method'? [-Wimplicit-function-declaration]
#   327 |     method = TLS_method();
#       |              ^~~~~~~~~~
#       |              DTLS_method
# ssl_stubs.c:327:12: warning: assignment to 'const SSL_METHOD *' {aka 'const struct ssl_method_st *'} from 'int' makes pointer from integer without a cast [-Wint-conversion]
#   327 |     method = TLS_method();
#       |            ^
# ssl_stubs.c: In function 'ocaml_ssl_version_of_tls_version':
# ssl_stubs.c:358:8: error: 'TLS1_3_VERSION' undeclared (first use in this function); did you mean 'TLS1_2_VERSION'?
#   358 |   case TLS1_3_VERSION:
#       |        ^~~~~~~~~~~~~~
#       |        TLS1_2_VERSION
# ssl_stubs.c:358:8: note: each undeclared identifier is reported only once for each function it appears in
# ssl_stubs.c: In function 'tls_version_of_ocaml_ssl_version':
# ssl_stubs.c:391:11: error: 'TLS1_3_VERSION' undeclared (first use in this function); did you mean 'TLS1_2_VERSION'?
#   391 |     ret = TLS1_3_VERSION;
#       |           ^~~~~~~~~~~~~~
#       |           TLS1_2_VERSION
# ssl_stubs.c: In function 'ocaml_ssl_ctx_set_min_proto_version':
# ssl_stubs.c:413:8: warning: implicit declaration of function 'SSL_CTX_set_min_proto_version'; did you mean 'ocaml_ssl_ctx_set_min_proto_version'? [-Wimplicit-function-declaration]
#   413 |   if (!SSL_CTX_set_min_proto_version(ssl_context, ssl_protocol)) {
#       |        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#       |        ocaml_ssl_ctx_set_min_proto_version
# ssl_stubs.c: In function 'ocaml_ssl_ctx_get_min_proto_version':
# ssl_stubs.c:425:21: warning: implicit declaration of function 'SSL_CTX_get_min_proto_version'; did you mean 'ocaml_ssl_ctx_get_min_proto_version'? [-Wimplicit-function-declaration]
#   425 |   int tls_version = SSL_CTX_get_min_proto_version(ssl_context);
#       |                     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#       |                     ocaml_ssl_ctx_get_min_proto_version
# ssl_stubs.c: In function 'ocaml_ssl_ctx_set_max_proto_version':
# ssl_stubs.c:453:8: warning: implicit declaration of function 'SSL_CTX_set_max_proto_version'; did you mean 'ocaml_ssl_ctx_set_max_proto_version'? [-Wimplicit-function-declaration]
#   453 |   if (!SSL_CTX_set_max_proto_version(ssl_context, ssl_protocol)) {
#       |        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#       |        ocaml_ssl_ctx_set_max_proto_version
# ssl_stubs.c: In function 'ocaml_ssl_ctx_get_max_proto_version':
# ssl_stubs.c:465:21: warning: implicit declaration of function 'SSL_CTX_get_max_proto_version'; did you mean 'ocaml_ssl_ctx_get_max_proto_version'? [-Wimplicit-function-declaration]
#   465 |   int tls_version = SSL_CTX_get_max_proto_version(ssl_context);
#       |                     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#       |                     ocaml_ssl_ctx_get_max_proto_version
# ssl_stubs.c: In function 'set_protocol':
# ssl_stubs.c:485:19: error: 'TLS1_3_VERSION' undeclared (first use in this function); did you mean 'TLS1_2_VERSION'?
#   485 |   int max_proto = TLS1_3_VERSION;
#       |                   ^~~~~~~~~~~~~~
#       |                   TLS1_2_VERSION

We encountered this during https://github.com/aantron/dream/pull/337. I've opened https://github.com/savonet/ocaml-ssl/issues/155 and https://github.com/savonet/ocaml-ssl/issues/156 to try to observe it from the ssl repo. It appears that an old version of libssl is being used, pre-1.1.1. Do you know where the libssl that is being linked with is coming from? Is this something that should be addressed by setup-ocaml?

aantron avatar Sep 03 '24 15:09 aantron
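
One way to read a version bound out of a build log like the one in the post above, shown as an added example that is not part of the original issue or of the ocaml-ssl or setup-ocaml code. The symbol-to-release table follows OpenSSL's documented API history, and the function names are this example's own.

```python
import re

# OpenSSL release that first shipped each identifier in its public headers.
# Assumption of this example: table follows OpenSSL's documented API history.
INTRODUCED_IN = {
    "TLS_method": (1, 1, 0),
    "TLS_client_method": (1, 1, 0),
    "TLS_server_method": (1, 1, 0),
    "SSL_CTX_set_min_proto_version": (1, 1, 0),
    "SSL_CTX_set_max_proto_version": (1, 1, 0),
    "SSL_CTX_get_min_proto_version": (1, 1, 1),
    "SSL_CTX_get_max_proto_version": (1, 1, 1),
    "SSL_OP_NO_TLSv1_3": (1, 1, 1),
    "TLS1_3_VERSION": (1, 1, 1),
}

# GCC reports a missing macro as "undeclared" and a missing function as an
# "implicit declaration"; the "did you mean" suggestion is never captured.
MISSING = re.compile(
    r"error: '(\w+)' undeclared|implicit declaration of function '(\w+)'"
)

# Four lines excerpted from the build log quoted in the issue.
SAMPLE_LOG = """\
# ssl_stubs.c:311:32: error: 'SSL_OP_NO_TLSv1_3' undeclared here (not in a function); did you mean 'SSL_OP_NO_TLSv1_1'?
# ssl_stubs.c:319:14: warning: implicit declaration of function 'TLS_client_method'; did you mean 'DTLS_client_method'? [-Wimplicit-function-declaration]
# ssl_stubs.c:425:21: warning: implicit declaration of function 'SSL_CTX_get_min_proto_version'; did you mean 'ocaml_ssl_ctx_get_min_proto_version'? [-Wimplicit-function-declaration]
# ssl_stubs.c:485:19: error: 'TLS1_3_VERSION' undeclared (first use in this function); did you mean 'TLS1_2_VERSION'?
"""


def missing_openssl_symbols(log_text):
    """Known OpenSSL identifiers that the compiler could not find."""
    names = (m.group(1) or m.group(2) for m in MISSING.finditer(log_text))
    return {n for n in names if n in INTRODUCED_IN}


def version_bounds(log_text):
    """(headers predate this release, build needs at least this release)."""
    versions = [INTRODUCED_IN[n] for n in missing_openssl_symbols(log_text)]
    return (min(versions), max(versions)) if versions else None


if __name__ == "__main__":
    older_than, needs = version_bounds(SAMPLE_LOG)
    dotted = lambda v: ".".join(map(str, v))
    print(f"installed headers predate OpenSSL {dotted(older_than)}")
    print(f"ssl_stubs.c needs OpenSSL >= {dotted(needs)}")
```

On the excerpt this reports headers older than 1.1.0, because `TLS_client_method` is missing as well as the TLS 1.3 constants, while the stubs need at least 1.1.1.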

We've reproduced this in the ocaml-ssl repo with @anmonteiro in https://github.com/savonet/ocaml-ssl/pull/156, with the log here. Could you comment on what is needed to link against a modern libssl in the Windows runners with setup-ocaml, as this would be needed for testing any relatively serious networked application in GitHub Actions, not just in Dream?

aantron avatar Sep 05 '24 13:09 aantron

It seems GitHub Actions are stuck with a very old version of OpenSSL: actions/runner-images#6830

vouillon avatar Sep 21 '24 13:09 vouillon

Is setup-ocaml linking against some OpenSSL installed by Cygwin, or some kind of more "native" OpenSSL on Windows?

aantron avatar Sep 23 '24 10:09 aantron

Rather than setup-ocaml, opam is linking against the OpenSSL installed by Cygwin. It should be more of an issue on the savonet/ocaml-ssl side, and should work if proper support is added. CC: @dra27

smorimoto avatar Oct 04 '24 12:10 smorimoto

This would seem to be an issue with which OpenSSL is installed by Cygwin, in that case, and what conf-libssl is doing.

aantron avatar Oct 04 '24 19:10 aantron

It is using a mingw build of OpenSSL (from mingw64-x86_64-openssl) but the “stable” version is very out of date.

setup-ocaml could mitigate this if either a mechanism to specify additional Cygwin packages as an input is added or, cheekily, if mingw64-x86_64-openssl=1.1.1w-0.1 is added to https://github.com/ocaml/setup-ocaml/blob/master/packages/setup-ocaml/src/windows.ts#L91.

It has to be OpenSSL 1.1.1w as there seems to be a packaging error in the 3.x packages (but that’s enough for the OCaml ssl package). I’ve asked the maintainer to mark the 1.1.1 package as stable and hopefully fix the 3.x package (see here).

dra27 avatar Oct 27 '24 11:10 dra27

Can't we just update our depext to a specific version meanwhile?

smorimoto avatar Nov 09 '24 19:11 smorimoto

Yes - by installing both mingw64-x86_64-openssl=1.1.1w-0.1 and mingw64-i686-openssl=1.1.1w-0.1 in windows.ts (as above)

dra27 avatar Nov 11 '24 10:11 dra27