Switched from libressl to openssl #8218

merged 28 commits into from Dec 15, 2019

alexey-milovidov
Member

Changelog category (leave one):

  • Build/Testing/Packaging Improvement

Changelog entry (up to few sentences, required except for Non-significant/Documentation categories):
Switched from libressl to openssl. ClickHouse should support TLS 1.3 and SNI after this change. This fixes #8171.

@alexey-milovidov
Member Author

Still have some trouble with both the old and the new version:

libressl:

~/ClickHouse/build_gcc9$ /usr/bin/clickhouse local --query="SELECT * FROM url('https://danluu.com/', TSV, 's String')"
SSL Exception: error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure

openssl:

~/ClickHouse/build_gcc9$ dbms/programs/clickhouse local --query="SELECT * FROM url('https://danluu.com/', TSV, 's String')"
SSL Exception: error:14000410:SSL routines::sslv3 alert handshake failure

@alexey-milovidov alexey-milovidov added the pr-build Pull request with build/testing/packaging improvement label Dec 14, 2019
@alexey-milovidov
Member Author

Now OpenSSL works with AArch64 build:

milovidov@example:~/ClickHouse/build_output_folder$ docker run --network=host --rm -it -v/home/milovidov/ClickHouse/build_output_folder:/build multiarch/ubuntu-core:arm64-bionic /bin/bash
root@example:/# /build/clickhouse local --query "SELECT * FROM url('https://ya.ru/', TSV, 'x String');"

WARNING: Certificate verification failed
----------------------------------------
Issuer Name:  /C=PL/O=Unizeto Sp. z o.o./CN=Certum CA
Subject Name: /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA

The certificate yielded the error: unable to get local issuer certificate

The error occurred in the certificate chain at position 2
Accept the certificate (y,n)? y
<!DOCTYPE html><html ...

@alexey-milovidov alexey-milovidov merged commit 5269216 into master Dec 15, 2019
@alexey-milovidov
Member Author

ASM version of SHA256 is not compatible with query profiler (unwinder):

Thread 82 "ParalInputsProc" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffe0eb7c700 (LWP 984386)]
libunwind::DwarfInstructions<libunwind::LocalAddressSpace, libunwind::Registers_x86_64>::evaluateExpression (expression=0, addressSpace=..., registers=..., initialStackValue=initialStackValue@entry=0) at ../contrib/libunwind/src/DwarfInstructions.hpp:275
275       pint_t length = (pint_t)addressSpace.getULEB128(p, expressionEnd);
(gdb) bt
#0  libunwind::DwarfInstructions<libunwind::LocalAddressSpace, libunwind::Registers_x86_64>::evaluateExpression (expression=0, addressSpace=..., registers=..., initialStackValue=initialStackValue@entry=0) at ../contrib/libunwind/src/DwarfInstructions.hpp:275
#1  0x000000000f34d800 in libunwind::DwarfInstructions<libunwind::LocalAddressSpace, libunwind::Registers_x86_64>::getCFA (registers=..., prolog=..., addressSpace=...) at ../contrib/libunwind/src/DwarfInstructions.hpp:65
#2  libunwind::DwarfInstructions<libunwind::LocalAddressSpace, libunwind::Registers_x86_64>::stepWithDwarf (addressSpace=..., pc=248681801, fdeStart=fdeStart@entry=140906008, registers=...) at ../contrib/libunwind/src/DwarfInstructions.hpp:170
#3  0x000000000f345766 in libunwind::UnwindCursor<libunwind::LocalAddressSpace, libunwind::Registers_x86_64>::stepWithDwarfFDE (this=0x7ffe0eb75700) at ../contrib/libunwind/src/Registers.hpp:343
#4  libunwind::UnwindCursor<libunwind::LocalAddressSpace, libunwind::Registers_x86_64>::step (this=0x7ffe0eb75700) at ../contrib/libunwind/src/UnwindCursor.hpp:1987
#5  libunwind::UnwindCursor<libunwind::LocalAddressSpace, libunwind::Registers_x86_64>::step (this=0x7ffe0eb75700) at ../contrib/libunwind/src/UnwindCursor.hpp:1975
#6  __unw_step (cursor=0x7ffe0eb75700) at ../contrib/libunwind/src/libunwind.cpp:161
#7  0x000000000f345904 in unw_backtrace (buffer=buffer@entry=0x7ffe0eb75900, size=size@entry=32) at ../contrib/libunwind/src/libunwind.cpp:297
#8  0x0000000008b2a8f0 in StackTrace::tryCapture (this=0x7ffe0eb758f0) at /usr/local/include/c++/9.1.0/array:234
#9  StackTrace::StackTrace (this=0x7ffe0eb758f0, signal_context=...) at ../dbms/src/Common/StackTrace.cpp:196
#10 0x0000000008b3f5c5 in DB::(anonymous namespace)::writeTraceInfo (timer_type=<optimized out>, info=<optimized out>, context=0x7ffe0eb76300) at ../dbms/src/Common/QueryProfiler.cpp:76
#11 <signal handler called>
#12 sha256_block_data_order_ssse3 () at contrib/openssl/crypto/sha/sha256-x86_64.s:1988
#13 0x000000000ec79e70 in SHA256_Final (
    md=0x7ffdfa6b0dd0 "\343\260\304B\230\374\034\024\232\373\364șo\271$'\256A\344d\233\223L\244\225\231\033xR\270U\343\260\304B\230\374\034\024\232\373\364șo\271$'\256A\344d\233\223L\244\225\231\033xR\270U\343\260\304B\230\374\034\024\232\373\364șo\271$'\256A\344d\233\223L\244\225\231\033xR\270U\343\260\304B\230\374\034\024\232\373\364șo\271$'\256A\344d\233\223L\244\225\231\033xR\270U\343\260\304B\230\374\034\024\232\373\364șo\271$'\256A\344d\233\223L\244\225\231\033xR\270U\343\260\304B\230\374\034\024\232\373\364șo\271$'\256A\344d\233\223L\244\225\231\033xR\270U\343\260\304B\230\374\034\024"..., c=0x7ffe0eb769a0) at ../contrib/openssl/include/crypto/md32_common.h:215
#14 0x0000000008f7ad74 in DB::FunctionStringHashFixedString<DB::SHA256Impl>::executeImpl(DB::Block&, std::vector<unsigned long, std::allocator<unsigned long> > const&, unsigned long, unsigned long) ()
#15 0x0000000008d450b3 in DB::ExecutableFunctionAdaptor::execute(DB::Block&, std::vector<unsigned long, std::allocator<unsigned long> > const&, unsigned long, unsigned long, bool) ()
#16 0x000000000c34102e in DB::ExpressionAction::execute (this=this@entry=0x7ffe25fa7040, block=..., dry_run=dry_run@entry=false) at /usr/local/include/c++/9.1.0/bits/shared_ptr_base.h:1020
#17 0x000000000c3425b5 in DB::ExpressionActions::execute (this=0x7ffe25fb5010, block=..., dry_run=dry_run@entry=false) at ../dbms/src/Interpreters/ExpressionActions.cpp:760
#18 0x000000000c4f9770 in DB::FilterBlockInputStream::readImpl (this=0x7ffe25f94210) at /usr/local/include/c++/9.1.0/bits/shared_ptr_base.h:1020
#19 0x000000000c1939cf in DB::IBlockInputStream::read (this=0x7ffe25f94210) at ../dbms/src/DataStreams/IBlockInputStream.cpp:61
#20 0x000000000c4fbf77 in DB::ExpressionBlockInputStream::readImpl (this=0x7ffe25ff2210) at /usr/local/include/c++/9.1.0/bits/shared_ptr_base.h:1020
#21 0x000000000c1939cf in DB::IBlockInputStream::read (this=0x7ffe25ff2210) at ../dbms/src/DataStreams/IBlockInputStream.cpp:61
#22 0x000000000c55130e in DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>::loop (thread_num=<optimized out>, this=<optimized out>) at /usr/local/include/c++/9.1.0/bits/shared_ptr_base.h:1020
#23 DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>::thread (this=0x7ffe25ff4680, thread_group=..., thread_num=12) at ../dbms/src/DataStreams/ParallelInputsProcessor.h:208
#24 0x000000000c551d5b in std::__invoke_impl<void, void (DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>::* const&)(std::shared_ptr<DB::ThreadGroupStatus>, unsigned long), DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>* const&, std::shared_ptr<DB::ThreadGroupStatus> const&, unsigned long const&> (__t=@0x7ffe0b400038: 0x7ffe25ff4680, __f=
    @0x7ffe0b400010: (void (DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>::*)(DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler> * const, std::shared_ptr<DB::ThreadGroupStatus>, unsigned long)) 0xc550fa0 <DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>::thread(std::shared_ptr<DB::ThreadGroupStatus>, unsigned long)>) at /usr/local/include/c++/9.1.0/ext/atomicity.h:96
#25 std::__invoke<void (DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>::* const&)(std::shared_ptr<DB::ThreadGroupStatus>, unsigned long), DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>* const&, std::shared_ptr<DB::ThreadGroupStatus> const&, unsigned long const&> (__fn=
    @0x7ffe0b400010: (void (DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>::*)(DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler> * const, std::shared_ptr<DB::ThreadGroupStatus>, unsigned long)) 0xc550fa0 <DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>::thread(std::shared_ptr<DB::ThreadGroupStatus>, unsigned long)>) at /usr/local/include/c++/9.1.0/bits/invoke.h:95
#26 std::__apply_impl<void (DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>::* const&)(std::shared_ptr<DB::ThreadGroupStatus>, unsigned long), std::tuple<DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>*, std::shared_ptr<DB::ThreadGroupStatus>, unsigned long> const&, 0ul, 1ul, 2ul> (__t=..., __f=
    @0x7ffe0b400010: (void (DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>::*)(DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler> * const, std::shared_ptr<DB::ThreadGroupStatus>, unsigned long)) 0xc550fa0 <DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>::thread(std::shared_ptr<DB::ThreadGroupStatus>, unsigned long)>) at /usr/local/include/c++/9.1.0/tuple:1684
#27 std::apply<void (DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>::* const&)(std::shared_ptr<DB::ThreadGroupStatus>, unsigned long), std::tuple<DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>*, std::shared_ptr<DB::ThreadGroupStatus>, unsigned long> const&> (__t=..., __f=
    @0x7ffe0b400010: (void (DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>::*)(DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler> * const, std::shared_ptr<DB::ThreadGroupStatus>, unsigned long)) 0xc550fa0 <DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>::thread(std::shared_ptr<DB::ThreadGroupStatus>, unsigned long)>) at /usr/local/include/c++/9.1.0/tuple:1694
#28 ThreadFromGlobalPool::ThreadFromGlobalPool<void (DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>::*)(std::shared_ptr<DB::ThreadGroupStatus>, unsigned long), DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>*, std::shared_ptr<DB::ThreadGroupStatus>, unsigned long&>(void (DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>::*&&)(std::shared_ptr<DB::ThreadGroupStatus>, unsigned long), DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>*&&, std::shared_ptr<DB::ThreadGroupStatus>&&, unsigned long&)::{lambda()#1}::operator()() const (this=0x7ffe0b400000) at ../dbms/src/Common/ThreadPool.h:156
#29 0x0000000008b4db65 in std::function<void ()>::operator()() const (this=0x7ffe0eb775e0) at /usr/local/include/c++/9.1.0/bits/std_function.h:685
#30 ThreadPoolImpl<std::thread>::worker (this=0xf6d0840 <GlobalThreadPool::instance()::ret>, thread_it=...) at ../dbms/src/Common/ThreadPool.cpp:221
#31 0x000000000f316550 in execute_native_thread_routine () at ../../../../../gcc-9.1.0/libstdc++-v3/src/c++11/thread.cc:80
#32 0x00007ffff79b56db in start_thread (arg=0x7ffe0eb7c700) at pthread_create.c:463
#33 0x00007ffff72d288f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

@alexey-milovidov
Member Author

The issue is caused by a wrong "CFA expression".
Something around line 809 in crypto/sha/asm/sha512-x86_64.pl.

I have disabled the ASM version of SHA256.
An alternative solution is to remove all .cfi_* directives from the assembly source code (btw, libressl doesn't have them at all). The cost is that stack traces will end on that function.
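
The alternative described in this comment, removing every `.cfi_*` directive from an assembly file, as an added example (not code from the PR or from OpenSSL). It also counts, per symbol, the `.cfi_escape` directives that start with the DWARF opcode DW_CFA_def_cfa_expression (0x0f); that CFA expressions reach the assembler in this form is an assumption, and the sample assembly with its `hash_block` symbol is constructed.

```python
import re

# DWARF call-frame opcode: the CFA is given by an expression that the
# unwinder has to evaluate at run time.
DW_CFA_DEF_CFA_EXPRESSION = 0x0F

LABEL = re.compile(r"^([A-Za-z_.$][\w.$]*):")
CFI = re.compile(r"^\s*\.cfi_(\w+)\s*(.*)$")

def strip_cfi(asm_text):
    """Drop every .cfi_* line; return (cleaned text, per-symbol report)."""
    kept, report, symbol = [], {}, None
    for line in asm_text.splitlines():
        label = LABEL.match(line)
        if label and not label.group(1).startswith(".L"):
            symbol = label.group(1)          # global label, not a local .L one
        cfi = CFI.match(line)
        if cfi is None:
            kept.append(line)
            continue
        entry = report.setdefault(symbol, {"removed": 0, "cfa_expressions": 0})
        entry["removed"] += 1
        if cfi.group(1) == "escape":
            try:
                first = int(cfi.group(2).split(",")[0].strip(), 0)
            except ValueError:
                first = None                 # operand is not a plain number
            if first == DW_CFA_DEF_CFA_EXPRESSION:
                entry["cfa_expressions"] += 1
    # Without CFI the unwinder has no frame description for these symbols,
    # so stack traces end there instead of stepping through them.
    return "\n".join(kept) + "\n", report

# Constructed sample, not taken from OpenSSL's generated assembly.
SAMPLE = """\
    .globl  hash_block
hash_block:
    .cfi_startproc
    pushq   %rbx
    .cfi_adjust_cfa_offset 8
    .cfi_offset %rbx,-16
    movq    %rsp,%rax
    .cfi_escape 0x0f,0x05,0x77,0x08,0x06,0x23,0x08
.Lloop:
    subq    $1,%rdi
    jnz     .Lloop
    ret
    .cfi_endproc
"""
```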

@filimonov
Contributor

filimonov commented Jan 29, 2020

TLSv1.3

SNI

  • openssl 0.9.8f (released 11 Oct 2007) – not compiled in by default, can be compiled in with config option ‘–enable-tlsext’.
  • openssl 0.9.8j (released 07 Jan 2009) – compiled in by default

[source]
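
An added example, not part of the PR or of ClickHouse: one way to confirm that a client build offers the two features this thread is about is to parse its ClientHello for the `server_name` extension (SNI) and for TLS 1.3 (0x0304) in `supported_versions`. The hello here is produced locally by Python's `ssl` module through memory BIOs as a stand-in for a capture from the client under test; `example.test` and both function names are constructed for the illustration.

```python
import ssl
import struct

def make_client_hello(hostname, max_version=None):
    """First flight a Python/OpenSSL client would send; nothing touches the network."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if hostname is None:
        ctx.check_hostname = False      # only so a hello without SNI can be produced
    if max_version is not None:
        ctx.maximum_version = max_version
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                            # expected: no server is answering
    return outgoing.read()

def inspect_client_hello(record):
    """Return (sni or None, offered supported_versions) from one TLS record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]              # session_id
    pos += 2 + struct.unpack_from(">H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]              # compression_methods
    sni, versions = None, []
    if pos + 2 > len(record):
        return sni, versions            # hello without any extensions
    end = pos + 2 + struct.unpack_from(">H", record, pos)[0]
    pos += 2
    while pos + 4 <= min(end, len(record)):
        ext_type, ext_len = struct.unpack_from(">HH", record, pos)
        body = record[pos + 4 : pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == 0 and len(body) >= 5 and body[2] == 0:   # server_name / host_name
            name_len = struct.unpack_from(">H", body, 3)[0]
            sni = body[5 : 5 + name_len].decode("ascii")
        elif ext_type == 43 and body:                             # supported_versions
            versions = [struct.unpack_from(">H", body, i)[0]
                        for i in range(1, body[0], 2)]
    return sni, versions

if __name__ == "__main__":
    sni, versions = inspect_client_hello(make_client_hello("example.test"))
    print("SNI:", sni, "| offers TLS 1.3:", 0x0304 in versions)
```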

Successfully merging this pull request may close these issues.

TLS 1.3 and LibreSSL