Update OpenSSL #8956
Can we downgrade to 1.1.1 stable instead and wait for official 3.0.0 release (it's not even a beta yet)
First I will finish this PR to see what will change. Then we can consider downgrading.
Update of OpenSSL did not solve the TSan report: https://clickhouse-test-reports.s3.yandex.net/8956/b4d3ed83403033bdb293bd40f7f9055a6cf0d711/functional_stateless_tests_(thread)/stderr.log
Performance test Ok.
01017_uniqCombined_memory_usage
Update did not help.
The issue is fixed. No errors after
Cannot provide an automated test case. It does not quickly reproduce even if I run
in parallel.
Now I will try to replace it with version 1.1.1.
Update OpenSSL (cherry picked from commit 86a4cca)
Changelog category (leave one):
Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):
Update OpenSSL to upstream master. Fixed the issue when TLS connections may fail with the message `OpenSSL SSL_read: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error` and `SSL Exception: error:2400006E:random number generator::error retrieving entropy`. The issue was present in version 20.1.
Detailed description:
OpenSSL is using the `getrandom` method on newer kernels and `/dev/random` on old kernels. The function `getrandom` from `libc` is linked if it is present, and it compromises the portability of the built binary. If we just disable the `getrandom` method in configuration, OpenSSL will fall back to `/dev/random`, which is also considered Ok. But in fact, on newer Linux kernels, `/dev/random` cannot provide a sufficient amount of entropy (while `getrandom` is guaranteed to succeed). To fix this issue while maintaining portability, we refer to `getrandom` not at the static link stage but with dynamic symbol lookup (this method is also supported by OpenSSL). See the following patch: https://github.com/ClickHouse-Extras/openssl/pull/2/files
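The run-time lookup described above, as an added sketch that is not code from this PR or from the linked OpenSSL patch: `getrandom` is resolved with `dlsym` instead of being referenced at link time, with a device read as the fallback. The names `resolve_getrandom`, `fill_from_device` and `portable_random`, and the choice of `/dev/urandom` as the fallback device, are assumptions of this example.

```c
#include <dlfcn.h>
#include <errno.h>
#include <fcntl.h>
#include <sys/types.h>
#include <unistd.h>

/* Signature of libc's getrandom() wrapper. */
typedef ssize_t (*getrandom_fn)(void *buf, size_t len, unsigned int flags);

/* Run-time lookup: the binary has no link-time reference to getrandom, so it
 * still loads on a libc without it. (glibc older than 2.34 needs -ldl.) */
static getrandom_fn resolve_getrandom(void)
{
    union { void *p; getrandom_fn f; } sym = { NULL };
    void *self = dlopen(NULL, RTLD_NOW);  /* handle for the process's global scope */
    if (self != NULL) sym.p = dlsym(self, "getrandom");
    return sym.f;
}

/* Fallback: fill buf from a device node, retrying on EINTR and short reads. */
static int fill_from_device(const char *path, unsigned char *buf, size_t len)
{
    size_t done = 0;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    while (done < len) {
        ssize_t n = read(fd, buf + done, len - done);
        if (n > 0) done += (size_t)n;
        else if (n == 0 || errno != EINTR) break;
    }
    close(fd);
    return done == len ? 0 : -1;
}

/* Returns 1 if getrandom filled buf, 0 if the fallback device did (the device
 * path is this example's assumption), -1 on failure. */
int portable_random(unsigned char *buf, size_t len)
{
    getrandom_fn gr = resolve_getrandom();
    size_t done = 0;
    while (gr != NULL && done < len) {
        ssize_t n = gr(buf + done, len - done, 0);
        if (n > 0) { done += (size_t)n; continue; }
        if (n < 0 && errno == EINTR) continue;
        if (n < 0 && errno == ENOSYS) break;  /* wrapper present, syscall absent */
        return -1;
    }
    if (gr != NULL && done == len) return 1;
    return fill_from_device("/dev/urandom", buf, len);
}
```

The return value tells the caller which source was used, so a deployment can log when it is running on the fallback path.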