Use OpenSSL 3.0.x #95
Conversation
chrisburr
force-pushed
the
openssl-3
branch
3 times, most recently
from
fbc2d80
to
e6851f7
Compare
| @@ -53,7 +51,7 @@ specs: | |||
| - opensearch-dsl | |||
| # FIXME: We need to pin MySQL as 8.0.28 dropped support for TLS v1.0 and v1.1 | |||
| # In principle MySQL v5.7.10 supports TLSv1.2 but it wasn't enabled in LHCb at least | |||
| - mysql-client =8.0.27 | |||
| - mysql-client | |||
There was a problem hiding this comment.
As I'll probably forget by the time this is merged, this should be discussed at a BiLD (and the outdated comment should be removed).
construct.yaml
Outdated
| @@ -65,7 +63,6 @@ specs: | |||
| - gfal2-util >=1.7.1 | |||
| - fts3 >=3.12 | |||
| # Workaround for buggy 6.16.0 and 6.16.1 builds | |||
There was a problem hiding this comment.
| # Workaround for buggy 6.16.0 and 6.16.1 builds |
| @@ -53,7 +51,7 @@ specs: | |||
| - opensearch-dsl | |||
| # FIXME: We need to pin MySQL as 8.0.28 dropped support for TLS v1.0 and v1.1 | |||
| # In principle MySQL v5.7.10 supports TLSv1.2 but it wasn't enabled in LHCb at least | |||
| - mysql-client =8.0.27 | |||
There was a problem hiding this comment.
If you're running a databse older than MySQL v5.7.10+, MariaDB 5.5.41+ and MariaDB 10.0.15+ and using TLS this change will break. These releases are very old so hopefully everyone is updated 😉
|
@arrabito @andresailer @hmiyake @atsareg @marianne013 with this PR we will:
We need your "OK" before continuing. |
|
For our internal discussion in Belle2, what will be incompatible with v7r2 python3 client? |
Anything involving RPC or proxies (i.e. everything). The fix for it is DIRACGrid/DIRAC#6645. |
|
Thank you so much! I understand what will happen with coming DIRACOS2 releases... |
|
We are using in production rel 8.0.5 so it's fine for us wrt to break v7r2 python3 releases. The last point you mentioned is using TLS. How can I check that? Thank you. |
@arrabito If you connect with the mysql CLI and run You can also check which TLS versions the server is configured to allow using: |
@hmiyake Does this mean that it's okay for us to break v7r2 support from your perspective? Or would it be preferable to re-open DIRACGrid/DIRAC#6645? |
|
@chrisburr thank you. which seems to indicate that we don't use TSL, right? Even if I also get: Thank you. |
|
@chrisburr No, that was not final answer to your original question...just wanted to consider our solutions. I've informed this situation and possible scenario to my colleagues...could you wait a bit? At the latest we will answer during next week. If re-open of #6645 is one of the options, that's reassuring...of course it should be a kind of last resort...for example when severe security issue occurs in existing DIRACOS2... By the way, when is the earliest date do you switch to OpenSSL3? Just after all VOs agreed? |
|
@arrabito Yup, that looks all good so you shouldn't have any issues. Thanks for checking! 😄 |
As soon as possible. Since yesterday conda-forge is no longer building against OpenSSL 3 so we can't update any packages until we switch. |
|
I'm sorry to have kept you waiting...we concluded to give a green light to drop v7r2 support from DIRACOS2. Just for sure, do you think if we can deploy v7r2 with existing DIRACOS2 (i.e. 2.31-), even after OpenSSL3 DIRACOS2 is released? In any case, we agreed to move on supported v7.3 and v8.0 as soon as possible. |
|
Thanks for looking into it and confirming 😄
Yes you can, the only catch is that you're stuck on the current release. (Though you could use |
|
Thank you for prompt confirmation! I see, then we will use 2.30 by default... |
BEGINRELEASENOTES
CHANGE: Use OpenSSL 3.0.0
CHANGE: Use latest mysql client. This will break the use of TLS with servers older than MySQL v5.7.10+ (MariaDB 5.5.41+/MariaDB 10.0.15+). See #95.
CHANGE: Use latest arc client libs
ENDRELEASENOTES