Support OpenSSL 3.0 #1596
Support OpenSSL 3.0 #1596
Conversation
Co-authored-by: Tom Lee <github@tomlee.co>
Co-authored-by: Tom Lee <github@tomlee.co>
kentonv
force-pushed
the
openssl3
branch
3 times, most recently
from
f5a4469
to
4fdc121
Compare
|
Well the g++-12 build proves OpenSSL 3 now works, but I have no idea why the clang-14 build isn't linking libc++ correctly. I probably need to play with this on an Ubuntu VM / container rather than iterate in CI. Not going to do that tonight. |
|
Thanks for tackling this! :) Picked this PR on top of 0.10.3 in conda-forge/capnproto-feedstock#32, but still failing on linux with: Similarly on osx: Both builds against openssl 1.1.1 pass the tests. It's completely possible that some of the other intervening changes on master are also necessary (it wouldn't be a problem to wait for a new version), but I just wanted to provide some additional testing. :) |
|
@h-vetinari I'm probably not going to be able to debug a problem that doesn't repro in our CI. That said, if you could do a debug build so that the stack trace is properly symbolized, that might help narrow down the issue. Also, "No such file or directory" is suspicious; if you could use |
An EOF received without a proper shutdown handshake should be treated as an error, otherwise truncation attacks are possible. The way this is reported changed between OpenSSL 1.x vs. 3.x. Apparently, OpenSSL 1.x programs widely failed to consider this an error -- KJ being an example, up until now -- hence the OpenSSL developers chose to strengthen the error reporting to make people take it more seriously. Here I've decided to make it an error even when using OpenSSL 1.x, as we always should have done anyway. Co-authored-by: Tom Lee <github@tomlee.co>
(This isn't related to OpenSSL 3.0 but is in this PR because it's needed to update CI to newer Ubuntu...)
We couldn't do this before because it uses OpenSSL 3, but that should work now. I went ahead and made it use the latest compiler versions supported in this release. We still use Ubuntu 20.04 to test older compilers, since 22.04 doesn't support compilers that old anymore.
|
OK, got CI working. AFAICT this makes KJ work correctly with OpenSSL 3. cc @thomaslee |
| # and started issuing deprecating warnings for -fcoroutines-ts. (I'm not sure which version it | ||
| # was exactly since our CI jumped from 10 to 14, so I'm somewhat arbitrarily choosing 14 as the | ||
| # cutoff.) | ||
| export CXXFLAGS="$CXXFLAGS -std=c++20 -stdlib=libc++" |
There was a problem hiding this comment.
I wonder if we lose any code coverage by using -std=c++20 instead of gnu++20? Maybe we don't actually use any GNU extensions that clang doesn't provide by default.
There was a problem hiding this comment.
I would expect that if we were using any "GNU extensions" that aren't enabled for -std=c++20, we'd see errors, because I'm not aware of us using #ifdefs that somehow distinguish whether GNU extensions are enabled. So since we see no errors, I suspect it doesn't really make a difference?
This is based on #1434, but I went ahead and made KJ treat unexpected EOF as an error -- even with OpenSSL 1.x -- since this is technically important to prevent truncation attacks.
(It turns out that lots of apps than use OpenSSL 1.x are vulnerable to truncation attacks, which is why OpenSSL 3 decided to strengthen the error reporting to make it clearer that this situation should be an error, but this was considered a breaking change. So KJ is not alone in having this bug, but I went ahead and fixed it even when using OpenSSL 1.x.)
NOTE: I'm flying blind here as my local Debian machine is still on OpenSSL 1.x. Gonna do a little CI-driven-development. I'll mark this no longer a draft once I get CI passing...