-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ssl: upgrade FIPS boringssl version #27087
Conversation
Signed-off-by: Greg Greenway <ggreenway@apple.com>
CC @envoyproxy/dependency-shepherds: Your approval is needed for changes made to |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice!
Looks like a fragile change detector test has failed. /wait |
Signed-off-by: Greg Greenway <ggreenway@apple.com>
/retest |
Retrying Azure Pipelines: |
* main: (175 commits) xds: add config for pick_first LB policy extension (envoyproxy#26952) ci: run Kotlin tests with signal_trace disabled (envoyproxy#27090) ssl: upgrade FIPS boringssl version (envoyproxy#27087) Add createPath to Filesystem abstraction. (envoyproxy#27052) mobile/ci: Increase test_timeout for ios tests (envoyproxy#27044) [mobile]remove Java and GMScore impl from Cronvoy (envoyproxy#27039) Fix compliance issues for iOS builds (envoyproxy#27027) docs: fix the license URL of the dependency "dd-trace-cpp" (envoyproxy#27054) ci/mobile: Hide CI progress in .bazelrc (envoyproxy#27045) thrift_proxy: add access log support for local reply (envoyproxy#27057) ci: Consolidate artifact targets (envoyproxy#27079) lb: moving maglev to extensions (envoyproxy#27037) Overload Manager: LoadShedPoint for HCM decode headers (envoyproxy#26769) Plumb ServerFactoryContext into header validator factory (envoyproxy#27008) access_log: use AccessLogType::NotSet instead of default value (envoyproxy#27058) access_log: pass access log type parameter to evaluate function (envoyproxy#27063) Remove unused member from GrpcStream (envoyproxy#27055) tools: setup build in local_fix_format (envoyproxy#27060) generic proxy: virtual host support for the generic proxy routing (envoyproxy#26932) deps: Bump pytooling publishing deps (envoyproxy#27059) ...
* ssl: upgrade FIPS boringssl version Signed-off-by: Greg Greenway <ggreenway@apple.com> Signed-off-by: Ryan Eskin <ryan.eskin89@protonmail.com>
* ssl: upgrade FIPS boringssl version Signed-off-by: Greg Greenway <ggreenway@apple.com> Signed-off-by: Ryan Northey <ryan@synca.io>
* ssl: upgrade FIPS boringssl version Signed-off-by: Greg Greenway <ggreenway@apple.com> Signed-off-by: Ryan Northey <ryan@synca.io>
* ssl: upgrade FIPS boringssl version Signed-off-by: Greg Greenway <ggreenway@apple.com> Signed-off-by: Ryan Northey <ryan@synca.io>
* ssl: upgrade FIPS boringssl version Signed-off-by: Greg Greenway <ggreenway@apple.com> Signed-off-by: Ryan Northey <ryan@synca.io>
* ssl: upgrade FIPS boringssl version Signed-off-by: Greg Greenway <ggreenway@apple.com> Signed-off-by: Ryan Northey <ryan@synca.io>
* ssl: upgrade FIPS boringssl version Signed-off-by: Greg Greenway <ggreenway@apple.com> Signed-off-by: Ryan Northey <ryan@synca.io>
Follow up from: - envoyproxy#27087 - envoyproxy#27622 Signed-off-by: Ryan Northey <ryan@synca.io> Signed-off-by: phlax <phlax@users.noreply.github.com>
Follow up from: - envoyproxy#27087 - envoyproxy#27622 Signed-off-by: Ryan Northey <ryan@synca.io> Signed-off-by: phlax <phlax@users.noreply.github.com>
Follow up from: - envoyproxy#27087 - envoyproxy#27622 Signed-off-by: Ryan Northey <ryan@synca.io> Signed-off-by: phlax <phlax@users.noreply.github.com>
Commit Message: QUICHE QUIC code and libraries are supposed to be hidden behind macro ENVOY_ENABLE_QUIC and envoy_select_enable_http3(). Any violation should have resulted in open SSL FIPS build error because of the interface incompatibility. But recent FIPS dependency update #27087 resolved the incompatibility. So upstream_request_lib unhide QUIC code accidentally. This change fix the dependency leakage and change some critical QUIC libraries to be wrapped in envoy_select_enable_http3 which skips building the libraries under bazel option //bazel:http3=False to avoid future leakage. Risk Level: low Testing: existing builds are happy Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A Signed-off-by: Dan Zhang <danzh@google.com> Co-authored-by: Dan Zhang <danzh@google.com>
Commit Message: Update FIPS BoringSSL version to 20210429
Additional Description:
Risk Level: low
Testing: existing tests
Docs Changes: none
Release Notes: none
Platform Specific Features: no changes
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]