ssl: remove aws-lc support#46023
Conversation
This was originally added to support ppc64, and was easier to add than OpenSSL support. Since then, OpenSSL support has been added, which also supports ppc64. Removing aws-lc to simplify the set of possible configurations and maintenance. Signed-off-by: Greg Greenway <ggreenway@apple.com>
|
CC @envoyproxy/dependency-shepherds: Your approval is needed for changes made to |
|
Does aws-lc provide anything of value now that we have OpenSSL support? If not we can remove some dependencies and build complications. If there are good reasons to keep this, let's document them (and close this PR). cc @Jenkins-J |
|
i think there is an arm+fips case for aws-lc also - iirc from changes to it - not sure if that can be accomodated - but also not sure that ppcle is the only consumer |
|
Claude says that openssl can do fips on ARM. |
AWS-LC in Envoy: Can it be dropped in favor of OpenSSL?Envoy supports 3 SSL libraries (ignoring FIPS variants): BoringSSL, AWS-LC, and OpenSSL. Why AWS-LC was addedAWS-LC was introduced in commit Conclusion: No, not without regressionReplacing AWS-LC with OpenSSL would cause several regressions:
The core blocker: FIPSAWS-LC exists in Envoy primarily as a FIPS provider. It's the only way to get a compile-time Additional considerations
What would be needed to drop itIf the project wanted to pursue this, it would require:
Key files involved
|
|
I don't think compile-time vs runtime FIPS is a big deal, as long as there's a way to make it work (which there is with OpenSSL). One motivation for this is that the boringssl code may start using a new CREDENTIALS API, which I don't believe is supported in aws-lc or openssl. We have people committed to writing the openssl-compat code needed for boringssl changes, but I don't think there's anyone signed up for large changes to aws-lc, nor do we have code/infrastructure setup to support it. So one way out of that is to drop aws-lc entirely. |
|
totally agree can we switch ci on properly for openssl? its no slower or more error prone than other parts, and its well supported |
|
... as a step towards it being officially supported i guess |
|
I don't think we need to couple these two concerns (removing aws-lc, vs level of support for openssl). In terms of timing, I don't think there's any reason to rush this, so I'd say let's wait until after the upcoming release if we decide to move forward with this PR. |
This was originally added to support ppc64, and was easier to add than OpenSSL support. Since then, OpenSSL support has been added, which also supports ppc64.
Removing aws-lc to simplify the set of possible configurations and maintenance.