Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

gRPC doesn't build with OpenSSL anymore - under Debian only. #10589

Closed
nicolasnoble opened this issue Apr 11, 2017 · 8 comments · Fixed by #11495
Closed

gRPC doesn't build with OpenSSL anymore - under Debian only. #10589

nicolasnoble opened this issue Apr 11, 2017 · 8 comments · Fixed by #11495
Assignees
@jboeuf

Comments

@nicolasnoble
Copy link
Member

Reproduction steps:

$ docker run -t -i debian:9 bash -l
# apt-get update
# apt-get -y dist-upgrade
# apt-get install -y git build-essential libssl-dev
# git clone --recursive https://github.com/grpc/grpc.git
# cd grpc
# EMBED_OPENSSL=false make static_c

Output:

src/core/lib/security/credentials/jwt/jwt_verifier.c: In function 'pkey_from_jwk':
src/core/lib/security/credentials/jwt/jwt_verifier.c:498:10: error: dereferencing pointer to incomplete type 'RSA {aka struct rsa_st}'
       rsa->n =
          ^~
Makefile:2446: recipe for target '/grpc/objs/opt/src/core/lib/security/credentials/jwt/jwt_verifier.o' failed
make: *** [/grpc/objs/opt/src/core/lib/security/credentials/jwt/jwt_verifier.o] Error 1
@jboeuf
Copy link
Contributor

jboeuf commented Apr 12, 2017

The problem is that this version of debian ships with OpenSSL 1.1 which has breaking changes in the API. See https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes#Downloads

If we want to support both 1.0.2 and 1.1, we need to link with an API compatibility layer that can be downloaded here: https://wiki.openssl.org/images/e/ed/Openssl-compat.tar.gz

@nicolasnoble, do you have a strong opinion on what to do here? 1.1 has also deprecated other functions that we are using and causing some errors:

src/core/tsi/ssl_transport_security.c:1298:3: error: 'TLSv1_2_method' is deprecated [-Werror=deprecated-declarations]
   ssl_context = SSL_CTX_new(TLSv1_2_method());
   ^~~~~~~~~~~
In file included from /usr/include/openssl/ct.h:13:0,
                 from /usr/include/openssl/ssl.h:61,
                 from src/core/tsi/ssl_transport_security.c:59:
/usr/include/openssl/ssl.h:1608:1: note: declared here
 DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_2_method(void)) /* TLSv1.2 */
 ^
src/core/tsi/ssl_transport_security.c: In function 'tsi_create_ssl_server_handshaker_factory_ex':
src/core/tsi/ssl_transport_security.c:1418:7: error: 'TLSv1_2_method' is deprecated [-Werror=deprecated-declarations]
       impl->ssl_contexts[i] = SSL_CTX_new(TLSv1_2_method());
       ^~~~
In file included from /usr/include/openssl/ct.h:13:0,
                 from /usr/include/openssl/ssl.h:61,
                 from src/core/tsi/ssl_transport_security.c:59:
/usr/include/openssl/ssl.h:1608:1: note: declared here
 DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_2_method(void)) /* TLSv1.2 */

@nicolasnoble
Copy link
Member Author

Hm, well, yes, we'd need to make it work for both OpenSSL 1.0.x and 1.1.x. I'm glad we've caught that early, because this will become a broader issue later on, especially with other build systems such as node.js.

Did they really break the API in a minor release ? That's... unfortunate. Isn't there any way to do anything that would work for both ? In worst case scenario, the compatibility layer may be a bit bloated, but fortunately, is easy to implement ourselves. The #if OPENSSL_VERSION_NUMBER < 0x10100000L is the way to go, with then code that differs between the two implementations.

@JelteF
Copy link

JelteF commented May 23, 2017

This is also an issue when compiling on Arch linux now.

@ndandanov
Copy link

Does any workaround exist? Perhaps using OpenSSL 1.0 would be sufficient.

@JelteF, I am also on Arch Linux. Did you manage to solve the issue and if yes, how?

Thank you!

@borgoat
Copy link

borgoat commented May 30, 2017
edited

I was following this but forgot to mention how I solved.
I tried configuring CMake to use OpenSSL 1.0 but got issues with other libraries, eventually I settled with the standard Makefile procedure, installing openssl-1.0 package, and exporting PKG_CONFIG_PATH to point to OpenSSL 1.0

See this for reference.

Basically the build becomes:

PKG_CONFIG_PATH=/usr/lib/openssl-1.0/pkgconfig make

Hope this'll help!

@ndandanov
Copy link

Thank you a lot, @giorgioazzinnaro!
The build went successfully with this export and also with export CFLAGS="-Wno-error" in order to omit the warnings for missing breaks.

@nicolasnoble nicolasnoble mentioned this issue Jun 6, 2017
Closed
@nwoeanhinnogaehr
Copy link

For anyone else who is confused as to why @giorgioazzinnaro's answer is not working, make sure you have pkg-config installed!

@jtattermusch
Copy link
Contributor

once this is fixed, we'll need a distrib test for this -> anything "supported" that doesn't have a test will be broken in the future.

@mehrdada mehrdada mentioned this issue Jun 9, 2017
Closed
agc-sec added a commit to agc-sec/grpc that referenced this issue Jun 14, 2017
@agc-sec
Adding a wrapper function to src/core/lib/security/credentials/jwt/jw…
1cd27b9 
…t_verifier.c in order to partially resolve grpc#10589.

There are a total of four files require modification and this is the only one in which a wrapper-type function is necessary.
This was referenced Jun 14, 2017
Merged
Closed
agc-sec added a commit to agc-sec/grpc that referenced this issue Jun 14, 2017
@agc-sec
Adding a wrapper function to src/core/lib/security/credentials/jwt/jw…
2f60472 
…t_verifier.c in order to partially resolve grpc#10589.

There are a total of four files require modification and this is the only one in which a wrapper-type function is necessary.
@admcrae admcrae mentioned this issue Jun 17, 2017
Closed
toanju pushed a commit to toanju/grpc that referenced this issue Oct 10, 2017
@agc-sec @toanju
Transitioning from the deprecated TLSv1_2_*method functions to instea…
62d680d 
…d use TLS_*method as appropriate and follow up with a set_min/max version call.

TLSv1_2_*methods are deprecated in OpenSSL 1.1.

This is part 2 of 2 for addressing grpc#10589
shivamidow pushed a commit to shivamidow/grpc that referenced this issue Oct 24, 2017
@agc-sec
Transitioning from the deprecated TLSv1_2_*method functions to instea…
2906a68 
…d use TLS_*method as appropriate and follow up with a set_min/max version call.

TLSv1_2_*methods are deprecated in OpenSSL 1.1.

This is part 2 of 2 for addressing grpc#10589
shivamidow pushed a commit to shivamidow/grpc that referenced this issue Nov 15, 2017
@agc-sec
Transitioning from the deprecated TLSv1_2_*method functions to instea…
3717c07 
…d use TLS_*method as appropriate and follow up with a set_min/max version call.

TLSv1_2_*methods are deprecated in OpenSSL 1.1.

This is part 2 of 2 for addressing grpc#10589
jtattermusch pushed a commit to jtattermusch/grpc that referenced this issue Dec 15, 2017
@agc-sec @jtattermusch
Transitioning from the deprecated TLSv1_2_*method functions to instea…
f11e754 
…d use TLS_*method as appropriate and follow up with a set_min/max version call.

TLSv1_2_*methods are deprecated in OpenSSL 1.1.

This is part 2 of 2 for addressing grpc#10589
@teganburns teganburns mentioned this issue Feb 3, 2018
Closed
@lock lock bot locked as resolved and limited conversation to collaborators Oct 1, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@jboeuf jboeuf

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix compilation error associated with release of OpenSSL 1.1 agc-sec/grpc
8 participants
@JelteF @wenbozhu @jboeuf @nicolasnoble @nwoeanhinnogaehr @borgoat @jtattermusch @ndandanov