Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

gRPC doesn't build with OpenSSL anymore - under Debian only. #10589

Closed
nicolasnoble opened this issue Apr 11, 2017 · 8 comments · Fixed by #11495

Comments

@nicolasnoble
Copy link
Contributor

commented Apr 11, 2017

Reproduction steps:

$ docker run -t -i debian:9 bash -l
# apt-get update
# apt-get -y dist-upgrade
# apt-get install -y git build-essential libssl-dev
# git clone --recursive https://github.com/grpc/grpc.git
# cd grpc
# EMBED_OPENSSL=false make static_c

Output:

src/core/lib/security/credentials/jwt/jwt_verifier.c: In function 'pkey_from_jwk':
src/core/lib/security/credentials/jwt/jwt_verifier.c:498:10: error: dereferencing pointer to incomplete type 'RSA {aka struct rsa_st}'
       rsa->n =
          ^~
Makefile:2446: recipe for target '/grpc/objs/opt/src/core/lib/security/credentials/jwt/jwt_verifier.o' failed
make: *** [/grpc/objs/opt/src/core/lib/security/credentials/jwt/jwt_verifier.o] Error 1
@jboeuf

This comment has been minimized.

Copy link
Contributor

commented Apr 12, 2017

The problem is that this version of debian ships with OpenSSL 1.1 which has breaking changes in the API. See https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes#Downloads

If we want to support both 1.0.2 and 1.1, we need to link with an API compatibility layer that can be downloaded here: https://wiki.openssl.org/images/e/ed/Openssl-compat.tar.gz

@nicolasnoble, do you have a strong opinion on what to do here? 1.1 has also deprecated other functions that we are using and causing some errors:

src/core/tsi/ssl_transport_security.c:1298:3: error: 'TLSv1_2_method' is deprecated [-Werror=deprecated-declarations]
   ssl_context = SSL_CTX_new(TLSv1_2_method());
   ^~~~~~~~~~~
In file included from /usr/include/openssl/ct.h:13:0,
                 from /usr/include/openssl/ssl.h:61,
                 from src/core/tsi/ssl_transport_security.c:59:
/usr/include/openssl/ssl.h:1608:1: note: declared here
 DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_2_method(void)) /* TLSv1.2 */
 ^
src/core/tsi/ssl_transport_security.c: In function 'tsi_create_ssl_server_handshaker_factory_ex':
src/core/tsi/ssl_transport_security.c:1418:7: error: 'TLSv1_2_method' is deprecated [-Werror=deprecated-declarations]
       impl->ssl_contexts[i] = SSL_CTX_new(TLSv1_2_method());
       ^~~~
In file included from /usr/include/openssl/ct.h:13:0,
                 from /usr/include/openssl/ssl.h:61,
                 from src/core/tsi/ssl_transport_security.c:59:
/usr/include/openssl/ssl.h:1608:1: note: declared here
 DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_2_method(void)) /* TLSv1.2 */
@nicolasnoble

This comment has been minimized.

Copy link
Contributor Author

commented Apr 12, 2017

Hm, well, yes, we'd need to make it work for both OpenSSL 1.0.x and 1.1.x. I'm glad we've caught that early, because this will become a broader issue later on, especially with other build systems such as node.js.

Did they really break the API in a minor release ? That's... unfortunate. Isn't there any way to do anything that would work for both ? In worst case scenario, the compatibility layer may be a bit bloated, but fortunately, is easy to implement ourselves. The #if OPENSSL_VERSION_NUMBER < 0x10100000L is the way to go, with then code that differs between the two implementations.

@JelteF

This comment has been minimized.

Copy link

commented May 23, 2017

This is also an issue when compiling on Arch linux now.

@ndandanov

This comment has been minimized.

Copy link

commented May 30, 2017

Does any workaround exist? Perhaps using OpenSSL 1.0 would be sufficient.

@JelteF, I am also on Arch Linux. Did you manage to solve the issue and if yes, how?

Thank you!

@giorgioazzinnaro

This comment has been minimized.

Copy link

commented May 30, 2017

I was following this but forgot to mention how I solved.
I tried configuring CMake to use OpenSSL 1.0 but got issues with other libraries, eventually I settled with the standard Makefile procedure, installing openssl-1.0 package, and exporting PKG_CONFIG_PATH to point to OpenSSL 1.0

See this for reference.

Basically the build becomes:

PKG_CONFIG_PATH=/usr/lib/openssl-1.0/pkgconfig make

Hope this'll help!

@ndandanov

This comment has been minimized.

Copy link

commented May 31, 2017

Thank you a lot, @giorgioazzinnaro!
The build went successfully with this export and also with export CFLAGS="-Wno-error" in order to omit the warnings for missing breaks.

@nwoeanhinnogaehr

This comment has been minimized.

Copy link

commented Jun 8, 2017

For anyone else who is confused as to why @giorgioazzinnaro's answer is not working, make sure you have pkg-config installed!

@jtattermusch

This comment has been minimized.

Copy link
Contributor

commented Jun 8, 2017

once this is fixed, we'll need a distrib test for this -> anything "supported" that doesn't have a test will be broken in the future.

@mehrdada mehrdada referenced this issue Jun 9, 2017
agc-sec added a commit to agc-sec/grpc that referenced this issue Jun 14, 2017
…t_verifier.c in order to partially resolve grpc#10589.

There are a total of four files require modification and this is the only one in which a wrapper-type function is necessary.
agc-sec added a commit to agc-sec/grpc that referenced this issue Jun 14, 2017
…t_verifier.c in order to partially resolve grpc#10589.

There are a total of four files require modification and this is the only one in which a wrapper-type function is necessary.
toanju added a commit to toanju/grpc that referenced this issue Oct 10, 2017
…d use TLS_*method as appropriate and follow up with a set_min/max version call.

TLSv1_2_*methods are deprecated in OpenSSL 1.1.

This is part 2 of 2 for addressing grpc#10589
shivamidow added a commit to shivamidow/grpc that referenced this issue Oct 24, 2017
…d use TLS_*method as appropriate and follow up with a set_min/max version call.

TLSv1_2_*methods are deprecated in OpenSSL 1.1.

This is part 2 of 2 for addressing grpc#10589
shivamidow added a commit to shivamidow/grpc that referenced this issue Nov 15, 2017
…d use TLS_*method as appropriate and follow up with a set_min/max version call.

TLSv1_2_*methods are deprecated in OpenSSL 1.1.

This is part 2 of 2 for addressing grpc#10589
jtattermusch added a commit to jtattermusch/grpc that referenced this issue Dec 15, 2017
…d use TLS_*method as appropriate and follow up with a set_min/max version call.

TLSv1_2_*methods are deprecated in OpenSSL 1.1.

This is part 2 of 2 for addressing grpc#10589
@lock lock bot locked as resolved and limited conversation to collaborators Oct 1, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
8 participants
You can’t perform that action at this time.