
Wolf ssl #10227

Closed
wants to merge 30 commits into from

Conversation


@thiagoftsm thiagoftsm commented Nov 10, 2020

Summary

Fixes #6509

This PR fixes issue #6509 by bringing support for the WolfSSL library. The code also brings some changes to our code so that one day Netdata becomes completely independent of OpenSSL, but this is not possible now, because WolfSSL does not have all the features that OpenSSL has, according to their documentation.

Component Name

WebServer
DBengine
ACLK
installer

Test Plan

1 - Compile wolfssl on a system that does not have exporters like grafana, kinesis, mongodb or pubsub, because they can be linked against OpenSSL:

unzip wolfssl-master.zip
./autogen.sh
./configure --prefix=/usr --enable-all --enable-static
make
make install

These steps will install the libraries at /usr/lib/, which is the official directory on OpenWRT, but for some distributions it will be necessary to create a symbolic link at /usr/lib64/.

2 - Execute the following tests with this PR:

All tests (Except dbengine)

On parent:

  • Compile the PR with options '--use-wolfssl', '--disable-cloud', '--disable-dbengine'.
  • Verify that Netdata was linked only with wolfssl
  • Create the pair certificate and key, and move your files to the correct destination.
  • Force connection with tls
  • Configure Stream
  • Configure exporting.conf to send data for an external storage.
  • Start Netdata.
  • Access Netdata dashboard.

On child:

  • Compile the PR with options '--use-wolfssl', '--disable-cloud', '--disable-dbengine'.
  • Configure Stream
  • Start Netdata

Dbengine and cloud

On parent:

  • Compile the PR with options '--use-wolfssl'
  • Configure your netdata.conf to use memory mode = dbengine.
  • Start Netdata

We won't have cloud working, because libwebsockets does not recognize a necessary function that was renamed by WolfSSL, but we should have dbengine working without problems.

Everything is working when compiled against OpenSSL

  • Compile this PR without the option --use-wolfssl. Everything will work, including the cloud.

Additional Information

WolfSSL is not at the same level as OpenSSL right now, and this is explicit in their documentation, but without any doubt we can generate smaller binaries with it.

| Scenario | Options | Expected |
|---|---|---|
| both OpenSSL and wolfSSL are installed | '--use-wolfssl' | Netdata will be linked only against WolfSSL and everything except the cloud must work. |
| both OpenSSL and wolfSSL are installed | | Netdata will be linked only against OpenSSL and everything must work. |
| only OpenSSL is installed | any combination | everything needs to work, because Netdata will be linked against OpenSSL |
| only WolfSSL is installed | any combination | Cloud won't work, but the rest should work. |
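The "verify that Netdata was linked only with wolfssl" step of the test plan is the one that catches an exporter client library dragging OpenSSL back in, so here is an added example of how to automate it. This is not code from the PR or from Netdata: a POSIX shell function that reads an `ldd` (or `objdump -p`) listing and reports which TLS library the binary pulls in, plus a checker for the "linked only against X" expectation in the matrix above. The library names are the usual SONAMEs (libwolfssl.so, libssl.so, libcrypto.so); the two sample listings are constructed for the example, not taken from a real build.

```shell
#!/bin/sh
# Added example (not Netdata's code): classify which TLS library a binary is
# linked against, from the output of `ldd netdata` or `objdump -p netdata`.
# Both tools print the shared-object names, so the same grep works for either.
# ldd also lists transitive dependencies, which is what catches an exporter
# (mongodb, kinesis, ...) pulling libssl/libcrypto back in behind wolfSSL.

# tls_linkage_mode: read a dependency listing on stdin and print one of
# "wolfssl", "openssl", "both" or "none".
tls_linkage_mode() {
    listing=$(cat)
    wolf=0
    ossl=0
    printf '%s\n' "$listing" | grep -q 'libwolfssl\.so' && wolf=1
    # "libwolfssl.so" does not contain "libssl.so", so this only sees OpenSSL.
    printf '%s\n' "$listing" | grep -Eq 'lib(ssl|crypto)\.so' && ossl=1
    case "$wolf$ossl" in
        10) echo wolfssl ;;
        01) echo openssl ;;
        11) echo both ;;
        *)  echo none ;;
    esac
}

# verify_linkage WANT: read a listing on stdin and succeed (exit 0) only when
# the binary is linked exclusively against WANT ("wolfssl" or "openssl").
verify_linkage() {
    want=$1
    got=$(tls_linkage_mode)
    if [ "$got" = "$want" ]; then
        echo "ok: linked only against $want"
        return 0
    fi
    echo "FAIL: wanted $want, found $got" >&2
    return 1
}

# Constructed sample listings (not from a real build): a clean --use-wolfssl
# build, and a build where a MongoDB exporter client pulled OpenSSL back in.
SAMPLE_WOLF='linux-vdso.so.1 (0x00007ffd4a5f3000)
    libwolfssl.so.24 => /usr/lib/libwolfssl.so.24 (0x00007f0c1c200000)
    libuv.so.1 => /usr/lib/x86_64-linux-gnu/libuv.so.1 (0x00007f0c1c1c0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0c1bf80000)'

SAMPLE_MIXED='linux-vdso.so.1 (0x00007ffd4a5f3000)
    libwolfssl.so.24 => /usr/lib/libwolfssl.so.24 (0x00007f0c1c200000)
    libmongoc-1.0.so.0 => /usr/lib/x86_64-linux-gnu/libmongoc-1.0.so.0 (0x00007f0c1c000000)
    libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f0c1bf00000)
    libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f0c1bc00000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0c1bb80000)'

# On a real build:  ldd ./netdata | verify_linkage wolfssl
printf '%s\n' "$SAMPLE_WOLF"  | verify_linkage wolfssl            # ok
printf '%s\n' "$SAMPLE_MIXED" | verify_linkage wolfssl || true    # FAIL: found both
```

On a binary you did not build yourself prefer `objdump -p netdata | verify_linkage wolfssl`: ldd may run the program's dynamic loader, while objdump only reads the NEEDED entries. Note that objdump shows direct dependencies only, so the transitive OpenSSL pulled in by an exporter library would then have to be checked on that library in turn.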

@thiagoftsm

This PR is set to draft until the documentation is adjusted.

@github-actions github-actions bot added area/build Build system (autotools and cmake). area/collectors Everything related to data collection area/daemon area/database area/docs area/packaging Packaging and operating systems support area/streaming area/web labels Nov 10, 2020
@thiagoftsm thiagoftsm marked this pull request as ready for review November 11, 2020 00:11
@knatsakis knatsakis removed their request for review November 11, 2020 15:30
@vlvkobal

There is a problem with CentOS 7 and Ubuntu 16.04 in our CI

  CC       libnetdata/socket/security.o
In file included from libnetdata/socket/../socket/security.h:27:0,
                 from libnetdata/socket/../libnetdata.h:314,
                 from libnetdata/socket/security.c:1:
libnetdata/socket/security.c:120:5: error: expected declaration specifiers or '...' before '(' token
     SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
     ^
In file included from libnetdata/socket/../socket/security.h:27:0,
                 from libnetdata/socket/../libnetdata.h:314,
                 from libnetdata/socket/security.c:1:
libnetdata/socket/security.c:120:5: error: expected declaration specifiers or '...' before numeric constant
     SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
     ^
In file included from libnetdata/socket/../socket/security.h:27:0,
                 from libnetdata/socket/../libnetdata.h:314,
                 from libnetdata/socket/security.c:1:
libnetdata/socket/security.c:120:5: error: expected declaration specifiers or '...' before '(' token
     SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
     ^
In file included from /usr/include/x86_64-linux-gnu/sys/param.h:23:0,
                 from /usr/include/resolv.h:62,
                 from libnetdata/socket/../libnetdata.h:98,
                 from libnetdata/socket/security.c:1:
libnetdata/socket/security.c:120:5: error: expected declaration specifiers or '...' before '(' token
     SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
     ^
libnetdata/socket/security.c:121:1: error: expected identifier or '(' before '}' token
 }
 ^
Makefile:4579: recipe for target 'libnetdata/socket/security.o' failed
make[2]: *** [libnetdata/socket/security.o] Error 1
make[2]: *** Waiting for unfinished jobs....
make[2]: Leaving directory '/netdata'
make[1]: *** [all-recursive] Error 1
Makefile:5261: recipe for target 'all-recursive' failed
make[1]: Leaving directory '/netdata'
make: *** [all] Error 2
Makefile:2744: recipe for target 'all' failed
Error: Process completed with exit code 2.

@vlvkobal

There are a lot of warnings in config.log:

conftest.c:70: warning: "HAVE_X509_VERIFY_PARAM_set1_host" redefined
   70 | #define HAVE_X509_VERIFY_PARAM_set1_host 1
      |
conftest.c:68: note: this is the location of the previous definition
   68 | #define HAVE_X509_VERIFY_PARAM_set1_host 0
      |
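The warning above is the C preprocessor's way of saying that the configure script defined the same HAVE_ macro twice with different values; the last definition wins, so here HAVE_X509_VERIFY_PARAM_set1_host ends up as 1. Because that macro gates whether hostname verification code is compiled in, a silent redefinition in the other direction would matter. As an added example, not code from the PR or from Netdata, here is a shell function that lints a conftest.c or config.h for exactly this pattern. It assumes the plain `#define NAME VALUE` layout autoconf writes; the sample input is constructed to mirror the warning, and the second macro name in it is made up for the example.

```shell
#!/bin/sh
# Added example (not Netdata's code): report HAVE_* feature macros that a
# generated header or conftest.c defines more than once with different values.
# The preprocessor keeps the LAST definition, so for a macro gating a
# security-relevant call (X509_VERIFY_PARAM_set1_host, i.e. hostname
# verification) a stray redefinition silently decides whether the call is
# compiled in. Only the plain `#define NAME VALUE` form autoconf emits is parsed.

# conflicting_defines [FILE]: read FILE (or stdin) and print, one per line,
# "NAME first=V1 last=V2" for every HAVE_* macro defined with conflicting
# values. Prints nothing when the file is consistent.
conflicting_defines() {
    awk '
        /^#define HAVE_/ {
            name = $2
            val = ($3 == "") ? "(empty)" : $3
            if (name in first) {
                if (first[name] != val) conflict[name] = 1
                last[name] = val
            } else {
                first[name] = val
                last[name] = val
            }
        }
        END {
            for (n in conflict)
                printf "%s first=%s last=%s\n", n, first[n], last[n]
        }' "${1:--}" | sort
}

# Constructed sample modelled on the warning in the review comment; the
# HAVE_EXAMPLE_FEATURE line is invented for the example and is consistent,
# so only the set1_host macro should be reported.
conflicting_defines <<'EOF'
/* constructed conftest.c excerpt */
#define HAVE_EXAMPLE_FEATURE 1
#define HAVE_X509_VERIFY_PARAM_set1_host 0
#define HAVE_EXAMPLE_FEATURE 1
#define HAVE_X509_VERIFY_PARAM_set1_host 1
EOF
# prints: HAVE_X509_VERIFY_PARAM_set1_host first=0 last=1
```

Running `conflicting_defines config.h` after `./configure` gives a quick yes/no on whether two AC_DEFINE calls fought over the same symbol, which is easier to act on than searching config.log by hand.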

@vlvkobal

vlvkobal commented Nov 16, 2020

Please test your PR with all combinations of installed SSL libraries.

  • only OpenSSL is installed.
    • with '--use-wolfssl'.
    • without '--use-wolfssl'.
  • only wolfSSL is installed.
    • with '--use-wolfssl'.
    • without '--use-wolfssl'.
  • both, OpenSSL and wolfSSL are installed
    • with '--use-wolfssl'.
    • without '--use-wolfssl'.

Please describe the behavior of the '--use-wolfssl' flag.

@thiagoftsm

> There are a lot of warnings in config.log:
>
> conftest.c:70: warning: "HAVE_X509_VERIFY_PARAM_set1_host" redefined
>    70 | #define HAVE_X509_VERIFY_PARAM_set1_host 1
>       |
> conftest.c:68: note: this is the location of the previous definition
>    68 | #define HAVE_X509_VERIFY_PARAM_set1_host 0
>       |

I completely removed the test for the function when wolf_ssl is used, because it has problems when linked against libwebsockets.

@thiagoftsm

> Please test your PR with all combinations of installed SSL libraries.
>
> * only OpenSSL is installed.
>   * with '--use-wolfssl'.
>   * without '--use-wolfssl'.
> * only wolfSSL is installed.
>   * with '--use-wolfssl'.
>   * without '--use-wolfssl'.
> * both, OpenSSL and wolfSSL are installed
>   * with '--use-wolfssl'.
>   * without '--use-wolfssl'.
>
> Please describe the behavior of the '--use-wolfssl' flag.

I updated the OP with the expected results.

@thiagoftsm

I am closing this PR, and I will start another with the current master branch.

@thiagoftsm thiagoftsm closed this Jan 13, 2022
@thiagoftsm thiagoftsm deleted the wolf_ssl branch March 27, 2023 00:22
Labels
area/build Build system (autotools and cmake). area/collectors Everything related to data collection area/daemon area/database area/docs area/exporting area/packaging Packaging and operating systems support area/streaming area/web
Successfully merging this pull request may close these issues.

Add support for other TLS/SSL libraries than OpenSSL
4 participants