Port to BoringSSL #16043

Closed
alexey-milovidov wants to merge 28 commits into master from boringssl

Conversation

alexey-milovidov (Member) commented Oct 15, 2020

Changelog category (leave one):

  • Build/Testing/Packaging Improvement

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):
Change OpenSSL to BoringSSL. It allows us to avoid issues with sanitizers. This fixes #12490. This fixes #17502. This fixes #12952.

@robot-clickhouse robot-clickhouse added pr-build Pull request with build/testing/packaging improvement submodule changed At least one submodule changed in this PR. labels Oct 15, 2020
alexey-milovidov (Member Author)

Some settings about self-signed certificates are not applied:

 Oct 16,2020 0:33:31             ⟥  When I login as user2 and execute query
 Oct 16,2020 0:33:31               ⟥  By executing command
                                        echo -e "SELECT 1" | clickhouse client -n --user "user2" --password "user2"
                 3ms                    [clickhouse1] bash# echo -e "SELECT 1" | clickhouse client -n --user "user2" --password "user2"
                19ms                    [clickhouse1] Code: 532. DB::Exception: Received from localhost:9000. DB::Exception: Connect error: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED (self signed certificate in certificate chain).

filimonov (Contributor)

BTW

Fetching submodule contrib/grpc/third_party/boringssl  ... 

I think we may need to adjust that to avoid having 2 copies.

alexey-milovidov (Member Author)

@filimonov

I think we may need to adjust that to avoid having 2 copies.

We don't use GRPC's BoringSSL, this recursive submodule can be safely removed.

alexey-milovidov (Member Author) commented Oct 21, 2020

Self-signed certificates work OK for clickhouse-client if it's configured properly:

$ cat ~/.clickhouse-client/config.xml
<config>
    <openSSL>
    <client>
        <loadDefaultCAFile>true</loadDefaultCAFile>
        <caConfig>/usr/local/share/ca-certificates/Yandex/YandexInternalRootCA.crt</caConfig>
        <cacheSessions>true</cacheSessions>
        <disableProtocols>sslv2,sslv3</disableProtocols>
        <preferServerCiphers>true</preferServerCiphers>
        <invalidCertificateHandler>
            <name>AcceptCertificateHandler</name>
        </invalidCertificateHandler>
    </client>
    </openSSL>
</config>
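
The config above gets past the CERTIFICATE_VERIFY_FAILED error in two ways at once: it adds the internal root CA via caConfig, and it sets invalidCertificateHandler to AcceptCertificateHandler, which makes the client continue even when verification fails. From a defender's point of view only the first is a fix; the second would also let a forged server certificate through. The script below is an added example (not ClickHouse or Poco code) that parses the <openSSL><client> section of a client config and reports settings that silence verification rather than establish trust. The "accepting" sample is the config from the comment; the "strict" variant with RejectCertificateHandler and a placeholder CA path is constructed for this example.

```python
"""Audit the <openSSL><client> section of a ClickHouse client config.xml.

Added example, not ClickHouse or Poco code. It flattens the client TLS
settings and flags configurations that ignore certificate errors
(AcceptCertificateHandler), lack a trust anchor, or leave SSLv2/SSLv3
enabled. Both sample configs are constructed for this example.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample 1: the config from the comment above.
ACCEPTING_CONFIG = """<config>
    <openSSL>
    <client>
        <loadDefaultCAFile>true</loadDefaultCAFile>
        <caConfig>/usr/local/share/ca-certificates/Yandex/YandexInternalRootCA.crt</caConfig>
        <cacheSessions>true</cacheSessions>
        <disableProtocols>sslv2,sslv3</disableProtocols>
        <preferServerCiphers>true</preferServerCiphers>
        <invalidCertificateHandler>
            <name>AcceptCertificateHandler</name>
        </invalidCertificateHandler>
    </client>
    </openSSL>
</config>"""

# Constructed sample 2: same idea, but verification failures stay fatal.
# The CA path is a placeholder for this example.
STRICT_CONFIG = """<config>
    <openSSL>
    <client>
        <loadDefaultCAFile>true</loadDefaultCAFile>
        <caConfig>/etc/clickhouse-client/internal-root-ca.crt</caConfig>
        <cacheSessions>true</cacheSessions>
        <disableProtocols>sslv2,sslv3</disableProtocols>
        <preferServerCiphers>true</preferServerCiphers>
        <invalidCertificateHandler>
            <name>RejectCertificateHandler</name>
        </invalidCertificateHandler>
    </client>
    </openSSL>
</config>"""


def client_ssl_settings(config_xml: str) -> Dict[str, str]:
    """Flatten <openSSL><client> into {setting: value}. The handler's
    <name> child is lifted onto the invalidCertificateHandler key."""
    root = ET.fromstring(config_xml)
    client = root.find("./openSSL/client")
    settings: Dict[str, str] = {}
    if client is None:
        return settings
    for child in client:
        if child.tag == "invalidCertificateHandler":
            settings[child.tag] = (child.findtext("name") or "").strip()
        else:
            settings[child.tag] = (child.text or "").strip()
    return settings


def audit_client_ssl(config_xml: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    s = client_ssl_settings(config_xml)
    findings: List[str] = []
    # Accepting invalid certificates removes the self-signed error, but
    # also removes the check that the peer is the server we meant to reach.
    if s.get("invalidCertificateHandler") == "AcceptCertificateHandler":
        findings.append(
            "invalidCertificateHandler=AcceptCertificateHandler: verification "
            "failures are ignored, so any server certificate is accepted")
    # Without a CA file or the system default bundle, nothing can be verified.
    has_ca = bool(s.get("caConfig")) or s.get("loadDefaultCAFile", "").lower() == "true"
    if not has_ca:
        findings.append("no trust anchor: neither caConfig nor loadDefaultCAFile=true")
    # Legacy protocol versions should be explicitly disabled.
    disabled = {p.strip().lower() for p in s.get("disableProtocols", "").split(",") if p.strip()}
    for legacy in ("sslv2", "sslv3"):
        if legacy not in disabled:
            findings.append(f"{legacy} is not listed in disableProtocols")
    return findings


if __name__ == "__main__":
    for label, cfg in (("accepting", ACCEPTING_CONFIG), ("strict", STRICT_CONFIG)):
        print(label, audit_client_ssl(cfg) or ["no findings"])
```

Run against the first sample the audit reports only the handler; the strict variant reports nothing, because the trust decision is carried by the CA file alone.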

alexey-milovidov (Member Author)

The patch #8238 has to be reapplied; there are still issues with BoringSSL and asynchronous unwinding with LLVM's libunwind.

Development

Successfully merging this pull request may close these issues:

  • Very rare segfault in OpenSSL
  • ThreadSanitizer data race
  • ThreadSanitizer: data race test_dictionaries_mysql integration test