
Switched from libressl to openssl #8218

Merged
alexey-milovidov merged 28 commits into master from libressl-to-openssl
Dec 15, 2019

Conversation

@alexey-milovidov (Member)

Changelog category (leave one):

  • Build/Testing/Packaging Improvement

Changelog entry (up to a few sentences, required except for Non-significant/Documentation categories):
Switched from libressl to openssl. ClickHouse should support TLS 1.3 and SNI after this change. This fixes #8171.

@alexey-milovidov (Member Author)

Still have some trouble with both the old and the new version:

libressl:

~/ClickHouse/build_gcc9$ /usr/bin/clickhouse local --query="SELECT * FROM url('https://danluu.com/', TSV, 's String')"
SSL Exception: error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure

openssl:

~/ClickHouse/build_gcc9$ dbms/programs/clickhouse local --query="SELECT * FROM url('https://danluu.com/', TSV, 's String')"
SSL Exception: error:14000410:SSL routines::sslv3 alert handshake failure
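Both alerts above come back in answer to the ClientHello, which is the message that carries the SNI name and the list of TLS versions the client is willing to speak; a server that insists on SNI, or on a version the client does not offer, answers exactly with a handshake_failure alert. The following is an added example, not code from this PR or from ClickHouse: it drives the OpenSSL that Python links through a pair of MemoryBIO objects, so the client's first flight can be captured and parsed offline, and it reports whether the server_name extension and a TLS 1.3 entry in supported_versions are present. The hostname danluu.com is used only as the SNI value; no connection is opened.

```python
"""Capture and inspect the TLS ClientHello that the local OpenSSL emits.

No network is used: Python's ssl module drives OpenSSL through a pair of
MemoryBIO objects, so the client's first flight can be read back as bytes.
"""
import ssl
import struct

EXT_SERVER_NAME = 0          # RFC 6066 server_name (SNI)
EXT_SUPPORTED_VERSIONS = 43  # RFC 8446 supported_versions
TLS13 = 0x0304


def capture_client_hello(server_hostname):
    """Return the raw bytes of the first TLS record the client writes
    (its ClientHello). server_hostname=None means 'send no SNI'."""
    ctx = ssl.create_default_context()
    if server_hostname is None:
        # Order matters: check_hostname must be off before verify_mode is lowered.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, now waiting for a ServerHello
    return outgoing.read()


def parse_client_hello(flight):
    """Parse a handshake record holding a ClientHello; return {ext_type: data}."""
    rec_type, _legacy_version, rec_len = struct.unpack('!BHH', flight[:5])
    if rec_type != 22:
        raise ValueError('not a TLS handshake record')
    hs = flight[5:5 + rec_len]
    if hs[0] != 1:
        raise ValueError('not a ClientHello')
    body = hs[4:4 + int.from_bytes(hs[1:4], 'big')]
    pos = 2 + 32                                          # legacy_version, random
    pos += 1 + body[pos]                                  # legacy_session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], 'big')   # cipher_suites
    pos += 1 + body[pos]                                  # legacy_compression_methods
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], 'big')
    pos += 2
    extensions = {}
    while pos < end:
        ext_type, ext_len = struct.unpack('!HH', body[pos:pos + 4])
        pos += 4
        extensions[ext_type] = body[pos:pos + ext_len]
        pos += ext_len
    return extensions


def sni_hostname(extensions):
    """host_name entry of the server_name extension, or None if absent."""
    data = extensions.get(EXT_SERVER_NAME)
    if data is None:
        return None
    pos = 2  # skip the ServerNameList length
    while pos + 3 <= len(data):
        name_type = data[pos]
        name_len = int.from_bytes(data[pos + 1:pos + 3], 'big')
        if name_type == 0:
            return data[pos + 3:pos + 3 + name_len].decode('ascii')
        pos += 3 + name_len
    return None


def offered_versions(extensions):
    """Versions listed in supported_versions; empty for a pre-TLS-1.3 client."""
    data = extensions.get(EXT_SUPPORTED_VERSIONS)
    if data is None:
        return []
    return [int.from_bytes(data[i:i + 2], 'big') for i in range(1, 1 + data[0], 2)]


def offers_tls13(server_hostname):
    """True if the captured ClientHello advertises TLS 1.3."""
    return TLS13 in offered_versions(parse_client_hello(capture_client_hello(server_hostname)))


def library_supports_tls13():
    return ssl.HAS_TLSv1_3


if __name__ == '__main__':
    print(ssl.OPENSSL_VERSION)
    for host in ('danluu.com', None):
        exts = parse_client_hello(capture_client_hello(host))
        print('SNI=%r TLS1.3 offered=%s' % (sni_hostname(exts), TLS13 in offered_versions(exts)))
```

Run it against the OpenSSL a build actually links (here: whatever Python was built against) and compare with the server's requirements; a ClientHello without a server_name extension, or without 0x0304 in supported_versions, is the client-side explanation for an alert like the ones shown above. The capture works because the client's first flight never depends on a reply, so the MemoryBIO stand-in for the socket is enough.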

@alexey-milovidov added the pr-build label (Pull request with build/testing/packaging improvement) on Dec 14, 2019
@alexey-milovidov (Member Author)

Now OpenSSL works with the AArch64 build:

milovidov@example:~/ClickHouse/build_output_folder$ docker run --network=host --rm -it -v/home/milovidov/ClickHouse/build_output_folder:/build multiarch/ubuntu-core:arm64-bionic /bin/bash
root@example:/# /build/clickhouse local --query "SELECT * FROM url('https://ya.ru/', TSV, 'x String');"

WARNING: Certificate verification failed
----------------------------------------
Issuer Name:  /C=PL/O=Unizeto Sp. z o.o./CN=Certum CA
Subject Name: /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA

The certificate yielded the error: unable to get local issuer certificate

The error occurred in the certificate chain at position 2
Accept the certificate (y,n)? y
<!DOCTYPE html><html ...

@alexey-milovidov merged commit 5269216 into master on Dec 15, 2019
@alexey-milovidov (Member Author)

The ASM version of SHA256 is not compatible with the query profiler (unwinder):

Thread 82 "ParalInputsProc" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffe0eb7c700 (LWP 984386)]
libunwind::DwarfInstructions<libunwind::LocalAddressSpace, libunwind::Registers_x86_64>::evaluateExpression (expression=0, addressSpace=..., registers=..., initialStackValue=initialStackValue@entry=0) at ../contrib/libunwind/src/DwarfInstructions.hpp:275
275       pint_t length = (pint_t)addressSpace.getULEB128(p, expressionEnd);
(gdb) bt
#0  libunwind::DwarfInstructions<libunwind::LocalAddressSpace, libunwind::Registers_x86_64>::evaluateExpression (expression=0, addressSpace=..., registers=..., initialStackValue=initialStackValue@entry=0) at ../contrib/libunwind/src/DwarfInstructions.hpp:275
#1  0x000000000f34d800 in libunwind::DwarfInstructions<libunwind::LocalAddressSpace, libunwind::Registers_x86_64>::getCFA (registers=..., prolog=..., addressSpace=...) at ../contrib/libunwind/src/DwarfInstructions.hpp:65
#2  libunwind::DwarfInstructions<libunwind::LocalAddressSpace, libunwind::Registers_x86_64>::stepWithDwarf (addressSpace=..., pc=248681801, fdeStart=fdeStart@entry=140906008, registers=...) at ../contrib/libunwind/src/DwarfInstructions.hpp:170
#3  0x000000000f345766 in libunwind::UnwindCursor<libunwind::LocalAddressSpace, libunwind::Registers_x86_64>::stepWithDwarfFDE (this=0x7ffe0eb75700) at ../contrib/libunwind/src/Registers.hpp:343
#4  libunwind::UnwindCursor<libunwind::LocalAddressSpace, libunwind::Registers_x86_64>::step (this=0x7ffe0eb75700) at ../contrib/libunwind/src/UnwindCursor.hpp:1987
#5  libunwind::UnwindCursor<libunwind::LocalAddressSpace, libunwind::Registers_x86_64>::step (this=0x7ffe0eb75700) at ../contrib/libunwind/src/UnwindCursor.hpp:1975
#6  __unw_step (cursor=0x7ffe0eb75700) at ../contrib/libunwind/src/libunwind.cpp:161
#7  0x000000000f345904 in unw_backtrace (buffer=buffer@entry=0x7ffe0eb75900, size=size@entry=32) at ../contrib/libunwind/src/libunwind.cpp:297
#8  0x0000000008b2a8f0 in StackTrace::tryCapture (this=0x7ffe0eb758f0) at /usr/local/include/c++/9.1.0/array:234
#9  StackTrace::StackTrace (this=0x7ffe0eb758f0, signal_context=...) at ../dbms/src/Common/StackTrace.cpp:196
#10 0x0000000008b3f5c5 in DB::(anonymous namespace)::writeTraceInfo (timer_type=<optimized out>, info=<optimized out>, context=0x7ffe0eb76300) at ../dbms/src/Common/QueryProfiler.cpp:76
#11 <signal handler called>
#12 sha256_block_data_order_ssse3 () at contrib/openssl/crypto/sha/sha256-x86_64.s:1988
#13 0x000000000ec79e70 in SHA256_Final (
    md=0x7ffdfa6b0dd0 "\343\260\304B\230\374\034\024\232\373\364șo\271$'\256A\344d\233\223L\244\225\231\033xR\270U\343\260\304B\230\374\034\024\232\373\364șo\271$'\256A\344d\233\223L\244\225\231\033xR\270U\343\260\304B\230\374\034\024\232\373\364șo\271$'\256A\344d\233\223L\244\225\231\033xR\270U\343\260\304B\230\374\034\024\232\373\364șo\271$'\256A\344d\233\223L\244\225\231\033xR\270U\343\260\304B\230\374\034\024\232\373\364șo\271$'\256A\344d\233\223L\244\225\231\033xR\270U\343\260\304B\230\374\034\024\232\373\364șo\271$'\256A\344d\233\223L\244\225\231\033xR\270U\343\260\304B\230\374\034\024"..., c=0x7ffe0eb769a0) at ../contrib/openssl/include/crypto/md32_common.h:215
#14 0x0000000008f7ad74 in DB::FunctionStringHashFixedString<DB::SHA256Impl>::executeImpl(DB::Block&, std::vector<unsigned long, std::allocator<unsigned long> > const&, unsigned long, unsigned long) ()
#15 0x0000000008d450b3 in DB::ExecutableFunctionAdaptor::execute(DB::Block&, std::vector<unsigned long, std::allocator<unsigned long> > const&, unsigned long, unsigned long, bool) ()
#16 0x000000000c34102e in DB::ExpressionAction::execute (this=this@entry=0x7ffe25fa7040, block=..., dry_run=dry_run@entry=false) at /usr/local/include/c++/9.1.0/bits/shared_ptr_base.h:1020
#17 0x000000000c3425b5 in DB::ExpressionActions::execute (this=0x7ffe25fb5010, block=..., dry_run=dry_run@entry=false) at ../dbms/src/Interpreters/ExpressionActions.cpp:760
#18 0x000000000c4f9770 in DB::FilterBlockInputStream::readImpl (this=0x7ffe25f94210) at /usr/local/include/c++/9.1.0/bits/shared_ptr_base.h:1020
#19 0x000000000c1939cf in DB::IBlockInputStream::read (this=0x7ffe25f94210) at ../dbms/src/DataStreams/IBlockInputStream.cpp:61
#20 0x000000000c4fbf77 in DB::ExpressionBlockInputStream::readImpl (this=0x7ffe25ff2210) at /usr/local/include/c++/9.1.0/bits/shared_ptr_base.h:1020
#21 0x000000000c1939cf in DB::IBlockInputStream::read (this=0x7ffe25ff2210) at ../dbms/src/DataStreams/IBlockInputStream.cpp:61
#22 0x000000000c55130e in DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>::loop (thread_num=<optimized out>, this=<optimized out>) at /usr/local/include/c++/9.1.0/bits/shared_ptr_base.h:1020
#23 DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>::thread (this=0x7ffe25ff4680, thread_group=..., thread_num=12) at ../dbms/src/DataStreams/ParallelInputsProcessor.h:208
#24 0x000000000c551d5b in std::__invoke_impl<void, void (DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>::* const&)(std::shared_ptr<DB::ThreadGroupStatus>, unsigned long), DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>* const&, std::shared_ptr<DB::ThreadGroupStatus> const&, unsigned long const&> (__t=@0x7ffe0b400038: 0x7ffe25ff4680, __f=
    @0x7ffe0b400010: (void (DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>::*)(DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler> * const, std::shared_ptr<DB::ThreadGroupStatus>, unsigned long)) 0xc550fa0 <DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>::thread(std::shared_ptr<DB::ThreadGroupStatus>, unsigned long)>) at /usr/local/include/c++/9.1.0/ext/atomicity.h:96
#25 std::__invoke<void (DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>::* const&)(std::shared_ptr<DB::ThreadGroupStatus>, unsigned long), DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>* const&, std::shared_ptr<DB::ThreadGroupStatus> const&, unsigned long const&> (__fn=
    @0x7ffe0b400010: (void (DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>::*)(DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler> * const, std::shared_ptr<DB::ThreadGroupStatus>, unsigned long)) 0xc550fa0 <DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>::thread(std::shared_ptr<DB::ThreadGroupStatus>, unsigned long)>) at /usr/local/include/c++/9.1.0/bits/invoke.h:95
#26 std::__apply_impl<void (DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>::* const&)(std::shared_ptr<DB::ThreadGroupStatus>, unsigned long), std::tuple<DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>*, std::shared_ptr<DB::ThreadGroupStatus>, unsigned long> const&, 0ul, 1ul, 2ul> (__t=..., __f=
    @0x7ffe0b400010: (void (DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>::*)(DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler> * const, std::shared_ptr<DB::ThreadGroupStatus>, unsigned long)) 0xc550fa0 <DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>::thread(std::shared_ptr<DB::ThreadGroupStatus>, unsigned long)>) at /usr/local/include/c++/9.1.0/tuple:1684
#27 std::apply<void (DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>::* const&)(std::shared_ptr<DB::ThreadGroupStatus>, unsigned long), std::tuple<DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>*, std::shared_ptr<DB::ThreadGroupStatus>, unsigned long> const&> (__t=..., __f=
    @0x7ffe0b400010: (void (DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>::*)(DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler> * const, std::shared_ptr<DB::ThreadGroupStatus>, unsigned long)) 0xc550fa0 <DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>::thread(std::shared_ptr<DB::ThreadGroupStatus>, unsigned long)>) at /usr/local/include/c++/9.1.0/tuple:1694
#28 ThreadFromGlobalPool::ThreadFromGlobalPool<void (DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>::*)(std::shared_ptr<DB::ThreadGroupStatus>, unsigned long), DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>*, std::shared_ptr<DB::ThreadGroupStatus>, unsigned long&>(void (DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>::*&&)(std::shared_ptr<DB::ThreadGroupStatus>, unsigned long), DB::ParallelInputsProcessor<DB::ParallelAggregatingBlockInputStream::Handler>*&&, std::shared_ptr<DB::ThreadGroupStatus>&&, unsigned long&)::{lambda()#1}::operator()() const (this=0x7ffe0b400000) at ../dbms/src/Common/ThreadPool.h:156
#29 0x0000000008b4db65 in std::function<void ()>::operator()() const (this=0x7ffe0eb775e0) at /usr/local/include/c++/9.1.0/bits/std_function.h:685
#30 ThreadPoolImpl<std::thread>::worker (this=0xf6d0840 <GlobalThreadPool::instance()::ret>, thread_it=...) at ../dbms/src/Common/ThreadPool.cpp:221
#31 0x000000000f316550 in execute_native_thread_routine () at ../../../../../gcc-9.1.0/libstdc++-v3/src/c++11/thread.cc:80
#32 0x00007ffff79b56db in start_thread (arg=0x7ffe0eb7c700) at pthread_create.c:463
#33 0x00007ffff72d288f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

@alexey-milovidov (Member Author)

The issue is caused by a wrong "CFA expression".
Something around line 809 in crypto/sha/asm/sha512-x86_64.pl.

I have disabled the ASM version of SHA256.
An alternative solution is to remove all .cfi_* directives from the assembly source code (btw, libressl doesn't have them at all). The cost is that stack traces will end at that function.

@filimonov (Contributor) commented Jan 29, 2020

TLSv1.3

SNI

  • openssl 0.9.8f (released 11 Oct 2007) – not compiled in by default, can be compiled in with config option '--enable-tlsext'.
  • openssl 0.9.8j (released 07 Jan 2009) – compiled in by default

[source]


Development

Successfully merging this pull request may close these issues: TLS 1.3 and LibreSSL