MariaDB Server / MDEV-21835

Implement option 'system-wolfssl' in build flag WITH_SSL

Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Do
    • Affects Version/s: 10.5.1
    • Fix Version/s: N/A
    • Component/s: SSL
    • Labels: None

    Description

      Currently the build flag WITH_SSL can be used to either use the system OpenSSL library, a custom OpenSSL from an alternative path or the embedded WolfSSL. There is currently no option to use the system WolfSSL.

      In e.g. Debian WolfSSL has been packaged and available in the distro since 2015.

      Please implement option WITH_SSL=system-wolfssl

      I already did a stub at https://salsa.debian.org/mariadb-team/mariadb-10.4/-/commit/d540460bd807b47dba031744e630a450d4c39951 but I don't have enough skills (or time) to figure out all details and how to finish it, so I wish somebody else would do this.

      NOTE! If it turns out that WolfSSL in Debian somehow is not suitable for MariaDB builds, please file bugs for the package in Debian. The maintainer seems very responsive and happy to modify the package so that its consumers are happy.

      PS. Nowadays the option should be WITH_TLS but that is another issue.

          Activity

            serg Sergei Golubchik added a comment -

            This can be done in 10.5

            otto Otto Kekäläinen added a comment -

            I tried simply to build with this:

            -           -DWITH_SSL=bundled \
            +           -DWITH_SSL=/usr/include/wolfssl \

            And another try with:

            -           -DWITH_SSL=bundled \
            +           -DWITH_SSL=/usr/include/wolfssl/openssl \

            But both cases fail with:

            CMake Error at cmake/ssl.cmake:161 (MESSAGE):
              Wrong option for WITH_SSL.  Valid values are: bundled (use wolfssl), yes
              (prefer os library if present, otherwise use bundled), system (use os
              library), </path/to/custom/installation>
            Call Stack (most recent call first):
              CMakeLists.txt:387 (MYSQL_CHECK_SSL)

            I tried to read in cmake/ssl.cmake what exactly it expects to find at a custom path to happily use it, but did not understand the CMake code well enough to figure it out.
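
            Review bot: both '+' values (-DWITH_SSL=/usr/include/wolfssl and -DWITH_SSL=/usr/include/wolfssl/openssl) name header directories, while the error text shown describes the accepted path form as </path/to/custom/installation>, that is, an installation root rather than an include directory. If the custom-path route is retried, pass the prefix under which the headers and libraries are installed and record in the change which directory layout was assumed; whether cmake/ssl.cmake accepts a wolfSSL layout at such a prefix cannot be told from these lines.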

            otto Otto Kekäläinen added a comment -

            Any comments here robertbindar? This has been assigned to you for quite a long time already.

            Downstream Debian folks noticed WolfSSL is embedded and dislike it (for a valid reason), see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971367

            danblack Daniel Black added a comment -

            I understand why distros dislike bundled packages.

            Wolfssl doesn't offer a stable ABI. If Debian bumped the version due to a security vulnerability there's no assurance to believe the same ABI will be generated.

            https://www.wolfssl.com/docs/frequently-asked-questions-faq/#How_do_I_manage_the_build_configuration_for_wolfSSL?

            I haven't looked at how similar the options.h of wolfssl in Debian is to what's used by MariaDB.

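            One way to make the options.h comparison mentioned in the comment above, as an added example that is not part of the issue or of MariaDB's code: it computes which macros are in effect in two wolfSSL options.h files and reports the differences. The two header texts and the names parse_options, diff_options, BUNDLED_SAMPLE and SYSTEM_SAMPLE are constructed for illustration and are not the real Debian or MariaDB configuration.

```python
import re

# Matches "#define NAME [value]" and "#undef NAME" lines.
_DIRECTIVE = re.compile(r"^\s*#\s*(define|undef)\s+([A-Za-z_]\w*)\s*(.*?)\s*$")


def parse_options(text):
    """Return {macro: value} in effect after all #define/#undef lines."""
    macros = {}
    for line in text.splitlines():
        line = re.sub(r"/\*.*?\*/", "", line)  # drop one-line C comments
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        kind, name, value = m.groups()
        if kind == "define":
            macros[name] = value
        else:  # a later #undef cancels an earlier #define
            macros.pop(name, None)
    return macros


def diff_options(text_a, text_b):
    """Compare the effective build options of two options.h texts."""
    a, b = parse_options(text_a), parse_options(text_b)
    return {
        "only_a": sorted(a.keys() - b.keys()),
        "only_b": sorted(b.keys() - a.keys()),
        "changed": sorted(k for k in a.keys() & b.keys() if a[k] != b[k]),
    }


# Constructed samples (assumption): stand-ins for a bundled build's header
# and a distribution package's header.
BUNDLED_SAMPLE = """#undef  HAVE_ECC\n#define HAVE_ECC
#undef  OPENSSL_EXTRA\n#define OPENSSL_EXTRA
#undef  FP_MAX_BITS\n#define FP_MAX_BITS 8192
#undef  NO_DES3\n#define NO_DES3
"""
SYSTEM_SAMPLE = """#undef  HAVE_ECC\n#define HAVE_ECC
#undef  OPENSSL_EXTRA\n#define OPENSSL_EXTRA
#undef  WOLFSSL_TLS13\n#define WOLFSSL_TLS13 /* enabled by packager */
#undef  FP_MAX_BITS\n#define FP_MAX_BITS 16384
#undef  NO_DES3
"""

if __name__ == "__main__":
    for key, names in diff_options(BUNDLED_SAMPLE, SYSTEM_SAMPLE).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

Any non-empty result means the application and the library were configured differently, which is the situation the stable-ABI concern above is about.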

            otto Otto Kekäläinen added a comment -

            Side note: Downstream in Debian the release team finally gave us permission to use OpenSSL and thus WolfSSL (ssl=bundled) was now dropped for MariaDB 10.5 in Debian. Ref: https://salsa.debian.org/mariadb-team/mariadb-10.5/-/commit/ca2574aa88434d1c49456c677b7dcb904902daaf

            Thus switching importance to 'minor' now.

            danblack Daniel Black added a comment -

            Closing for now. Describe a reason for the requirement if reopening.


            People

              Assignee: Unassigned
              Reporter: otto Otto Kekäläinen
              Votes: 0
              Watchers: 7
