Details
-
Task
-
Status: Closed (View Workflow)
-
Blocker
-
Resolution: Fixed
-
None
Description
OpenSSL 3.0 is not yet released as GA, but we already experiment with the builds in Fedora (Copr repository available: https://copr.fedorainfracloud.org/coprs/saprasad/openssl-3.0/) or in CentOS Stream 9 (https://kojihub.stream.centos.org/koji/buildinfo?buildID=7571).
There are some documented changes in OpenSSL 3.0: https://wiki.openssl.org/index.php/OpenSSL_3.0 but there are also some changes that should not be visible. However, since other SW depends on some internals, the changes actually affect the compatibility more than documented.
MariaDB 10.5.9 (expecting 10.6.x behaves the same) fails to build with this upcoming OpenSSL 3.0.
The problem is mainly with md5, sha and crypto parts.
A partial fix is proposed here:
https://gitlab.com/redhat/centos-stream/rpms/mariadb/-/merge_requests/4
but some tests (related to encrypting) fail even with this patch, so it is definitely not complete.
MySQL report is https://bugs.mysql.com/bug.php?id=103818
Attachments
Issue Links
- blocks
-
MDEV-25949 Add support for OpenSSL 3.0 in Galera
-
- Closed
-
- causes
-
-
- Closed
-
-
-
- Closed
-
- includes
-
-
- In Review
-
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
- is blocked by
-
-
- Closed
-
-
-
- Closed
-
- is part of
-
-
- Closed
-
- relates to
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
Activity
I think preview-10.8-MDEV-25785-openssl3.0 as of 7cd965af can and should be pushed into the main 10.8 and released with 10.8.1. There are some limitations and can be a lot of unknowns, depending on the variety of environments and systems, which is why we need the community feedback.
Current status:
- Linux: The server and most plugins build with basic build configurations (RelWithDebInfo, Debug, mysql_release) on a variety of Linux versions. Checked: Ubuntu 18.04/20.04, Debian 9/10/11, SLES 12/15, RHEL 7/8, x86_64/aarch64; Ubuntu 20.04 ppc64le; OpenSSL 3.0.1, in-source build and build + local installation in custom location.
- Limitations:
- Columnstore does not build,
MCOL-4964to track; - A user should be careful with cmake options to make sure the custom OpenSSL 3 does not mix up with the default OpenSSL installation of a different version,
MDEV-27540to track (not directly related to this task)
- Columnstore does not build,
- Limitations:
- On Fedora Rawhide, where OpenSSL 3.0.0 is installed by default, the packages can be built and installed with it
- On Windows, the server can be built and run with both OpenSSL 3.0.0 installed from slpro and with OpenSSL 3.0.1 built locally
- Limitations:
- For a local OpenSSL build, installation must be performed (nmake install). With an in-source build, MariaDB server will compile/link, but will issue runtime errors (probably has always been so, and various README notes also suggest installation).
- Limitations:
- CI: There is a Ubuntu 20.04-based buildbot builder which currently builds the server with a local OpenSSL 3.0.1 installation, and there will soon be a Rawhide-based builder which will run RPM builds with the system-wide OpenSSL 3.
Other notes:
- There are a few binaries/plugins which still link with OpenSSL 1.x, whether legitimately or not, it is being looked into (
MDEV-27542) - I didn't manage to build deb packages with OpenSSL 3.0 yet, there are some configuration issues to work around. It shouldn't be important for initial adoption though.
elenst Codership reported earlier that Galera library will build with OpenSSL 3.0 but I have not tested (MDEV-25949 ).
Galera library is obviously out of this server task, it was also stated in advance in this comment.
I did run .*ssl.* MTR tests as a part of the Linux exercise, including tests in the galera suite with an existing galera-4 library, on a server linked with openssl3, they passed. This is as much as I can say about the current Galera status.
Thanks Vladislav very much for your info!