[MDEV-21835] Implement option 'system-wolfssl' in build flag WITH_SSL Created: 2020-02-27  Updated: 2022-07-08

Status: Open
Project: MariaDB Server
Component/s: SSL
Affects Version/s: 10.5.1
Fix Version/s: 10.5

Type: Bug Priority: Minor
Reporter: Otto Kekäläinen Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-26758 Make libmariadb run under MSAN Closed

 Description   

Currently the build flag WITH_SSL can be used to either use the system OpenSSL library, a custom OpenSSL from an alternative path or the embedded WolfSSL. There is currently no option to use the system WolfSSL.

In e.g. Debian WolfSSL has been packaged and available in the distro since 2015.

Please implement option WITH_SSL=system-wolfssl

I already did a stub at https://salsa.debian.org/mariadb-team/mariadb-10.4/-/commit/d540460bd807b47dba031744e630a450d4c39951 but I don't have enough skills (or time) to figure out all details and how to finish it, so I wish somebody else would do this.

NOTE! If it turns out that WolfSSL in Debian somehow is not suitable for MariaDB builds, please file bugs for the package in Debian. The maintainer seems very responsive and happy to modify the package so that its consumers are happy.

PS. Nowadays the option should be WITH_TLS but that is another issue.



 Comments   
Comment by Sergei Golubchik [ 2020-06-08 ]

This can be done in 10.5

Comment by Otto Kekäläinen [ 2020-09-29 ]

I tried simply to build with this:

-           -DWITH_SSL=bundled \
+           -DWITH_SSL=/usr/include/wolfssl \

And another try with:

-           -DWITH_SSL=bundled \
+           -DWITH_SSL=/usr/include/wolfssl/openssl \
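
Review bot: the value on the `+` line here, like `/usr/include/wolfssl` in the first attempt, is a header directory, while the CMake error quoted below describes the path form of WITH_SSL as `</path/to/custom/installation>`. If a path is passed, it should be the installation root rather than a directory under `/usr/include`. Note also that none of the values the error lists selects a system wolfSSL, which is what this issue requests.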

But both cases fail with:

CMake Error at cmake/ssl.cmake:161 (MESSAGE):
  Wrong option for WITH_SSL.  Valid values are: bundled (use wolfssl), yes
  (prefer os library if present, otherwise use bundled), system (use os
  library), </path/to/custom/installation>
Call Stack (most recent call first):
  CMakeLists.txt:387 (MYSQL_CHECK_SSL)

I tried to read in cmake/ssl.cmake what exactly it expects to find at a custom path to happily use it, but did not understand the CMake code well enough to figure it out.

Comment by Otto Kekäläinen [ 2020-09-30 ]

Any comments here robertbindar? This has been assigned to you for quite a long time already.

Downstream Debian folks noticed WolfSSL is embedded and dislike it (for a valid reason), see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971367

Comment by Daniel Black [ 2020-10-07 ]

I understand why distros dislike bundled packages.

Wolfssl doesn't offer a stable ABI. If Debian bumped the version due to a security vulnerability there's no assurance to believe the same ABI will be generated.

https://www.wolfssl.com/docs/frequently-asked-questions-faq/#How_do_I_manage_the_build_configuration_for_wolfSSL?

I haven't looked at how similar the options.h of wolfssl in Debian is to what's used by MariaDB.
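
An added example, not part of the original comment and not MariaDB or wolfSSL code: one way to carry out the options.h comparison mentioned above, by diffing the macros two wolfSSL build configurations leave defined. The header contents are constructed samples (not the real Debian or MariaDB files) and the function names are hypothetical.

```python
import re

# Matches "#define NAME [value]" and "#undef NAME" preprocessor lines.
_DIRECTIVE = re.compile(r"^\s*#\s*(define|undef)\s+([A-Za-z_]\w*)[ \t]*(.*)$")


def parse_options(text):
    """Return {macro: value} for macros still defined at the end of the header."""
    macros = {}
    for line in text.splitlines():
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        kind, name, value = m.groups()
        if kind == "define":
            macros[name] = value.strip()
        else:
            macros.pop(name, None)  # a later #undef cancels an earlier #define
    return macros


def compare_options(a_text, b_text):
    """Diff two options.h files: macros only in A, only in B, and value changes."""
    a, b = parse_options(a_text), parse_options(b_text)
    return {
        "only_a": sorted(a.keys() - b.keys()),
        "only_b": sorted(b.keys() - a.keys()),
        "changed": {k: (a[k], b[k]) for k in sorted(a.keys() & b.keys()) if a[k] != b[k]},
    }


# Constructed samples, not the real Debian or MariaDB headers.
DISTRO_OPTIONS_H = """\
#undef  HAVE_AESGCM
#define HAVE_AESGCM
#undef  WOLFSSL_TLS13
#define WOLFSSL_TLS13
#undef  FP_MAX_BITS
#define FP_MAX_BITS 8192
"""
BUNDLED_OPTIONS_H = """\
#define HAVE_AESGCM
#define OPENSSL_EXTRA
#define FP_MAX_BITS 16384
#define WOLFSSL_TLS13
#undef WOLFSSL_TLS13
"""

if __name__ == "__main__":
    for key, value in compare_options(DISTRO_OPTIONS_H, BUNDLED_OPTIONS_H).items():
        print(key, value)
```

Any non-empty result means the two builds were configured differently, which is the situation where a distro version bump could change the library a dependent program was compiled against.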

Comment by Otto Kekäläinen [ 2020-10-27 ]

Side note: Downstream in Debian the release team finally gave us permission to use OpenSSL and thus WolfSSL (ssl=bundled) was now dropped for MariaDB 10.5 in Debian. Ref: https://salsa.debian.org/mariadb-team/mariadb-10.5/-/commit/ca2574aa88434d1c49456c677b7dcb904902daaf

Thus switching importance to 'minor' now.
