This is an automated email from the ASF dual-hosted git repository.
alexey pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kudu.git
The following commit(s) were added to refs/heads/master by this push:
new 6ab3f2493 Fix compilation if using OpenSSL < 1.1.1
6ab3f2493 is described below
commit 6ab3f249351a4ee5d73eb8bda3585c4dcd85d070
Author: Abhishek Chennaka <[email protected]>
AuthorDate: Wed Aug 13 22:25:41 2025 -0700
Fix compilation if using OpenSSL < 1.1.1
This change adds a version guard around the call to
SSL_CTX_set_ciphersuites() so it only compiles when
building with OpenSSL versions that support it. This
addresses a build failure caused by commit f6fbcde on
systems using OpenSSL 1.0.x.
The --webserver_tls_min_protocol flag's validator is
also updated to check the requested TLS version against
the available OpenSSL version.
The build has been tested successfully on a CentOS 7.9
machine.
This is a followup to f6fbcde.
Change-Id: I7410a1f08e700efd8a917be8c59d54a497023cef
Reviewed-on: http://gerrit.cloudera.org:8080/23295
Tested-by: Abhishek Chennaka <[email protected]>
Reviewed-by: Alexey Serbin <[email protected]>
---
src/kudu/server/webserver_options.cc | 35 ++++++++++++++++++++----
thirdparty/download-thirdparty.sh | 5 ++--
thirdparty/patches/squeasel-tls-openssl10x.patch | 32 ++++++++++++++++++++++
3 files changed, 65 insertions(+), 7 deletions(-)
diff --git a/src/kudu/server/webserver_options.cc
b/src/kudu/server/webserver_options.cc
index 92cdcc035..16dfc8d50 100644
--- a/src/kudu/server/webserver_options.cc
+++ b/src/kudu/server/webserver_options.cc
@@ -23,6 +23,7 @@
#include <gflags/gflags.h>
#include <glog/logging.h>
+#include <openssl/crypto.h>
#include "kudu/gutil/macros.h"
#include "kudu/gutil/strings/substitute.h"
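Review bot: The only OpenSSL name this file now uses is the `OPENSSL_VERSION_NUMBER` macro, which is defined in `<openssl/opensslv.h>`; the added `<openssl/crypto.h>` works only because it pulls that header in transitively. Including `#include <openssl/opensslv.h>` directly states the dependency precisely and exists on every OpenSSL version this change targets, including 1.0.x. This is a style point; the build is correct either way.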
@@ -125,7 +126,8 @@ TAG_FLAG(webserver_tls_ciphersuites, advanced);
DEFINE_string(webserver_tls_min_protocol,
kudu::security::SecurityDefaults::kDefaultTlsMinVersion,
"The minimum protocol version to allow when for webserver HTTPS "
- "connections. May be one of 'TLSv1', 'TLSv1.1', 'TLSv1.2', or
'TLSv1.3'.");
+ "connections. May be one of 'TLSv1', 'TLSv1.1', 'TLSv1.2', or
'TLSv1.3' "
+ "(TLSv1.3 is only available when compiled with OpenSSL 1.1.1 or
later).");
TAG_FLAG(webserver_tls_min_protocol, advanced);
DEFINE_bool(webserver_require_spnego, false,
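Review bot: The new parenthetical in the help text documents only the TLSv1.3 constraint, while the validator later in this same file also rejects `TLSv1.2` on builds older than OpenSSL 1.0.1, so an operator reading `--helpfull` can still hit a validation failure the text does not mention. A wording such as `"(TLSv1.2 requires OpenSSL 1.0.1 or later; TLSv1.3 requires OpenSSL 1.1.1 or later)."` keeps the help text and the validator in agreement. The unchanged context line above still reads "to allow when for webserver HTTPS", which looks like a stray word; since this string is being edited anyway, dropping "when" would fix it.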
@@ -156,10 +158,33 @@ bool ValidateTlsFlags() {
GROUP_FLAG_VALIDATOR(webserver_tls_options, ValidateTlsFlags);
bool ValidateTlsMinVersion(const char* /* flagname */, const string& ver) {
- return kudu::iequals(ver, "TLSv1") ||
- kudu::iequals(ver, "TLSv1.1") ||
- kudu::iequals(ver, "TLSv1.2") ||
- kudu::iequals(ver, "TLSv1.3");
+ // TLSv1.0 is available in OpenSSL 0.9.8+.
+ // TLSv1.1 is available in OpenSSL 1.0.1+ (some distros backported earlier).
+ if (kudu::iequals(ver, "TLSv1") || kudu::iequals(ver, "TLSv1.1")) {
+ return true;
+ }
+ // TLSv1.2 is supported in OpenSSL 1.0.1.
+ if (kudu::iequals(ver, "TLSv1.2")) {
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L // >= 1.0.1
+ return true;
+#else
+ LOG(ERROR) << "TLSv1.2 requested, but available OpenSSL version "
+ "is too old (need >= 1.0.1)";
+ return false;
+#endif
+ }
+ // TLSv1.3 is supported in OpenSSL 1.1.1+
+ if (kudu::iequals(ver, "TLSv1.3")) {
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L // >= 1.1.1
+ return true;
+#else
+ LOG(ERROR) << "TLSv1.3 requested, but available OpenSSL version "
+ "is too old (need >= 1.1.1)";
+ return false;
+#endif
+ }
+ LOG(ERROR) << "Unrecognized TLS version string: " << ver;
+ return false;
}
DEFINE_validator(webserver_tls_min_protocol, &ValidateTlsMinVersion);
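Review bot: The version checks in ValidateTlsMinVersion are resolved against `OPENSSL_VERSION_NUMBER` at compile time, so the message "available OpenSSL version is too old" describes the headers the binary was built with, not the library loaded at runtime; the two can differ when OpenSSL is linked dynamically, and the commit message's "available version" reads as if this were a runtime check. Saying so in the message, e.g. `"TLSv1.3 requested, but the OpenSSL version this binary was built against (" OPENSSL_VERSION_TEXT ") is too old (need >= 1.1.1)"`, keeps operators from chasing the wrong library. If a runtime check is wanted, `OpenSSL_version_num()` (1.1.0+) or `SSLeay()` (1.0.x) report the loaded library's version, though the compile-time guard is still needed to keep the build working on 1.0.x. A one-line comment above the function, `// Version checks are against the OpenSSL headers used at build time, not the runtime library.`, would make the limitation explicit.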
diff --git a/thirdparty/download-thirdparty.sh
b/thirdparty/download-thirdparty.sh
index 994be1f10..4fc951bee 100755
--- a/thirdparty/download-thirdparty.sh
+++ b/thirdparty/download-thirdparty.sh
@@ -278,14 +278,15 @@ fetch_and_patch \
"patch -p1 < $TP_DIR/patches/rapidjson-document-assignment-operator-00.patch"
\
"patch -p1 < $TP_DIR/patches/rapidjson-document-assignment-operator-01.patch"
-SQUEASEL_PATCHLEVEL=3
+SQUEASEL_PATCHLEVEL=4
fetch_and_patch \
squeasel-${SQUEASEL_VERSION}.tar.gz \
$SQUEASEL_SOURCE \
$SQUEASEL_PATCHLEVEL \
"patch -p1 < $TP_DIR/patches/squeasel-handle-openssl-errors.patch" \
"patch -p1 < $TP_DIR/patches/squeasel-tls-min-version.patch" \
- "patch -p1 <
$TP_DIR/patches/squeasel-support-get-bound-addresses-for-ipv6.patch"
+ "patch -p1 <
$TP_DIR/patches/squeasel-support-get-bound-addresses-for-ipv6.patch" \
+ "patch -p1 < $TP_DIR/patches/squeasel-tls-openssl10x.patch"
MUSTACHE_PATCHLEVEL=0
fetch_and_patch \
diff --git a/thirdparty/patches/squeasel-tls-openssl10x.patch
b/thirdparty/patches/squeasel-tls-openssl10x.patch
new file mode 100644
index 000000000..9d2a31e5e
--- /dev/null
+++ b/thirdparty/patches/squeasel-tls-openssl10x.patch
@@ -0,0 +1,32 @@
+From 698e5c1d3c82d52b41890753314d7c4af22050ae Mon Sep 17 00:00:00 2001
+From: Abhishek Chennaka <[email protected]>
+Date: Wed, 20 Aug 2025 14:05:23 -0700
+Subject: [PATCH] Exclude SSL_CTX_set_ciphersuites call for OpenSSL 1.0.x
+
+---
+ squeasel.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/squeasel.c b/squeasel.c
+index c38c52e..fdd6375 100644
+--- a/squeasel.c
++++ b/squeasel.c
+@@ -3983,6 +3983,7 @@ static int set_ssl_option(struct sq_context *ctx) {
+ // non-empty list of default TLSv1.3 ciphers when given an empty list of
+ // TLSv1.2 ciphers, and SSL_CTX_set_ciphersuites() would allow an empty
set
+ // of TLSv1.3 ciphers in a subsequent call.
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+ if (ctx->config[SSL_CIPHERSUITES] != NULL) {
+ if (SSL_CTX_set_ciphersuites(ctx->ssl_ctx,
ctx->config[SSL_CIPHERSUITES]) != 1) {
+ cry(fc(ctx), "SSL_CTX_set_ciphersuites: error setting ciphers (%s):
%s",
+@@ -3990,6 +3991,7 @@ static int set_ssl_option(struct sq_context *ctx) {
+ return 0;
+ }
+ }
++#endif
+ if (ctx->config[SSL_CIPHERS] != NULL) {
+ if (SSL_CTX_set_cipher_list(ctx->ssl_ctx, ctx->config[SSL_CIPHERS]) !=
1) {
+ cry(fc(ctx), "SSL_CTX_set_cipher_list: error setting ciphers (%s):
%s",
+--
+1.8.3.1
+
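Review bot: With the new `#if OPENSSL_VERSION_NUMBER >= 0x10101000L` guard, a configured `SSL_CIPHERSUITES` value is silently dropped on OpenSSL builds older than 1.1.1: the option is accepted but never applied and nothing is logged, so an operator who set TLSv1.3 cipher suites gets no signal that they are not in effect. An `#else` branch that reports the condition through `cry()` when `ctx->config[SSL_CIPHERSUITES] != NULL` would make the degraded configuration visible; whether it should also fail `set_ssl_option` (return 0) depends on whether the option's default is non-empty, which is not visible in this patch. The enclosing `set_ssl_option` starts and ends outside this hunk.
```c
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
  /* … unchanged: SSL_CTX_set_ciphersuites() call and its error handling … */
#else
  if (ctx->config[SSL_CIPHERSUITES] != NULL) {
    cry(fc(ctx), "SSL_CTX_set_ciphersuites is not available in this OpenSSL "
        "build; ignoring the configured TLSv1.3 cipher suites");
  }
#endif
```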