C++ client: build with OpenSSL by default (1.x) and bundle the runtime libs#17973
C++ client: build with OpenSSL by default (1.x) and bundle the runtime libs#17973hongzhi-gao wants to merge 3 commits into
Conversation
- Default WITH_SSL / with.ssl to ON (CMake + Maven), so client-cpp and the CI packaging/verify jobs build with SSL by default. - Bundle the resolved OpenSSL shared libraries into the package lib/ (new InstallOpenSSLRuntime.cmake) so the SDK is self-contained. - Prefer system OpenSSL (any version); pin the from-source fallback to OpenSSL 1.1.1w (1.x), no longer 3.x, and use ./config for 1.1.x. - Encode WITH_SSL in the Thrift build stamp and forward OPENSSL_ROOT_DIR so TSSLSocket links the same OpenSSL we bundle. - CI: install openssl-devel in the manylinux build; point macOS at the keg-only Homebrew OpenSSL. - Update README/dependency docs accordingly.
Thrift 0.21's TSSLSocket.cpp does not compile against OpenSSL 3.x (SSLv3_method/TLSv1_method/ASN1_STRING_data/non-const X509_NAME* were removed), which broke the Windows/macOS packaging CI once SSL was on by default. - FetchOpenSSL: accept a system OpenSSL only when it is 1.x; ignore 3.x and build OpenSSL 1.1.1w from source instead. Rename the fallback version variable to OPENSSL_FALLBACK_VERSION to avoid colliding with find_package's OPENSSL_VERSION output. Windows error now asks for 1.1.1. - CI: pin Windows to 'choco install openssl --version=1.1.1.2100'; drop Homebrew openssl on macOS (only ships 3.x; openssl@1.1 is gone) so the build compiles 1.1.1w from source. Linux manylinux keeps system 1.1.1. - Docs updated for the 1.x-only policy. Verified locally on Windows against a clean OpenSSL 1.1.1 root: find_package accepts 1.1.1, iotdb_session.dll links and imports libssl-1_1-x64.dll/libcrypto-1_1-x64.dll, both bundled into lib/.
On CI runners the image ships OpenSSL 3.x and 'choco install openssl 1.1.1.2100' deploys into the same C:\Program Files\OpenSSL, leaving a mixed install: 1.1.1 headers + top-level lib/ but 3.x lib/VC/ import libs. FindOpenSSL prefers the lib/VC/<arch>/<MD|MT>/ import lib, which binds to the 3.x DLL, so the link fails to resolve the 1.1-only symbol SSL_get_peer_certificate that Thrift's TSSLSocket.obj references. After accepting a 1.x OpenSSL on Windows, pin OpenSSL::SSL/Crypto's IMPORTED_LOCATION/IMPORTED_IMPLIB (all configs) to the top-level lib/libssl.lib and lib/libcrypto.lib, which match the bundled 1.1 runtime DLLs. Verified locally on Windows against an equivalent mixed install: iotdb_session.dll links and imports libssl-1_1-x64.dll/ libcrypto-1_1-x64.dll, both bundled into lib/.
This comment was marked as duplicate.
This comment was marked as duplicate.
Sorry, something went wrong.
|
English version of my review above: I think this PR should not be merged yet. The main blocker is that the current fallback/packaging path distributes OpenSSL 1.1.1 code in the C++ SDK binary/package.
Also, OpenSSL 1.1.1 reached EOL on 2023-09-11 and no longer receives public security fixes: https://openssl-corporation.org/post/2023-09-11-eol-111/. Making it the default SSL runtime/fallback should be an explicit project-level decision. |
2 participants
Description:
Default WITH_SSL/with.ssl to ON so the C++ client and CI build with SSL.
Bundle the linked OpenSSL shared libs into the package lib/ so the SDK is self-contained.
Pin OpenSSL to 1.x: Thrift 0.21 doesn't compile against 3.x. find_package accepts only 1.x (ignores 3.x); otherwise builds 1.1.1w from source. CI installs OpenSSL 1.1.1 accordingly.
On Windows, pin the OpenSSL import libs to the top-level lib/libssl.lib/libcrypto.lib to avoid a 3.x/1.1 mixed-install link failure (SSL_get_peer_certificate).