Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Switch from MbedTLS to OpenSSL #56708

Open
wants to merge 22 commits into
base: master
Choose a base branch
from

Conversation

eschnett
Copy link
Contributor

@eschnett eschnett commented Nov 28, 2024

Based on @fxcoudert's openssl branch and pull request at #53891.

  • diff re-applied to current Julia master (hence the new commit)
  • LibCURL, LibGit2, LibSSH2, OpenSSL updated to newest version
  • MbedTLS removed

@eschnett
Copy link
Contributor Author

eschnett commented Nov 28, 2024

Current to-do list:

  • Understand how NetworkOptions and OpenSSL cooperate regarding CA roots. Possibly remove all NetworkOptions stuff from the OpenSSL_jll stdlib.
  • NetworkOptions has some MbedTLS-specific code. This needs to be switched to OpenSSL.
  • I added some OpenSSL CA-root work-around into the test cases. That should probably be removed again.
  • Something is off with LibCURL. We need to decide what to do, at the moment likely just staying at an older version.

@giordano
Copy link
Contributor

Something is off with LibCURL. We need to decide what to do, at the moment likely just staying at an older version.

If you mean with libcurl v8.10+ JuliaLang/Downloads.jl#260, JuliaLang/Downloads.jl#260 (comment) should fix it. But there are still other failures: JuliaLang/Downloads.jl#261

@eschnett
Copy link
Contributor Author

eschnett commented Nov 29, 2024

This PR requires the two other PRs

Currently these other PRs are hardcoded in stdlib/NetworkOptions.version and Pkg.version. That also needs to be undone.

@eschnett
Copy link
Contributor Author

@giordano There is a likely-spurious test failure. Can you restart test x86_64-unknown-freebsd?

deps/checksums/clang Outdated Show resolved Hide resolved
deps/checksums/llvm Outdated Show resolved Hide resolved
deps/checksums/suitesparse Outdated Show resolved Hide resolved
deps/checksums/unwind Outdated Show resolved Hide resolved
deps/curl.mk Outdated Show resolved Hide resolved
@giordano giordano added building Build system, or building Julia or its dependencies external dependencies Involves LLVM, OpenBLAS, or other linked libraries stdlib Julia's standard library labels Nov 29, 2024
@giordano
Copy link
Contributor

giordano commented Dec 1, 2024

Ok, now we're back to the point where Julia's own CI passes, but trying to load PyCall wreaks havoc:

$ julia +pr56708 --project -q
julia> using PyCall

julia> py"""
       import urllib.request
       with urllib.request.urlopen('http://python.org/') as response:
          html = response.read()
       """
ERROR: PyError ($(Expr(:escape, :(ccall(#= /home/mose/.julia/packages/PyCall/1gn3u/src/pyeval.jl:38 =# @pysym(:PyEval_EvalCode), PyPtr, (PyPtr, PyPtr, PyPtr), o, globals, locals))))) <class 'urllib.error.URLE
rror'>
URLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)'))

This is where we were stuck with #53891.

@giordano
Copy link
Contributor

giordano commented Dec 1, 2024

Should PyCall/PythonCall do something like

    py"""
    import ssl
    def create_julia_https_context():
        return ssl.create_default_context(cafile=$(NetworkOptions.bundled_ca_roots()))

    ssl._create_default_https_context = create_julia_https_context
    """

as suggested by @mkitti at #53891 (comment)? That does seem to work for me:

$ julia +pr56708 --project -q
julia> using PyCall, NetworkOptions

julia> py"""
       import ssl
       def create_julia_https_context():
           return ssl.create_default_context(cafile=$(NetworkOptions.bundled_ca_roots()))
       ssl._create_default_https_context = create_julia_https_context
       import urllib.request
       with urllib.request.urlopen('http://python.org/') as response:
           html = response.read()
       """

julia> py"html"
"<!doctype html>\n<!--[if lt IE 7]>   <html class=\"no-js ie6 lt-ie7 lt-ie8 lt-ie9\">   <![endif]-->\n<!--[if IE 7]>      <html class=\"no-js ie7 lt-ie8 lt-ie9\">          <![endif]-->\n<!--[if IE 8]>      <html class=\"no-js ie8 lt-ie9\">                 <![endif]-->\n<!--[if gt IE " ⋯ 50648 bytes ⋯ "s/IE8-min.8af6e26c7a3b.js\" charset=\"utf-8\"></script>\n    \n    \n    <![endif]-->\n\n    <!--[if lte IE 8]>\n
    <script type=\"text/javascript\" src=\"/static/js/plugins/getComputedStyle-min.d41d8cd98f00.js\" charset=\"utf-8\"></script>\n    \n    \n    <![endif]-->\n\n    \n\n    \n    \n\n</body>\n</html>\n"

CC @cjdoris @stevengj we really need your input here, otherwise this PR will be stuck again for ages and we don't move on.

@KristofferC
Copy link
Member

Maybe asking for forgiveness is better than asking for permission here. As I understand it, this is quite important from a security standpoint so it if the ecosystem has to catch up for a while then so be it?

@DilumAluthge
Copy link
Member

Are PyCall/PythonCall the only places in the ecosystem that this PR breaks?

Could we run a PkgEval on this PR, to see if any other parts of the ecosystem are broken by this PR?

@giordano
Copy link
Contributor

giordano commented Dec 2, 2024

This is the summary of last time I looked at PkgEval: #53891 (comment)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reminder that before merging this PR the PRs to Pkg and NetworkOptions must be merged, and these files changed back to point to the original repo

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tests on Pkg doesn't pass until this is merged so it is a bit tricky.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are there any tests that are run only on CI there, or we're good to have all tests passing on this PR (they were passing until yesterday or so)? We can do a coordinated merge of the three PRs, to reduce disruption.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it is fine to merge here and then when master updates rerun CI on Pkg and merge it there (and then update the commit again). The activity in the Pkg repo is not super high nowadays.

The alternative is to write the tests so that they pass both here and on master but that might be a bit more effort than it is worth.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The problem of merging this PR first is that it'd make its merge commit not buildable from source if Erik's branch or fork are deleted.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And thus can possibly break git bisect in the future?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can merge it on Pkg with tests breaking if the manifest is the only test that matters. Or both manifests are checked in and the relevant one is renamed based on the version.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And thus can possibly break git bisect in the future?

Yeah, whenever someone needs to build a specific commit, git bisect is indeed my main concern.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let me know when is a good time to do so. (After doing so, many things will fail on this branch before these repos are updated. We should do so only shortly before merging.)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For these files to be updated the respective changes to NetworkOptions and Pkg need to be merged first.

@giordano giordano added the needs pkgeval Tests for all registered packages should be run with this change label Dec 2, 2024
@mkitti
Copy link
Contributor

mkitti commented Dec 2, 2024

Can we package mbedTLS as an independent package for other packages which may still have a hard dependency on it?

@quinnj
Copy link
Member

quinnj commented Dec 2, 2024

Can we package mbedTLS as an independent package for other packages which may still have a hard dependency on it?

Separate from the existing mbedtls_jll and MbedTLS.jl packages that already exist?

@giordano
Copy link
Contributor

giordano commented Dec 2, 2024

@nanosoldier runtests()

@DilumAluthge
Copy link
Member

I think the backticks are mandatory.

@DilumAluthge
Copy link
Member

@nanosoldier runtests()

@nanosoldier
Copy link
Collaborator

The package evaluation job you requested has completed - possible new issues were detected.
The full report is available.

@eschnett
Copy link
Contributor Author

eschnett commented Dec 3, 2024

Some interesting failures: EasyCurl, JLLPrefixes.
Some expected/benign failures: SciMLTutorials (stores Manifest.toml in the repository, fails because MbedTLS_jll isn't there any more)

@eschnett
Copy link
Contributor Author

eschnett commented Dec 6, 2024

How do we proceed here?

@oscardssmith
Copy link
Member

pressing the merge button? :)

@eschnett
Copy link
Contributor Author

If you are worried about merging three PRs simultaneously: With semver, the technically correct path would be to declare compatibilities via version numbers (i.e. bumping the major version number of NetworkOptions.jl and Pkg.jl) and applying the patches there, and then merging this PR here.

@mkitti
Copy link
Contributor

mkitti commented Dec 10, 2024

How do we make MbedTLS_jll available?

@eschnett
Copy link
Contributor Author

@mkitti MbedTLS_jll is available via the standard package registry. If you add MbedTLS_jll in your project it'll be added in the usual way. Having it in your Project.toml as dependency suffices. See e.g. https://github.com/JuliaLang/MbedTLS.jl/blob/master/Project.toml .

This PR removes MbedTLS_jll from the Project.toml in Julia's stdlib directory because no stdlib depends on it any more.

Julia's build-from-source mechanism can operate in two ways, either building all stdlibs from source, or (and that's the default) downloading jlls from the package registry. This is how MbedTLS_jll is installed by default.

I don't know whether I'm answering your question or saying something trivial.

@mkitti
Copy link
Contributor

mkitti commented Dec 10, 2024

What's the fix for SciMLTutorials? Could we out together that PR first?

@KristofferC
Copy link
Member

The Pkg bump should at least be rebased on current Pkg master.

@eschnett
Copy link
Contributor Author

The fix for SciMLTutorials is to update all the Manifest.toml files in the repository. I assume that a using Pkg; Pkg.instantiate() would be sufficient. Pkg.update() would also work.

@eschnett
Copy link
Contributor Author

@KristofferC I updated the Pkg.jl PR.

@giordano
Copy link
Contributor

I went through all the new 35 failures reported by PkgEval:

If we're happy to let downstream developers fix the issues in their packages, e.g. for PyCall/PythonCall (the three BinaryBuilder-related ones are fine to ignore, issues should definitely be fixed in the package), then this is good to go from my point of view, as long as we decide what to do with the versions of the external stdlibs that need to be updated (I vote to merge the PRs to the external repos all together and then merge this PR, too, tests here are passing for julia + stdlibs)

@eschnett
Copy link
Contributor Author

I merged in the master branch to resolve conflicts.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
building Build system, or building Julia or its dependencies external dependencies Involves LLVM, OpenBLAS, or other linked libraries JLLs needs pkgeval Tests for all registered packages should be run with this change stdlib Julia's standard library
Projects
None yet
Development

Successfully merging this pull request may close these issues.

10 participants