The extension configuration that we maintain at https://github.com/envoyproxy/envoy-openssl/blob/master/envoy_build_config/extensions_build_config.bzl has diverged from https://github.com/envoyproxy/envoy/blob/master/source/extensions/extensions_build_config.bzl. We need to sync our config with main Envoy.

The last few days I looked into the project and tried to build locally. I initally tried to build it on my local system but noticed that there were some problems that are probably much easier in a separate environment.

After trying a custom container and building envoyproxy/envoy-build-ubuntu referenced in the envoy documentation, I still have not succeeded in building the reverse proxy with OpenSSL support. I managed to bypass errors, such as envoyproxy/envoy-build-ubuntu not having exported the path to clang and some "missing" folders but I always end up with bssl not building.

What is the proper build environment/container for this project?

Hi All,

We are facing issue while building bssl-compat library using envoy-openssl branch v1.28 on RHEL9.2 with clang-14. When we are building the standalone build of bssl-compat library we are able to build it without any issues. We are having issue only when built in bazel environment. Please assist me in resolving this issue.

[errorlog.txt](https://github.com/user-attachments/files/15991153/errorlog.txt)

[root@bd13abfc20e8 envoy-openssl]# bazel build -c opt //source/exe:envoy-static --sandbox_debug --verbose_failures --//source/extensions/filters/common/lua:luajit2=1  --linkopt=-fuse-ld=gold --copt="-Wno-deprecated-declarations" --local_cpu_resources=30 --local_ram_resources=61440 --jobs=30
Extracting Bazel installation...
Starting local Bazel server and connecting to it...
INFO: Analyzed target //source/exe:envoy-static (1001 packages loaded, 67645 targets configured).
INFO: Found 1 target...
ERROR: /root/.cache/bazel/_bazel_root/e708ec56094462adb2c47f36d6f86338/external/envoy/bssl-compat/BUILD:10:6: Foreign Cc - CMake: Building bssl-compat failed: (Exit 2): process-wrapper failed: error executing command 
  (cd /root/.cache/bazel/_bazel_root/e708ec56094462adb2c47f36d6f86338/sandbox/processwrapper-sandbox/3633/execroot/envoy && \
  exec env - \
    BAZEL_LINKLIBS=-l%:libstdc++.a \
    BAZEL_LINKOPTS=-lm \
    CC=/usr/bin/clang \
    CXX=/usr/bin/clang++ \
    PATH=/bin:/usr/bin:/usr/local/bin \
    TMPDIR=/tmp \
  /root/.cache/bazel/_bazel_root/install/dfe56ac81989e2f23685b56640195107/process-wrapper '--timeout=0' '--kill_delay=15' '--stats=/root/.cache/bazel/_bazel_root/e708ec56094462adb2c47f36d6f86338/sandbox/processwrapper-sandbox/3633/stats.out' /bin/bash -c bazel-out/s390x-opt/bin/external/envoy/bssl-compat/bssl-compat_foreign_cc/wrapper_build_script.sh)
rules_foreign_cc: Build failed!
rules_foreign_cc: Keeping temp build directory and dependencies directory for debug.
rules_foreign_cc: Please note that the directories inside a sandbox are still cleaned unless you specify --sandbox_debug Bazel command line flag.
rules_foreign_cc: Printing build logs:
_____ BEGIN BUILD LOGS _____

Bazel external C/C++ Rules. Building library bssl-compat

Environment:______________
BUILD_SCRIPT=bazel-out/s390x-opt/bin/external/envoy/bssl-compat/bssl-compat_foreign_cc/build_script.sh
EXT_BUILD_ROOT=/root/.cache/bazel/_bazel_root/e708ec56094462adb2c47f36d6f86338/sandbox/processwrapper-sandbox/3633/execroot/envoy
BUILD_LOG=bazel-out/s390x-opt/bin/external/envoy/bssl-compat/bssl-compat_foreign_cc/CMake.log
PWD=/root/.cache/bazel/_bazel_root/e708ec56094462adb2c47f36d6f86338/sandbox/processwrapper-sandbox/3633/execroot/envoy
CXX=/usr/bin/clang++
BUILD_WRAPPER_SCRIPT=bazel-out/s390x-opt/bin/external/envoy/bssl-compat/bssl-compat_foreign_cc/wrapper_build_script.sh
BAZEL_LINKOPTS=-lm
TMPDIR=/tmp
EXT_BUILD_DEPS=/root/.cache/bazel/_bazel_root/e708ec56094462adb2c47f36d6f86338/sandbox/processwrapper-sandbox/3633/execroot/envoy/bazel-out/s390x-opt/bin/external/envoy/bssl-compat/bssl-compat.ext_build_deps
Clang_ROOT=/usr/lib/llvm
BAZEL_LINKLIBS=-l%:libstdc++.a
BUILD_TMPDIR=/root/.cache/bazel/_bazel_root/e708ec56094462adb2c47f36d6f86338/sandbox/processwrapper-sandbox/3633/execroot/envoy/bazel-out/s390x-opt/bin/external/envoy/bssl-compat/bssl-compat.build_tmpdir
SHLVL=2
INSTALLDIR=/root/.cache/bazel/_bazel_root/e708ec56094462adb2c47f36d6f86338/sandbox/processwrapper-sandbox/3633/execroot/envoy/bazel-out/s390x-opt/bin/external/envoy/bssl-compat/bssl-compat
PATH=/root/.cache/bazel/_bazel_root/e708ec56094462adb2c47f36d6f86338/sandbox/processwrapper-sandbox/3633/execroot/envoy:/bin:/usr/bin:/usr/local/bin
CC=/usr/bin/clang
_=/bin/env
__________________________
+ /root/.cache/bazel/_bazel_root/e708ec56094462adb2c47f36d6f86338/sandbox/processwrapper-sandbox/3633/execroot/envoy/bazel-out/s390x-opt-exec-2B5CBBC6/bin/external/rules_foreign_cc/toolchains/copy_cmake_tool.build/cmake_tool.build/bin/cmake -DCMAKE_AR=/usr/bin/ar '-DCMAKE_CXX_LINK_EXECUTABLE=/usr/bin/clang-14 <FLAGS> <CMAKE_CXX_LINK_FLAGS> <LINK_FLAGS> <OBJECTS> -o <TARGET> <LINK_LIBRARIES>' '-DCMAKE_SHARED_LINKER_FLAGS=-shared -Wl,--gdb-index -fuse-ld=/usr/bin/ld.gold -Wl,-no-as-needed -Wl,-z,relro,-z,now -B/usr/bin -lm -Wl,--gc-sections -l:libstdc++.a -fuse-ld=gold' '-DCMAKE_EXE_LINKER_FLAGS=-Wl,--gdb-index -fuse-ld=/usr/bin/ld.gold -Wl,-no-as-needed -Wl,-z,relro,-z,now -B/usr/bin -lm -Wl,--gc-sections -l:libstdc++.a -fuse-ld=gold' -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=/root/.cache/bazel/_bazel_root/e708ec56094462adb2c47f36d6f86338/sandbox/processwrapper-sandbox/3633/execroot/envoy/bazel-out/s390x-opt/bin/external/envoy/bssl-compat/bssl-compat -DCMAKE_PREFIX_PATH=/root/.cache/bazel/_bazel_root/e708ec56094462adb2c47f36d6f86338/sandbox/processwrapper-sandbox/3633/execroot/envoy/bazel-out/s390x-opt/bin/external/envoy/bssl-compat/bssl-compat.ext_build_deps -DCMAKE_RANLIB= -DCMAKE_MAKE_PROGRAM=/root/.cache/bazel/_bazel_root/e708ec56094462adb2c47f36d6f86338/sandbox/processwrapper-sandbox/3633/execroot/envoy/bazel-out/s390x-opt-exec-2B5CBBC6/bin/external/rules_foreign_cc/toolchains/make/bin/make -G 'Unix Makefiles' /root/.cache/bazel/_bazel_root/e708ec56094462adb2c47f36d6f86338/sandbox/processwrapper-sandbox/3633/execroot/envoy/external/envoy/bssl-compat
-- The C compiler identification is Clang 14.0.6
-- The CXX compiler identification is Clang 14.0.6
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: /usr/bin/clang-14 - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Check for working CXX compiler: /usr/bin/clang++-14 - skipped
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Found OpenSSL: /usr/lib64/libcrypto.so (found suitable version "3.0.7", minimum required is "3.0") found components: Crypto SSL 
-- Found OpenSSL 3.0.7 (/usr/lib64)
-- Performing Test HAVE_FFI_CALL
-- Performing Test HAVE_FFI_CALL - Success
-- Found FFI: /usr/lib64/libffi.so  
-- Performing Test Terminfo_LINKABLE
-- Performing Test Terminfo_LINKABLE - Success
-- Found Terminfo: /usr/lib64/libtinfo.so  
-- Found ZLIB: /usr/lib64/libz.so (found version "1.2.11") 
-- Found LLVM 14.0.6 (/,OFF,ON,ON)
-- Linker detection: GNU Gold
-- Found Python: /bin/python3.9 (found version "3.9.16") found components: Interpreter 
-- Looking for pthread.h
-- Looking for pthread.h - found
-- Performing Test CMAKE_HAVE_LIBC_PTHREAD
-- Performing Test CMAKE_HAVE_LIBC_PTHREAD - Success
-- Found Threads: TRUE  
-- Configuring done
-- Generating done
-- Build files have been written to: /root/.cache/bazel/_bazel_root/e708ec56094462adb2c47f36d6f86338/sandbox/processwrapper-sandbox/3633/execroot/envoy/bazel-out/s390x-opt/bin/external/envoy/bssl-compat/bssl-compat.build_tmpdir
+ /root/.cache/bazel/_bazel_root/e708ec56094462adb2c47f36d6f86338/sandbox/processwrapper-sandbox/3633/execroot/envoy/bazel-out/s390x-opt-exec-2B5CBBC6/bin/external/rules_foreign_cc/toolchains/copy_cmake_tool.build/cmake_tool.build/bin/cmake --build . --config Release -j
[  0%] Building CXX object prefixer/CMakeFiles/prefixer.dir/prefixer.cpp.o
[  0%] Building CXX object _deps/googletest-build/googletest/CMakeFiles/gtest.dir/src/gtest-all.cc.o
[  0%] Built target OpenSSL
/root/.cache/bazel/_bazel_root/e708ec56094462adb2c47f36d6f86338/sandbox/processwrapper-sandbox/3633/execroot/envoy/external/envoy/bssl-compat/prefixer/prefixer.cpp:767:5: warning: ignoring return value of function declared with 'warn_unused_result' attribute [-Wunused-result]
    std::system((std::string("sed -i ") + subts.str() + files.str()).c_str());
    ^~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[  0%] Linking CXX static library ../../../lib/libgtest.a
[  0%] Built target gtest
[  0%] Building CXX object _deps/googletest-build/googletest/CMakeFiles/gtest_main.dir/src/gtest_main.cc.o
[  0%] Building CXX object _deps/googletest-build/googlemock/CMakeFiles/gmock.dir/src/gmock-all.cc.o
[  0%] Linking CXX static library ../../../lib/libgtest_main.a
[  0%] Built target gtest_main
[  0%] Linking CXX static library ../../../lib/libgmock.a
[  0%] Built target gmock
[  0%] Building CXX object _deps/googletest-build/googlemock/CMakeFiles/gmock_main.dir/src/gmock_main.cc.o
[  0%] Linking CXX static library ../../../lib/libgmock_main.a
[  0%] Built target gmock_main
1 warning generated.
[  0%] Linking CXX executable prefixer
CMakeFiles/prefixer.dir/prefixer.cpp.o:prefixer.cpp:function std::filesystem::__cxx11::path::~path(): error: undefined reference to 'std::filesystem::__cxx11::path::_List::_Impl_deleter::operator()(std::filesystem::__cxx11::path::_List::_Impl*) const'
CMakeFiles/prefixer.dir/prefixer.cpp.o:prefixer.cpp:function std::filesystem::__cxx11::path::~path(): error: undefined reference to 'operator delete(void*)'
CMakeFiles/prefixer.dir/prefixer.cpp.o:prefixer.cpp:function std::__cxx11::basic_regex<char, std::__cxx11::regex_traits<char> >::basic_regex(char const*, std::regex_constants::syntax_option_type): error: undefined reference to 'std::locale::locale()'

Hi there,

I am trying to build envoy 1.29.1 on s390x arch using envoy-openssl repo but bazel build --config=clang --verbose_failures -s @envoy//:envoy fails due to following error:

...
Use --sandbox_debug to see verbose messages from the sandbox and retain the sandbox build root for debugging
[1mexternal/com_github_grpc_grpc/src/core/lib/security/credentials/tls/grpc_tls_crl_provider.cc:60:33: [0m[0;1;31merror: [0m[1muse of undeclared identifier 'X509_CRL_get_issuer'; did you mean 'ossl_X509_CRL_get_issuer'?[0m
  char* buf = X509_NAME_oneline(X509_CRL_get_issuer(crl), nullptr, 0);
[0;1;32m                                ^~~~~~~~~~~~~~~~~~~
[0m[0;32m                                ossl_X509_CRL_get_issuer
[0m[1mbazel-out/s390x-fastbuild/bin/external/bssl-compat/bssl-compat/include/ossl/openssl/x509.h:935:17: [0m[0;1;30mnote: [0m'ossl_X509_CRL_get_issuer' declared here[0m
ossl_X509_NAME *ossl_X509_CRL_get_issuer(const ossl_X509_CRL *crl);
[0;1;32m                ^
[0m[1mexternal/com_github_grpc_grpc/src/core/lib/security/credentials/tls/grpc_tls_crl_provider.cc:60:15: [0m[0;1;31merror: [0m[1muse of undeclared identifier 'X509_NAME_oneline'; did you mean 'ossl_X509_NAME_oneline'?[0m
  char* buf = X509_NAME_oneline(X509_CRL_get_issuer(crl), nullptr, 0);
[0;1;32m              ^~~~~~~~~~~~~~~~~
[0m[0;32m              ossl_X509_NAME_oneline
[0m[1mbazel-out/s390x-fastbuild/bin/external/bssl-compat/bssl-compat/include/ossl/openssl/x509.h:799:7: [0m[0;1;30mnote: [0m'ossl_X509_NAME_oneline' declared here[0m
char *ossl_X509_NAME_oneline(const ossl_X509_NAME *a, char *buf, int size);
[0;1;32m      ^
[0m2 errors generated.
Target @envoy//source/exe:envoy-static failed to build
...

I suspect problem is that bssl-compat build does not contain these declaration resulting in this error. Even after manually changing grpc_tls_crl_provider.cc to use ossl_X509_CRL_get_issuer etc. build fails down the path with other SSL related errors (missing SSL_ERROR_WANT_CERTIFICATE_VERIFY identifier).

Please let me know if there is something obvious I am missing.

Thanks.

RHEL 9 releases with OpenSSL 3.0.0 and we need a sanity check to look for conflicts

We need to create CI jobs for pre-submit tests to run on every PR.

We probably don't want to run all tests that run in envoy/envoy. We need to define the subset of tests we want to run here and implement them.

Who can help us setting these jobs up?

cc @tedjpoole @phlax

Which verison of OpenSSL will have QUIC support?

https://youtu.be/cdb7M37o9sU

If the utests binary is executed directly, there are a couple of tests which fail:

[ FAILED ] All/BIOPairTest.TestPair/0, where GetParam() = false
[ FAILED ] All/BIOPairTest.TestPair/1, where GetParam() = true

whereas if they are run via ctest, they all pass.

Hi All,

We are facing build failures when building envoy-openssl branch v1.28 on RHEL9.2. Error is as follows
Can someone assist me in resolving this issue.

# bazel build -c opt --config=libc++ envoy --config=clang --define=wasm=disabled --cxxopt=-fpermissive
ERROR: /home/envoy/check_openssl/envoy-openssl/source/exe/BUILD:35:17: Illegal ambiguous match on configurable attribute "deps" in //source/exe:envoy_common_lib:
//bazel:linux_ppc
//bazel:disable_http3
Multiple matches are not allowed unless one is unambiguously more specialized or they resolve to the same value. See https://bazel.build/reference/be/functions#select.
INFO: Repository build_bazel_rules_swift instantiated at:
  /home/envoy/check_openssl/envoy-openssl/WORKSPACE:30:25: in <toplevel>
  /home/envoy/check_openssl/envoy-openssl/bazel/dependency_imports.bzl:32:29: in envoy_dependency_imports
  /root/.cache/bazel/_bazel_root/0cab9e149d5530907041b1f9089d77ad/external/build_bazel_rules_apple/apple/repositories.bzl:124:15: in apple_rules_dependencies
  /root/.cache/bazel/_bazel_root/0cab9e149d5530907041b1f9089d77ad/external/build_bazel_rules_apple/apple/repositories.bzl:86:14: in _maybe
Repository rule http_archive defined at:
  /root/.cache/bazel/_bazel_root/0cab9e149d5530907041b1f9089d77ad/external/bazel_tools/tools/build_defs/repo/http.bzl:372:31: in <toplevel>
ERROR: Analysis of target '//:envoy' failed; build aborted:
INFO: Elapsed time: 5.565s
INFO: 0 processes.
FAILED: Build did NOT complete successfully (238 packages loaded, 819 targets configured)
    currently loading: @com_github_grpc_grpc//
    Fetching repository @com_google_absl; starting
    Fetching ...0cab9e149d5530907041b1f9089d77ad/external/com_google_absl; Extracting c8b33b0191a2db8364cacf94b267ea8a3f20ad83.tar.gz
    Fetching repository @com_github_gperftools_gperftools; starting
    Fetching ...el_root/0cab9e149d5530907041b1f9089d77ad/external/com_github_gperftools_gperftools; Extracting gperftools-2.10.tar.gz
    Fetching repository @com_github_gabime_spdlog; starting
    Fetching ...cache/bazel/_bazel_root/0cab9e149d5530907041b1f9089d77ad/external/com_github_gabime_spdlog; Extracting v1.12.0.tar.gz
    Fetching repository @com_googlesource_code_re2; starting
    Fetching ...ot/0cab9e149d5530907041b1f9089d77ad/external/com_googlesource_code_re2; Extracting 2023-09-01.tar.gz ... (11 fetches)

cc @NishikantThorat

use run-build-container.sh, bazel build @bssl-compat//:bssl-compat has finised, but when I did "bazel build @envoy//:envoy" , has some error about code , below is failed log:
ERROR: /build/.cache/bazel/_bazel_root/b570b5ccd0454dc9af9f65ab1833764d/external/envoy/source/extensions/transport_sockets/tls/BUILD:142:17: Compiling source/extensions/transport_sockets/tls/context_impl.cc failed: (Exit 1): process-wrapper failed: error executing command
(cd /build/.cache/bazel/_bazel_root/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/4064/execroot/envoy_openssl &&
exec env -
BAZEL_COMPILER=clang
BAZEL_LINKLIBS=-l%:libstdc++.a
BAZEL_LINKOPTS=-lm
CC=clang
CXX=clang++
LLVM_CONFIG=/opt/llvm/bin/llvm-config
PATH=/opt/llvm/bin:/opt/llvm/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/proc/self/cwd
TMPDIR=/tmp
/build/.cache/bazel/_bazel_root/install/e63ada1a9406bff70c6efc9d97c3aeba/process-wrapper '--timeout=0' '--kill_delay=15' '--stats=/build/.cache/bazel/_bazel_root/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/4064/stats.out' /opt/llvm/bin/clang-14 -U_FORTIFY_SOURCE -fstack-protector -Wall -Wthread-safety -Wself-assign -Wunused-but-set-parameter -Wno-free-nonheap-object -fcolor-diagnostics -fno-omit-frame-pointer '-std=c++0x' -MD -MF bazel-out/k8-fastbuild/bin/external/envoy/source/extensions/transport_sockets/tls/_objs/context_lib/context_impl.pic.d '-frandom-seed=bazel-out/k8-fastbuild/bin/external/envoy/source/extensions/transport_sockets/tls/_objs/context_lib/context_impl.pic.o' -fPIC -DFMT_HEADER_ONLY -DSPDLOG_FMT_EXTERNAL -DENVOY_ADMIN_FUNCTIONALITY -DENVOY_ENABLE_HTTP_DATAGRAMS -DENVOY_MOBILE_ENABLE_LISTENER -DENVOY_MOBILE_STATS_REPORTING -DENVOY_MOBILE_REQUEST_COMPRESSION -DENVOY_GOOGLE_GRPC -DNGHTTP2_STATICLIB '-DBAZEL_CURRENT_REPOSITORY="envoy"' -iquote external/envoy -iquote bazel-out/k8-fastbuild/bin/external/envoy -iquote external/com_google_absl -iquote bazel-out/k8-fastbuild/bin/external/com_google_absl -iquote external/com_github_fmtlib_fmt -iquote bazel-out/k8-fastbuild/bin/external/com_github_fmtlib_fmt -iquote external/envoy_api -iquote bazel-out/k8-fastbuild/bin/external/envoy_api -iquote external/com_google_googleapis -iquote bazel-out/k8-fastbuild/bin/external/com_google_googleapis -iquote external/com_google_protobuf -iquote bazel-out/k8-fastbuild/bin/external/com_google_protobuf -iquote external/com_envoyproxy_protoc_gen_validate -iquote bazel-out/k8-fastbuild/bin/external/com_envoyproxy_protoc_gen_validate -iquote external/com_googlesource_code_re2 -iquote bazel-out/k8-fastbuild/bin/external/com_googlesource_code_re2 -iquote external/com_github_cncf_udpa -iquote bazel-out/k8-fastbuild/bin/external/com_github_cncf_udpa -iquote external/opencensus_proto -iquote bazel-out/k8-fastbuild/bin/external/opencensus_proto -iquote external/com_github_gabime_spdlog -iquote bazel-out/k8-fastbuild/bin/external/com_github_gabime_spdlog -iquote external/com_github_cyan4973_xxhash -iquote bazel-out/k8-fastbuild/bin/external/com_github_cyan4973_xxhash -iquote external/com_github_jbeder_yaml_cpp -iquote bazel-out/k8-fastbuild/bin/external/com_github_jbeder_yaml_cpp -iquote external/com_github_google_quiche -iquote bazel-out/k8-fastbuild/bin/external/com_github_google_quiche -iquote external/com_googlesource_googleurl -iquote bazel-out/k8-fastbuild/bin/external/com_googlesource_googleurl -iquote external/com_github_circonus_labs_libcircllhist -iquote bazel-out/k8-fastbuild/bin/external/com_github_circonus_labs_libcircllhist -Ibazel-out/k8-fastbuild/bin/external/com_google_protobuf/_virtual_includes/any_proto -Ibazel-out/k8-fastbuild/bin/external/com_google_protobuf/_virtual_includes/descriptor_proto -Ibazel-out/k8-fastbuild/bin/external/com_google_protobuf/_virtual_includes/duration_proto -Ibazel-out/k8-fastbuild/bin/external/com_google_protobuf/_virtual_includes/empty_proto -Ibazel-out/k8-fastbuild/bin/external/com_google_protobuf/_virtual_includes/struct_proto -Ibazel-out/k8-fastbuild/bin/external/com_google_protobuf/_virtual_includes/timestamp_proto -Ibazel-out/k8-fastbuild/bin/external/com_google_protobuf/_virtual_includes/wrappers_proto -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/common/_virtual_includes/logger_impl_lib_standard -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/common/_virtual_includes/thread_impl_lib_posix -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/api/_virtual_includes/os_sys_calls_lib -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/quic/platform/_virtual_includes/quiche_export_impl_lib -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/quic/platform/_virtual_includes/quiche_logging_impl_lib -Ibazel-out/k8-fastbuild/bin/external/com_github_google_quiche/_virtual_includes/quiche_common_platform_default_quiche_platform_impl_command_line_flags_impl_lib -Ibazel-out/k8-fastbuild/bin/external/com_github_google_quiche/_virtual_includes/quiche_common_platform_default_quiche_platform_impl_flag_utils_impl_lib -Ibazel-out/k8-fastbuild/bin/external/com_github_google_quiche/_virtual_includes/quiche_common_platform_default_quiche_platform_impl_reference_counted_impl_lib -Ibazel-out/k8-fastbuild/bin/external/com_github_google_quiche/_virtual_includes/quiche_common_platform_default_quiche_platform_impl_testvalue_impl_lib -Ibazel-out/k8-fastbuild/bin/external/com_github_google_quiche/virtual_includes/quiche_common_platform_default_quiche_platform_impl_time_utils_impl_lib -Ibazel-out/k8-fastbuild/bin/external/com_github_google_quiche/virtual_includes/quiche_common_platform_default_quiche_platform_impl_prefetch_impl_lib -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/quic/platform/virtual_includes/quic_base_impl_lib -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/quic/platform/virtual_includes/quiche_flags_impl_lib -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/quic/platform/virtual_includes/quiche_mem_slice_impl_lib -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/quic/platform/virtual_includes/quiche_platform_iovec_impl_lib -isystem external/com_github_fmtlib_fmt/include -isystem bazel-out/k8-fastbuild/bin/external/com_github_fmtlib_fmt/include -isystem external/com_google_protobuf/src -isystem bazel-out/k8-fastbuild/bin/external/com_google_protobuf/src -isystem bazel-out/k8-fastbuild/bin/external/envoy/bazel/foreign_cc/zlib/include -isystem external/com_github_gabime_spdlog/include -isystem bazel-out/k8-fastbuild/bin/external/com_github_gabime_spdlog/include -isystem bazel-out/k8-fastbuild/bin/external/bssl-compat/bssl-compat/include -isystem external/com_github_jbeder_yaml_cpp/include -isystem bazel-out/k8-fastbuild/bin/external/com_github_jbeder_yaml_cpp/include -isystem bazel-out/k8-fastbuild/bin/external/envoy/bazel/foreign_cc/event/include -isystem external/envoy/bazel/external/http_parser -isystem bazel-out/k8-fastbuild/bin/external/envoy/bazel/external/http_parser -isystem bazel-out/k8-fastbuild/bin/external/envoy/bazel/foreign_cc/nghttp2/include -isystem external/com_github_circonus_labs_libcircllhist/src -isystem bazel-out/k8-fastbuild/bin/external/com_github_circonus_labs_libcircllhist/src '-DABSL_MIN_LOG_LEVEL=4' -fPIC -Wno-deprecated-declarations '-std=c++17' -Wall -Wextra -Werror -Wnon-virtual-dtor -Woverloaded-virtual -Wold-style-cast -Wformat -Wformat-security -Wvla -Wno-deprecated-declarations -Wreturn-type -fno-limit-debug-info -Wgnu-conditional-omitted-operand -Wc++2a-extensions -Wrange-loop-analysis -DTCMALLOC -DENVOY_HANDLE_SIGNALS -DENVOY_OBJECT_TRACE_ON_DUMP -DENVOY_HOT_RESTART -DENVOY_ADMIN_HTML -DENVOY_STATIC_EXTENSION_REGISTRATION -DENVOY_GOOGLE_GRPC -no-canonical-prefixes -Wno-builtin-macro-redefined '-D__DATE="redacted"' '-D__TIMESTAMP="redacted"' '-D__TIME="redacted"' -c external/envoy/source/extensions/transport_sockets/tls/context_impl.cc -o bazel-out/k8-fastbuild/bin/external/envoy/source/extensions/transport_sockets/tls/objs/context_lib/context_impl.pic.o)
external/envoy/source/extensions/transport_sockets/tls/context_impl.cc:185:11: error: use of undeclared identifier 'SSL_CTX_set_custom_verify'; did you mean 'SSL_CTX_set_verify'?
SSL_CTX_set_custom_verify(ctx, verify_mode, customVerifyCallback);
^~~~~~~~~~~~~~~~~~~~~~~~~
SSL_CTX_set_verify
bazel-out/k8-fastbuild/bin/external/bssl-compat/bssl-compat/include/openssl/ssl.h:2539:21: note: 'SSL_CTX_set_verify' declared here
OPENSSL_EXPORT void SSL_CTX_set_verify(
^
external/envoy/source/extensions/transport_sockets/tls/context_impl.cc:185:55: error: cannot initialize a parameter of type 'int (*)(int, X509_STORE_CTX )' (aka 'int ()(int, ossl_x509_store_ctx_st *)') with an lvalue of type 'enum ssl_verify_result_t (SSL *, uint8_t *)' (aka 'ssl_verify_result_t (ossl_ssl_st *, unsigned char *)'): type mismatch at 1st parameter ('int' vs 'SSL *' (aka 'ossl_ssl_st *'))
SSL_CTX_set_custom_verify(ctx, verify_mode, customVerifyCallback);
^~~~~~~~~~~~~~~~~~~~
bazel-out/k8-fastbuild/bin/external/bssl-compat/bssl-compat/include/openssl/ssl.h:2540:35: note: passing argument to parameter 'callback' here
SSL_CTX *ctx, int mode, int (*callback)(int ok, X509_STORE_CTX *store_ctx));
^
external/envoy/source/extensions/transport_sockets/tls/context_impl.cc:186:11: error: use of undeclared identifier 'SSL_CTX_set_reverify_on_resume'; did you mean 'SSL_CTX_set_verify_depth'?
SSL_CTX_set_reverify_on_resume(ctx, /reverify_on_resume_enabled)=/1);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SSL_CTX_set_verify_depth
bazel-out/k8-fastbuild/bin/external/bssl-compat/bssl-compat/include/openssl/ssl.h:2616:21: note: 'SSL_CTX_set_verify_depth' declared here
OPENSSL_EXPORT void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth);
^
external/envoy/source/extensions/transport_sockets/tls/context_impl.cc:290:9: error: use of undeclared identifier 'SSL_CTX_set_private_key_method'
SSL_CTX_set_private_key_method(ctx.ssl_ctx.get(), private_key_method.get());
^
external/envoy/source/extensions/transport_sockets/tls/context_impl.cc:473:14: error: use of undeclared identifier 'ssl_verify_retry'
return ssl_verify_retry;
^
external/envoy/source/extensions/transport_sockets/tls/context_impl.cc:480:18: error: use of undeclared identifier 'ssl_verify_ok'
? ssl_verify_ok
^
external/envoy/source/extensions/transport_sockets/tls/context_impl.cc:481:18: error: use of undeclared identifier 'ssl_verify_invalid'
: ssl_verify_invalid;
^
external/envoy/source/extensions/transport_sockets/tls/context_impl.cc:493:12: error: use of undeclared identifier 'ssl_verify_ok'
return ssl_verify_ok;
^
external/envoy/source/extensions/transport_sockets/tls/context_impl.cc:495:12: error: use of undeclared identifier 'ssl_verify_retry'
return ssl_verify_retry;
^
external/envoy/source/extensions/transport_sockets/tls/context_impl.cc:500:12: error: use of undeclared identifier 'ssl_verify_invalid'
return ssl_verify_invalid;
^
10 errors generated.
Target @envoy//source/exe:envoy-static failed to build
INFO: Elapsed time: 2596.516s, Critical Path: 78.47s
INFO: 7968 processes: 3890 internal, 1 local, 4076 processwrapper-sandbox, 1 worker.
FAILED: Build did NOT complete successfully
root@localhost:/source# bazel clean --expunge
INFO: Starting clean (this may take a while). Consider using --async if the clean takes more than several minutes.
INFO: Multiplexer process for Javac has closed its output stream
root@localhost:/source# bazel build @bssl-compat//:bssl-compat
Starting local Bazel server and connecting to it...
INFO: Analyzed target @bssl-compat//:bssl-compat (116 packages loaded, 6989 targets configured).
INFO: Found 1 target...
Target @bssl-compat//:bssl-compat up-to-date:
bazel-bin/external/bssl-compat/bssl-compat/include
bazel-bin/external/bssl-compat/bssl-compat/lib/libbssl-compat.a
bazel-bin/external/bssl-compat/copy_bssl-compat/bssl-compat
INFO: Elapsed time: 642.919s, Critical Path: 624.38s
INFO: 4 processes: 3 internal, 1 processwrapper-sandbox.
INFO: Build completed successfully, 4 total actions
root@localhost:/source# bazel build @envoy//:envoy
INFO: Analyzed target @envoy//:envoy (797 packages loaded, 37215 targets configured).
INFO: Found 1 target...
INFO: From Compiling src/google/protobuf/compiler/cpp/helpers.cc [for tool]:
external/com_google_protobuf/src/google/protobuf/compiler/cpp/helpers.cc:197:25: warning: unused function 'VerifyInt32TypeToVerifyCustom' [-Wunused-function]
inline VerifySimpleType VerifyInt32TypeToVerifyCustom(VerifyInt32Type t) {
^
1 warning generated.
INFO: From Executing genrule @io_opentracing_cpp//:generate_version_h:
-- The C compiler identification is Clang 14.0.0
-- The CXX compiler identification is Clang 14.0.0
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: /opt/llvm/bin/clang - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Check for working CXX compiler: /opt/llvm/bin/clang++ - skipped
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- clang-tidy found: /opt/llvm/bin/clang-tidy
-- Configuring done (0.7s)
-- Generating done (0.0s)
-- Build files have been written to: /tmp/tmp.sn2kWd37J2
-- Cache values
BUILD_DYNAMIC_LOADING:BOOL=ON
BUILD_MOCKTRACER:BOOL=OFF
BUILD_SHARED_LIBS:BOOL=ON
BUILD_STATIC_LIBS:BOOL=ON
BUILD_TESTING:BOOL=OFF
CLANG_TIDY_EXE:FILEPATH=/opt/llvm/bin/clang-tidy
CMAKE_BUILD_TYPE:STRING=
CMAKE_INSTALL_PREFIX:PATH=/usr/local
ENABLE_LINTING:BOOL=ON
ERROR: /build/.cache/bazel/_bazel_root/b570b5ccd0454dc9af9f65ab1833764d/external/envoy/source/extensions/transport_sockets/tls/BUILD:43:17: Compiling source/extensions/transport_sockets/tls/ssl_handshaker.cc failed: (Exit 1): process-wrapper failed: error executing command
(cd /build/.cache/bazel/_bazel_root/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/3314/execroot/envoy_openssl &&
exec env -
BAZEL_COMPILER=clang
BAZEL_LINKLIBS=-l%:libstdc++.a
BAZEL_LINKOPTS=-lm
CC=clang
CXX=clang++
LLVM_CONFIG=/opt/llvm/bin/llvm-config
PATH=/opt/llvm/bin:/opt/llvm/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/proc/self/cwd
TMPDIR=/tmp
/build/.cache/bazel/_bazel_root/install/e63ada1a9406bff70c6efc9d97c3aeba/process-wrapper '--timeout=0' '--kill_delay=15' '--stats=/build/.cache/bazel/_bazel_root/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/3314/stats.out' /opt/llvm/bin/clang-14 -U_FORTIFY_SOURCE -fstack-protector -Wall -Wthread-safety -Wself-assign -Wunused-but-set-parameter -Wno-free-nonheap-object -fcolor-diagnostics -fno-omit-frame-pointer '-std=c++0x' -MD -MF bazel-out/k8-fastbuild/bin/external/envoy/source/extensions/transport_sockets/tls/_objs/ssl_handshaker_lib/ssl_handshaker.pic.d '-frandom-seed=bazel-out/k8-fastbuild/bin/external/envoy/source/extensions/transport_sockets/tls/_objs/ssl_handshaker_lib/ssl_handshaker.pic.o' -fPIC -DFMT_HEADER_ONLY -DSPDLOG_FMT_EXTERNAL -DENVOY_ADMIN_FUNCTIONALITY -DENVOY_ENABLE_HTTP_DATAGRAMS -DENVOY_MOBILE_ENABLE_LISTENER -DENVOY_MOBILE_STATS_REPORTING -DENVOY_MOBILE_REQUEST_COMPRESSION -DENVOY_GOOGLE_GRPC -DNGHTTP2_STATICLIB '-DBAZEL_CURRENT_REPOSITORY="envoy"' -iquote external/envoy -iquote bazel-out/k8-fastbuild/bin/external/envoy -iquote external/com_google_absl -iquote bazel-out/k8-fastbuild/bin/external/com_google_absl -iquote external/com_github_fmtlib_fmt -iquote bazel-out/k8-fastbuild/bin/external/com_github_fmtlib_fmt -iquote external/envoy_api -iquote bazel-out/k8-fastbuild/bin/external/envoy_api -iquote external/com_google_googleapis -iquote bazel-out/k8-fastbuild/bin/external/com_google_googleapis -iquote external/com_google_protobuf -iquote bazel-out/k8-fastbuild/bin/external/com_google_protobuf -iquote external/com_envoyproxy_protoc_gen_validate -iquote bazel-out/k8-fastbuild/bin/external/com_envoyproxy_protoc_gen_validate -iquote external/com_googlesource_code_re2 -iquote bazel-out/k8-fastbuild/bin/external/com_googlesource_code_re2 -iquote external/com_github_cncf_udpa -iquote bazel-out/k8-fastbuild/bin/external/com_github_cncf_udpa -iquote external/opencensus_proto -iquote bazel-out/k8-fastbuild/bin/external/opencensus_proto -iquote external/com_github_gabime_spdlog -iquote bazel-out/k8-fastbuild/bin/external/com_github_gabime_spdlog -iquote external/com_github_cyan4973_xxhash -iquote bazel-out/k8-fastbuild/bin/external/com_github_cyan4973_xxhash -iquote external/com_github_jbeder_yaml_cpp -iquote bazel-out/k8-fastbuild/bin/external/com_github_jbeder_yaml_cpp -iquote external/com_github_google_quiche -iquote bazel-out/k8-fastbuild/bin/external/com_github_google_quiche -iquote external/com_googlesource_googleurl -iquote bazel-out/k8-fastbuild/bin/external/com_googlesource_googleurl -iquote external/com_github_circonus_labs_libcircllhist -iquote bazel-out/k8-fastbuild/bin/external/com_github_circonus_labs_libcircllhist -Ibazel-out/k8-fastbuild/bin/external/com_google_protobuf/_virtual_includes/any_proto -Ibazel-out/k8-fastbuild/bin/external/com_google_protobuf/_virtual_includes/descriptor_proto -Ibazel-out/k8-fastbuild/bin/external/com_google_protobuf/_virtual_includes/duration_proto -Ibazel-out/k8-fastbuild/bin/external/com_google_protobuf/_virtual_includes/empty_proto -Ibazel-out/k8-fastbuild/bin/external/com_google_protobuf/_virtual_includes/struct_proto -Ibazel-out/k8-fastbuild/bin/external/com_google_protobuf/_virtual_includes/timestamp_proto -Ibazel-out/k8-fastbuild/bin/external/com_google_protobuf/_virtual_includes/wrappers_proto -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/common/_virtual_includes/logger_impl_lib_standard -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/common/_virtual_includes/thread_impl_lib_posix -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/api/_virtual_includes/os_sys_calls_lib -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/quic/platform/_virtual_includes/quiche_export_impl_lib -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/quic/platform/_virtual_includes/quiche_logging_impl_lib -Ibazel-out/k8-fastbuild/bin/external/com_github_google_quiche/_virtual_includes/quiche_common_platform_default_quiche_platform_impl_command_line_flags_impl_lib -Ibazel-out/k8-fastbuild/bin/external/com_github_google_quiche/_virtual_includes/quiche_common_platform_default_quiche_platform_impl_flag_utils_impl_lib -Ibazel-out/k8-fastbuild/bin/external/com_github_google_quiche/_virtual_includes/quiche_common_platform_default_quiche_platform_impl_reference_counted_impl_lib -Ibazel-out/k8-fastbuild/bin/external/com_github_google_quiche/_virtual_includes/quiche_common_platform_default_quiche_platform_impl_testvalue_impl_lib -Ibazel-out/k8-fastbuild/bin/external/com_github_google_quiche/virtual_includes/quiche_common_platform_default_quiche_platform_impl_time_utils_impl_lib -Ibazel-out/k8-fastbuild/bin/external/com_github_google_quiche/virtual_includes/quiche_common_platform_default_quiche_platform_impl_prefetch_impl_lib -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/quic/platform/virtual_includes/quic_base_impl_lib -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/quic/platform/virtual_includes/quiche_flags_impl_lib -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/quic/platform/virtual_includes/quiche_mem_slice_impl_lib -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/quic/platform/virtual_includes/quiche_platform_iovec_impl_lib -isystem external/com_github_fmtlib_fmt/include -isystem bazel-out/k8-fastbuild/bin/external/com_github_fmtlib_fmt/include -isystem external/com_google_protobuf/src -isystem bazel-out/k8-fastbuild/bin/external/com_google_protobuf/src -isystem bazel-out/k8-fastbuild/bin/external/envoy/bazel/foreign_cc/zlib/include -isystem external/com_github_gabime_spdlog/include -isystem bazel-out/k8-fastbuild/bin/external/com_github_gabime_spdlog/include -isystem bazel-out/k8-fastbuild/bin/external/bssl-compat/bssl-compat/include -isystem external/com_github_jbeder_yaml_cpp/include -isystem bazel-out/k8-fastbuild/bin/external/com_github_jbeder_yaml_cpp/include -isystem bazel-out/k8-fastbuild/bin/external/envoy/bazel/foreign_cc/event/include -isystem external/envoy/bazel/external/http_parser -isystem bazel-out/k8-fastbuild/bin/external/envoy/bazel/external/http_parser -isystem bazel-out/k8-fastbuild/bin/external/envoy/bazel/foreign_cc/nghttp2/include -isystem external/com_github_circonus_labs_libcircllhist/src -isystem bazel-out/k8-fastbuild/bin/external/com_github_circonus_labs_libcircllhist/src '-DABSL_MIN_LOG_LEVEL=4' -fPIC -Wno-deprecated-declarations '-std=c++17' -Wall -Wextra -Werror -Wnon-virtual-dtor -Woverloaded-virtual -Wold-style-cast -Wformat -Wformat-security -Wvla -Wno-deprecated-declarations -Wreturn-type -fno-limit-debug-info -Wgnu-conditional-omitted-operand -Wc++2a-extensions -Wrange-loop-analysis -DTCMALLOC -DENVOY_HANDLE_SIGNALS -DENVOY_OBJECT_TRACE_ON_DUMP -DENVOY_HOT_RESTART -DENVOY_ADMIN_HTML -DENVOY_STATIC_EXTENSION_REGISTRATION -DENVOY_GOOGLE_GRPC -no-canonical-prefixes -Wno-builtin-macro-redefined '-D__DATE="redacted"' '-D__TIMESTAMP="redacted"' '-D__TIME="redacted"' -c external/envoy/source/extensions/transport_sockets/tls/ssl_handshaker.cc -o bazel-out/k8-fastbuild/bin/external/envoy/source/extensions/transport_sockets/tls/_objs/ssl_handshaker_lib/ssl_handshaker.pic.o)
external/envoy/source/extensions/transport_sockets/tls/ssl_handshaker.cc:98:10: error: use of undeclared identifier 'SSL_ERROR_WANT_PRIVATE_KEY_OPERATION'
case SSL_ERROR_WANT_PRIVATE_KEY_OPERATION:
^
external/envoy/source/extensions/transport_sockets/tls/ssl_handshaker.cc:99:10: error: use of undeclared identifier 'SSL_ERROR_WANT_CERTIFICATE_VERIFY'
case SSL_ERROR_WANT_CERTIFICATE_VERIFY:
^
2 errors generated.
Target @envoy//source/exe:envoy-static failed to build
INFO: Elapsed time: 1532.124s, Critical Path: 47.83s
INFO: 6132 processes: 2819 internal, 1 local, 3311 processwrapper-sandbox, 1 worker.
FAILED: Build did NOT complete successfully

I'd like to use envoy-openssl. But I couldn't find envoy-openssl image in https://hub.docker.com/u/envoyproxy
Do you have any plan to provide envoy-openssl as a docker container image?

envoy commit: "tls_inspector: enable TLSv1.3. (#118)" needs backporting into this repo.

As title ,
Does anyone can help give some comments for this OpenSSL 3.0 support in envoy-openssl ? And also did this project support the FIPS140-3 already ?

• Create Submodule for envoy
• Top level folders for collections
• update readme
• add initial bssl-compat code

The prefixer is failing to identify some functions as being prefixable, so it's not generating the lookup, function pointer and wrapper function for them.

e.g. ASN1_IA5STRING_new()

• note out to everyone w a deadline to make comments
• incorporate 1st part of design in 1st milestone of project document
• collect & incorporate comments
• memorialize in DESIGN.md

envoy-openssl build successfully with envoy:cf2df8cbe, commit time is Tue Jul 28 02:32:57 2020.

But build failed with the latest Envoy, when will support the latest Envoy?

Is there a way I can build a released version of Envoy (v1.13.1) with OpenSSL? Current build yields the below version and I can't run this in production. I'll greatly appreciate any help on this.

envoy  version: 1a29e0d7d9b86124509a0f49c2d6df93ece25450/1.14.0-dev/Modified/DEBUG/OpenSSL

Thanks
Kunal

reworked bssl-wrapper without bazel using CMake to serve as the starting point for the compatibility library work put on github

The bazel.release CI target was disabled due to disk space issues. We should enable it once again.

/cc @mythi

Running envoy --version currently reports a version string with "BoringSSL" on the end, something like:

8eeab1ee77f2c4cb31434c04d683773a6beea01d/1.28.5-dev/Modified/RELEASE/BoringSSL

but it should have "OpenSSL" on the end instead.

envoy-openssl has been dormant for 2 years; this is to revive the project disciplines

• create & configure github project
• label legacy issues & park them for review
• add issues & create kb cards from design doc
• invite team members to assign themselves
• associate first tranche of tasks to milestone 1

Hi All,

We are facing build issue on s390x and please find the below error and we faced this while building "bssl-compat".
Let me know if we have any s390x specific build steps.

[  3%] Building CXX object CMakeFiles/utests-boring.dir/source/test/test_x509.cc.o
In file included from /root/envoy-openssl/bssl-compat/source/test/test_x509.cc:7:
/root/envoy-openssl/bssl-compat/build/source/crypto/test/test_util.h:29:10: fatal error: '../internal.h' file not found
#include "../internal.h"
         ^~~~~~~~~~~~~~~
1 error generated.
make[2]: *** [CMakeFiles/utests-boring.dir/build.make:384: CMakeFiles/utests-boring.dir/source/test/test_x509.cc.o] Error 1
make[1]: *** [CMakeFiles/Makefile2:168: CMakeFiles/utests-boring.dir/all] Error 2
make: *** [Makefile:146: all] Error 2

As we are enabling support for P&Z architectures, could we include P&Z binaries/images alongside the x86 binaries in the releases? This will ensure that users on P&Z platforms can easily access and utilize the binaries.

Request:
Please add P&Z binaries/images to the releases page at https://github.com/envoyproxy/envoy-openssl/releases alongside x86 binaries.

Benefit:
Including P&Z binaries/images will improve accessibility for users on these platforms and ensure better support for a wider range of architectures.

Dependency : knative/infra#344

cc : @rishikakedia @valen-mascarenhas14 @ghatwala @dilipgb @NishikantThorat

Here's a high-level roadmap for the project.

• Make boringssl-based TLS extensions fully unpluggable
  • envoyproxy/envoy#7377
• Move TLS extensions into envoy-openssl
  • https://github.com/Maistra/envoy-openssl/tree/maistra-0.12
  • https://github.com/rojkov/envoy-openssl/tree/openssl-as-3d-party-extension
• Convert the crypto library, etc. to an extension and implement one based on OpenSSL
  • envoyproxy/envoy#7344
• Implement OpenSSL patches for jwt-verify, quiche, etc.
  • https://github.com/bdecoste/jwt_verify_lib
  • https://github.com/rojkov/envoy-openssl/blob/openssl-as-3d-party-extension/jwt_verify-make-compatible-with-openssl.patch (preferred pattern)
• Implement a build and test pipeline which is triggered on commits into the main envoy project
  • Pull latest Envoy before building
• Implement tests in the main envoy project to prevent spillage of SSL related code into classes which don't have proper SSL abstractions/extension mechanisms

/cc @envoyproxy/openssl-dev

Feel free to add/edit.

make[2]: Entering directory '/build/.cache/bazel/_bazel_envoybuild/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/2/execroot/envoy/bazel-out/k8-fastbuild/bin/bazel/foreign_cc/unicode_icu_build.build_tmpdir/tools/makeconv'
   (deps)  /build/.cache/bazel/_bazel_envoybuild/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/2/execroot/envoy/external/com_github_unicode_org_icu/icu4c/source/tools/makeconv/ucnvstat.c
   (deps)  /build/.cache/bazel/_bazel_envoybuild/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/2/execroot/envoy/external/com_github_unicode_org_icu/icu4c/source/tools/makeconv/makeconv.cpp
   (deps)  /build/.cache/bazel/_bazel_envoybuild/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/2/execroot/envoy/external/com_github_unicode_org_icu/icu4c/source/tools/makeconv/genmbcs.cpp
   (deps)  /build/.cache/bazel/_bazel_envoybuild/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/2/execroot/envoy/external/com_github_unicode_org_icu/icu4c/source/tools/makeconv/gencnvex.c
   gcc   ...  /build/.cache/bazel/_bazel_envoybuild/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/2/execroot/envoy/external/com_github_unicode_org_icu/icu4c/source/tools/makeconv/gencnvex.c
   gcc   ...  /build/.cache/bazel/_bazel_envoybuild/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/2/execroot/envoy/external/com_github_unicode_org_icu/icu4c/source/tools/makeconv/genmbcs.cpp
   gcc   ...  /build/.cache/bazel/_bazel_envoybuild/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/2/execroot/envoy/external/com_github_unicode_org_icu/icu4c/source/tools/makeconv/makeconv.cpp
   gcc   ...  /build/.cache/bazel/_bazel_envoybuild/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/2/execroot/envoy/external/com_github_unicode_org_icu/icu4c/source/tools/makeconv/ucnvstat.c
/usr/bin/gcc -U_FORTIFY_SOURCE -fstack-protector -Wall -Wunused-but-set-parameter -Wno-free-nonheap-object -fno-omit-frame-pointer -std=c++0x -fno-canonical-system-headers -Wno-builtin-macro-redefined -D__DATE__=redacted -D__TIMESTAMP__=redacted -D__TIME__=redacted -DABSL_MIN_LOG_LEVEL=4 -fPIC -Wno-deprecated-declarations -std=c++17 -fPIC -DU_CHARSET_IS_UTF8=1 -DU_USING_ICU_NAMESPACE=0 -DUCONFIG_ONLY_HTML_CONVERSION=1 -DUCONFIG_NO_LEGACY_CONVERSION=1 -DUCONFIG_NO_BREAK_ITERATION=1 -DUCONFIG_NO_COLLATION=1 -DUCONFIG_NO_FORMATTING=1 -DUCONFIG_NO_TRANSLITERATION=1 -DUCONFIG_NO_REGULAR_EXPRESSIONS=1 -W -Wall -pedantic -Wpointer-arith -Wwrite-strings -Wno-long-long   -fuse-ld=gold -Wl,-no-as-needed -Wl,-z,relro,-z,now -B/usr/bin -pass-exit-codes -lm -l:libstdc++.a -Wl,--gc-sections   -o ../../bin/makeconv gencnvex.o genmbcs.o makeconv.o ucnvstat.o -L../../lib -licutu -L../../lib -licui18n -L../../lib -licuuc -L../../stubdata -licudata -lpthread -lm
makeconv.o:makeconv.cpp:DW.ref.__gxx_personality_v0: error: undefined reference to '__gxx_personality_v0'
../../lib/libicuuc.a(umutex.ao):umutex.cpp:function std::mutex::lock(): error: undefined reference to 'std::__throw_system_error(int)'
../../lib/libicuuc.a(umutex.ao):umutex.cpp:function umtx_cleanup: error: undefined reference to 'std::condition_variable::~condition_variable()'
../../lib/libicuuc.a(umutex.ao):umutex.cpp:function umtx_init::{lambda()#2}::operator()() const: error: undefined reference to 'std::condition_variable::condition_variable()'
../../lib/libicuuc.a(umutex.ao):umutex.cpp:function icu_72::umtx_initImplPreInit(icu_72::UInitOnce&): error: undefined reference to 'std::condition_variable::wait(std::unique_lock<std::mutex>&)'
../../lib/libicuuc.a(umutex.ao):umutex.cpp:function icu_72::umtx_initImplPostInit(icu_72::UInitOnce&): error: undefined reference to 'std::condition_variable::notify_all()'
../../lib/libicuuc.a(umutex.ao):umutex.cpp:function std::call_once<void (&)()>(std::once_flag&, void (&)())::{lambda()#2}::operator()() const: error: undefined reference to 'std::__once_callable'
../../lib/libicuuc.a(umutex.ao):umutex.cpp:function void std::call_once<void (&)()>(std::once_flag&, void (&)()): error: undefined reference to 'std::__once_callable'
../../lib/libicuuc.a(umutex.ao):umutex.cpp:function void std::call_once<void (&)()>(std::once_flag&, void (&)()): error: undefined reference to 'std::__once_call'
../../lib/libicuuc.a(umutex.ao):umutex.cpp:function void std::call_once<void (&)()>(std::once_flag&, void (&)()): error: undefined reference to '__once_proxy'
../../lib/libicuuc.a(umutex.ao):umutex.cpp:function void std::call_once<void (&)()>(std::once_flag&, void (&)()): error: undefined reference to 'std::__throw_system_error(int)'
../../lib/libicuuc.a(umutex.ao):umutex.cpp:function std::unique_lock<std::mutex>::lock(): error: undefined reference to 'std::__throw_system_error(int)'
../../lib/libicuuc.a(umutex.ao):umutex.cpp:function std::unique_lock<std::mutex>::lock(): error: undefined reference to 'std::__throw_system_error(int)'
collect2: error: ld returned 1 exit status
make[2]: *** [Makefile:81: ../../bin/makeconv] Error 1
make[2]: Leaving directory '/build/.cache/bazel/_bazel_envoybuild/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/2/execroot/envoy/bazel-out/k8-fastbuild/bin/bazel/foreign_cc/unicode_icu_build.build_tmpdir/tools/makeconv'
make[1]: *** [Makefile:47: all-recursive] Error 2
make[1]: Leaving directory '/build/.cache/bazel/_bazel_envoybuild/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/2/execroot/envoy/bazel-out/k8-fastbuild/bin/bazel/foreign_cc/unicode_icu_build.build_tmpdir/tools'
make: *** [Makefile:153: all-recursive] Error 2
_____ END BUILD LOGS _____
rules_foreign_cc: Build wrapper script location: bazel-out/k8-fastbuild/bin/bazel/foreign_cc/unicode_icu_build_foreign_cc/wrapper_build_script.sh
rules_foreign_cc: Build script location: bazel-out/k8-fastbuild/bin/bazel/foreign_cc/unicode_icu_build_foreign_cc/build_script.sh
rules_foreign_cc: Build log location: bazel-out/k8-fastbuild/bin/bazel/foreign_cc/unicode_icu_build_foreign_cc/Configure.log

INFO: Elapsed time: 137.005s, Critical Path: 120.50s
INFO: 4 processes: 2 internal, 2 processwrapper-sandbox.
FAILED: Build did NOT complete successfully
Traceback (most recent call last):
  File "./tools/gen_compilation_database.py", line 139, in <module>
    fix_compilation_database(args, generate_compilation_database(args))
  File "./tools/gen_compilation_database.py", line 25, in generate_compilation_database
    subprocess.check_call([args.bazel, *bazel_startup_options, "build"] + bazel_options + [
  File "/usr/lib/python3.8/subprocess.py", line 364, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['bazel', 'build', '--config=compdb', '--remote_download_outputs=all', '--aspects=@bazel_compdb//:aspects.bzl%compilation_database_aspect', '--output_groups=compdb_files,header_files', '//source/...', '//test/...', '//contrib/...']' returned non-zero exitstatus 1.

Envoy Commit ID: ca5d45d
OS: linux(entered build container by ./ci/run_envoy_docker.sh /bin/bash)
Command: ./tools/gen_compilation_database.py

currently we plan to use the envoyproxy/envoy-openssl repository.

• Classes we will own for OpenSSL (tls/extensions folders)
• Library Code (wrappers, abstractions)
• Build Related files (patches/build scripts to automate releases)
• Documentation ( build instructions in README.md, release information)
• maintain analysis.md
• CONTRIBUTING.md

As you probably have seen by the other opened issue [1], I am interested in getting the Envoy up and running with the OpenSSL extension. With OpenSSL 1.1.1 being EOL now, Maistra is not a feasible approach for us anymore, so we are looking into early-adopting envoy with the OpenSSL extension.

Me and my colleague monitored the changes you introduced over the last couple months, getting closer to a fully working server. We have seen (and tested) that there are currently a few things open, such as the missing mapping of some BoringSSL errors to OpenSSL ones. We are wondering, if we can help expedite the stabilisation process, to get a bit faster to a fully working release; may it be code contributions or testing, we would like to help a bit.

[1] #66

New use cases that do not have tests

Testing

• Can we leverage upstream tests.
• Increase test granularity.
• Comprehensive test coverage.

Building

• Necessary git hub actions
• Automated ASAN, integrity checks.

• 24-hour embargo, self-merge OK

Hi everyone, firstly apologies if this is the wrong place to open a discussion on this. I referenced previous work done by the /envoy-openssl integration project in attempting to port BoringSSL into Envoy, and I think we ran into a lot of similar issues, at least according to the roadmap published.

What I'm Trying To Do

I'm currently working on an open source implementation of a post-quantum enabled service mesh. This effort is in 3 parts:

• Nginx-oqs (finished in march of this year)
• Envoy (in progress)
• Istio (contingent on completion of envoy)

Nginx was fairly straightforward to port the OpenSSL-OQS fork, but Envoy is giving me some trouble. Envoy is incompatible with OpenSSL (there is a team working on fixing this currently), so I had to use the BoringSSL-OQS fork

How I'm Doing it

To update BoringSSL for envoy, specifically the "main-with-bazel" branch must be used:

The last updated Boringssl-OQS main-with-bazel was from 2019, so I forked it and added the siphash.h file needed by Envoy.

A few other modifications I needed to make in the Envoy fork I'm modifying:

• Disable jwt-auth
• Disable QUIC to side-step Quiche compatibility issues

Envoy successfully builds with my modifications

Here are the commands I used to generate the self-signed CA cert and the server cert as per the instructions on the OpenSSL-OQS page. I have tried them with all combinations of standard/OQS/hybrid for both the CA cert and the server cert

/usr/local/openssl/apps/openssl req -x509 -new -newkey rsa:2048 -keyout root_CA.key -out root_CA.crt -nodes -subj "/CN=oqstest CA" -days 365 -config /usr/local/openssl/apps/openssl.cnf

/usr/local/openssl/apps/openssl req -new -newkey rsa3072_dilithium2 -keyout serverkey.key -out servercsr.csr -nodes -subj "/CN=oqstest server" -config /usr/local/openssl/apps/openssl.cnf

/usr/local/openssl/apps/openssl x509 -req -in servercsr.csr -out servercert.crt -CA root_CA.crt -CAkey root_CA.key -CAcreateserial -days 365  

How It's Working: Standard RSA

I can confirm my build works by passing RSA certs and keys generated using the OQS-OpenSSL fork. The HTTPS server successfully performs the TLS handshake, and I am able to reach HTTP upstream.

How It's Not Working 1: "Cannot Load Certificate Chain"

If I pass the (hybrid or OQS) server cert to Envoy, I get this error:

I have tracked it down to this portion of the Envoy source code:

Here is a diagram of the functions and their locations in the Envoy and BoringSSL source code:

How It's Not Working 2: "Unsupported Algorithm"

If I pass the (RSA) root CA cert to Envoy with the (hybrid or OQS) key, I am faced with this error instead

Questions

If anyone is curious and wants to reproduce this, the instructions are on this repo I have set up.

At this point, I feel like there may be something catastrophically important I'm missing about either BoringSSL/OpenSSL, Envoy, or just software development in general

I would love any and all feedback/advice/thoughts/criticism about why this may be happening, and what I can do to fix this

The current Azure Pipeline configuration only runs the verify step. The build and test steps have been disabled as they reference dependencies incorrectly.

The right solution is to use the Envoy Docker CI image to run these steps. This again needs some work in getting the build to refer to the correct OpenSSL files.

envoy-openssl hasn't had a check-in in over 2 years; there is probably much to learn from what's gone before, and yet we would like to start fresh.

• archive legacy code in a branch so we can continue to refer to it.
• rebase envoyproxy/envoy-openssl/source/extensions to v 1.22
• establish contributing guidelines, document in CONTRIBUTING.md

The build fails for me early on due to:

WARNING: Download from https://github.com/unicode-org/icu/archive/release-64-2.tar.gz failed: class com.google.devtools.build.lib.bazel.repository.downloader.UnrecoverableHttpException Checksum was 65271a83fa81783d1272553f4564965ac2e32535a58b0b8141e9f4003afb0e3a but wanted 524960ac99d086cdb6988d2a92fc163436fd3c6ec0a84c475c6382fbf989be05 ERROR: An error occurred during the fetch of repository 'org_unicode_icuuc': java.io.IOException: Error downloading [https://github.com/unicode-org/icu/archive/release-64-2.tar.gz] to /home/carmiac/.cache/bazel/_bazel_carmiac/2f6c9d8c4610bca649831f6411514c8c/external/org_unicode_icuuc/release-64-2.tar.gz: Checksum was 65271a83fa81783d1272553f4564965ac2e32535a58b0b8141e9f4003afb0e3a but wanted 524960ac99d086cdb6988d2a92fc163436fd3c6ec0a84c475c6382fbf989be05 ERROR: /home/carmiac/.cache/bazel/_bazel_carmiac/2f6c9d8c4610bca649831f6411514c8c/external/com_googlesource_googleurl/url/BUILD:6:11: @com_googlesource_googleurl//url:url depends on @org_unicode_icuuc//:common in repository @org_unicode_icuuc which failed to fetch. no such package '@org_unicode_icuuc//': java.io.IOException: Error downloading [https://github.com/unicode-org/icu/archive/release-64-2.tar.gz] to /home/carmiac/.cache/bazel/_bazel_carmiac/2f6c9d8c4610bca649831f6411514c8c/external/org_unicode_icuuc/release-64-2.tar.gz: Checksum was 65271a83fa81783d1272553f4564965ac2e32535a58b0b8141e9f4003afb0e3a but wanted 524960ac99d086cdb6988d2a92fc163436fd3c6ec0a84c475c6382fbf989be05 ERROR: Analysis of target '//:envoy' failed; build aborted: Analysis failed

How do we select between this envoy-openssl project and maistra/envoy ?

Seems this https://github.com/maistra/envoy was maintained by Redhat but no way to submit issues or questions.

And also seems no new release in this year 2023 .

so what's the difference between these two projects ? And any pros and cons can be shared?

The bssl-compat/patch/ directory contains manually maintained patch files that get applied to BoringSSL headers and sources that we copy into the build.

This issue should add a target o the cmake build system that will update those patch files.

What is the current status of this repo? I see recent commits, but is this library ready to be used? If not, what are the gaps? How can I monitor progress (team meeting link is private)

hello I'm looking forward to use openssl library in envoy.
However, the build had done but test was not passed by using beneath code in Ubuntu 22.04.

./openssl/run_envoy_docker.sh './ci/do_ci.sh debug //test/extensions/transport_sockets/tls/...'

Build Result:

INFO: Analyzed 29 targets (599 packages loaded, 39460 targets configured).
INFO: Found 13 targets and 16 test targets...
FAIL: //test/extensions/transport_sockets/tls/cert_validator/spiffe:spiffe_validator_integration_test (see /build/bazel_root/base/execroot/envoy/bazel-out/k8-dbg/testlogs/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_integration_test/test.log)
FAIL: //test/extensions/transport_sockets/tls/integration:ssl_integration_test (see /build/bazel_root/base/execroot/envoy/bazel-out/k8-dbg/testlogs/test/extensions/transport_sockets/tls/integration/ssl_integration_test/test.log)
FAIL: //test/extensions/transport_sockets/tls/cert_validator:cert_validator_integration_test (see /build/bazel_root/base/execroot/envoy/bazel-out/k8-dbg/testlogs/test/extensions/transport_sockets/tls/cert_validator/cert_validator_integration_test/test.log)
INFO: Elapsed time: 2590.326s, Critical Path: 335.53s
INFO: 5743 processes: 2432 internal, 3311 processwrapper-sandbox.
INFO: Build completed, 3 tests FAILED, 5743 total actions
//test/extensions/transport_sockets/tls/cert_validator:cert_validator_integration_test FAILED in 0.7s
  /build/bazel_root/base/execroot/envoy/bazel-out/k8-dbg/testlogs/test/extensions/transport_sockets/tls/cert_validator/cert_validator_integration_test/test.log
//test/extensions/transport_sockets/tls/cert_validator/spiffe:spiffe_validator_integration_test FAILED in 1.3s
  /build/bazel_root/base/execroot/envoy/bazel-out/k8-dbg/testlogs/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_integration_test/test.log
//test/extensions/transport_sockets/tls/integration:ssl_integration_test FAILED in 0.7s
  /build/bazel_root/base/execroot/envoy/bazel-out/k8-dbg/testlogs/test/extensions/transport_sockets/tls/integration/ssl_integration_test/test.log