feat(20.04): add 'data' slice to openssl SDF #262
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
zhijie-yang
changed the title
|
Diff of dependencies: |
zhijie-yang
force-pushed
the
ROCKS-994-openssl_data-slice-20.04
branch
from
7cc59cf to
7b3e319
Compare
2 tasks
2 tasks
weiiwang01
approved these changes
Jul 5, 2024
cjdcordeiro
approved these changes
Jul 19, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Proposed changes
Add
openssl_dataslice for users does not require the "openssl" binaries, but only needs thepembundled certificate at the defaultcafile.The problem: Programmes in rocks with base focal and jammy cannot get local issuer certificates during an SSL certificate verification.
The cause: The lack of both the symlinks of certificates and rehashed symlinks to the certificates in
/etc/ssl/certsthat point to the certificates introduced by package "ca-certificates" and the symlink pointing to the ca-certificates bundle crt file.To cope with this problem, we are diverging a bit from the behaviour of the package "openssl" in focal and jammy, providing the symlink
/usr/lib/ssl/cert.pem -> /etc/ssl/certs/ca-certificates.crtin the sliceopenssl_data. The reasons behind that are:The SSL library by default reads the local certificates firstly at the bundled certificates
cafile, which defaults at/usr/lib/ssl/certs.pem, and then the single certificates incapathwhich defaults to/usr/lib/ssl/certs.In focal and jammy, the "openssl" package does not provide a
capathsymlink/usr/lib/ssl/certs.pem -> /etc/ssl/certs/ca-certificates.crt. As a result, the certificates have to be read from thecapath, which by default is/usr/lib/ssl/certs -> /etc/ssl/certs, wheretthe certificates from package "ca-certificates" are symbolically linked to/etc/ssl/certsby the scriptupdate-ca-certificatesand rehashed withopenssl rehashorc_rehash(this is automatically triggered with the maintainer scripts of the package "ca-certificates"). However, with the current specification of chisel slice definition files and starlark (the mutation script language in chisel SDF), it's not possible to fully mimic the behaviour of the maintainer scrip and theupdate-ca-certificatesscript in the package "ca-certificates" to calculate the hashes for the certificates and create symlinks with file name formatHHHHHHHH.D(Hfor hex,Dfor dec) within the directory/etc/ssl/certs.Such symlink
/usr/lib/ssl/certs.pem -> /etc/ssl/certs/ca-certificates.crtis provided in the package "openssl" starting from noble. It is verified to work for the same case in a rock built with a noble base.Therefore, we providing a symlink
/usr/lib/ssl/certs.pem -> /etc/ssl/certs/ca-certificates.crtis the only solution for now, though it deviates a bit from the behaviour of the package "openssl".FYI: @letFunny
Related issues/PRs
ca-certificatesis incompatible with OpenSSL #257Forward porting
#273
Checklist