Bootstrap 1.36 #407
This commit adds the complete bssl-compat library, which provides an implementation of the BoringSSL API on top of OpenSSL 3.0.x. This allows Envoy to be built against OpenSSL instead of BoringSSL.

Key components:
- prefixer tool: Generates OpenSSL header wrappers with ossl_ prefix
- Mapping functions: Implement BoringSSL API using OpenSSL calls
- Patch scripts: Control how BoringSSL headers are adapted
- Test suite: Unit tests for compatibility layer functions
- Build files: CMake and Bazel configuration

The compatibility layer handles differences between BoringSSL and OpenSSL:
- Opaque data structures requiring EVP functions
- Different function signatures and return values
- Macro and constant value differences
- Structure layout compatibility

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
Signed-off-by: Jonh Wendell <[email protected]>
This commit adapts the Bazel build configuration to support building Envoy with OpenSSL instead of BoringSSL, and adds support for s390x and ppc64le architectures.

Build system changes:
- Add bssl-compat as local_repository in WORKSPACE
- Configure OpenSSL as external dependency (bazel/external/openssl.BUILD)
- Disable QUIC/HTTP3 support (uses boringssl=fips mode to exclude QUIC)
- Add nofips tag filtering to exclude QUIC tests and code

Multi-architecture support:
- s390x patches: BoringSSL, Quiche, gRPC, proxy-wasm, rules_foreign_cc
- ppc64le patches: V8, luajit2 support
- Architecture-specific build flags for missing headers (hwcap.h)

Dependency patches:
- jwt_verify_lib: Handle OpenSSL opaque structures
- proxy_wasm_cpp_host: Remove hardcoded -lcrypto on s390x
- rules_foreign_cc: Build fixes for s390x
- rules_go: ppc64le build support

OpenSSL-specific configuration (openssl/bazelrc):
- Test environment limited to IPv4 only
- QUIC excluded via boringssl=fips define
- LLVM/Clang paths for bssl-compat prefixer tool

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
Signed-off-by: Jonh Wendell <[email protected]>
This commit modifies Envoy's C++ source code to work with OpenSSL through the bssl-compat layer, handling differences in SSL/TLS implementations.

TLS/SSL changes:
- Handle OpenSSL opaque structures (use EVP functions instead of direct access)
- Add RTLD_DEEPBIND flag when loading OpenSSL shared libraries
- Fix alert code and error code mappings between BoringSSL and OpenSSL
- Adjust default TLS versions, ciphers, and curves for FIPS compatibility
- Add EAGAIN handling in SslSocket::doRead/doWrite methods
- Fix BIO initialization and error handling

Context and configuration:
- Set TLSv1.3 as max version for FIPS mode
- Implement SSL_CTX_set_compliance_policy for certificate validation
- Remove calls to unimplemented BoringSSL-specific functions
- Adjust certificate verification callbacks for OpenSSL

Test adaptations:
- Update expected fingerprints and byte counts to match OpenSSL
- Fix test values for TLS inspector, JA4 fingerprinting
- Adjust SSL version tests for OpenSSL defaults
- Disable async certificate validation tests (not supported with OpenSSL)
- Disable some QUIC tests (QUIC not supported in OpenSSL build)
- Fix hot restart tests for OpenSSL version string

Version reporting:
- Report "OpenSSL" instead of "BoringSSL" in version string

Build fixes:
- Comment out QUIC code compilation where needed
- Add -latomic linker flag for clang
- Fix maxmind and luajit2 builds for s390x/ppc64le

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
Signed-off-by: Jonh Wendell <[email protected]>
This commit adds GitHub Actions workflows for continuous integration and automated synchronization with upstream Envoy, plus documentation updates.

GitHub Actions workflows:
- envoy-openssl.yml: CI pipeline for building and testing with OpenSSL
  - Runs on PR events only (not on push)
  - Uses standard Envoy build infrastructure
  - Includes disk cleanup step for CI environment
- envoy-sync-scheduled.yaml: Automated upstream synchronization
  - Runs 4 times daily to merge from upstream Envoy
  - Creates auto-merge PRs for each release branch
  - Handles merge conflicts with issue creation
  - Auto-merges bot update PRs
- envoy-openssl-auto-merge.yml: Additional merge automation
  - Handles bot-generated update PRs
  - Ensures timely integration of upstream changes

Repository configuration:
- Update CODEOWNERS to prevent upstream Envoy maintainers from getting review requests on envoy-openssl-specific changes
- Remove .github/dependabot.yml to avoid dependency update conflicts
- Update .gitignore for OpenSSL build artifacts

Documentation:
- Update README.md with envoy-openssl-specific build instructions
- Document differences from upstream Envoy
- Explain bssl-compat layer and OpenSSL requirements
- Add architecture support information (s390x, ppc64le)

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
Signed-off-by: Jonh Wendell <[email protected]>
It relies on `SSL_send_fatal_alert()`, which is not implemented.

Signed-off-by: Jonh Wendell <[email protected]>
This file should be the same as in the upstream, keeping the envoy_select_enable_http3/disable_http3 and not using nofips tag. This flaw is present also in envoy_openssl 1.35.
Remove RH (Red Hat) from the comments in this file and possibly replace with OpenSSL. This flaw is present also in envoy-openssl 1.35.
```cpp
}

TEST_P(TlsCertificateSelectorFactoryTest, Pending) {
  // RH dcillera: disabled because it selects cert async
```
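Review bot: the `// RH dcillera: disabled because it selects cert async` comment on `TEST_P(TlsCertificateSelectorFactoryTest, Pending)` records who disabled the test but not the limitation or where it is tracked; state the reason in neutral terms (asynchronous certificate selection is not supported in the OpenSSL build, as the commit message's "Disable async certificate validation tests" line says) and reference a tracking issue, so the disabled test stays visible as a known coverage gap that can be re-enabled rather than a permanent drop.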
Remove RH (Red Hat) from the comment and possibly replace with OpenSSL. This flaw is present also in envoy-openssl 1.35.
Since these are present in 1.35, I think we could fix them in a follow-up commit that could be cherry-picked between 1.35 and 1.36. What do you think?