Fix GitHub CI: hard-pin OpenSSL to tag openssl-3.6.0 #490
Conversation
|
Unfortunately, we will have to disable support for the master OpenSSL branch for now :/ |
|
np |
VladGud
force-pushed
the
fix-github-ci
branch
from
9a62212 to
dffafe4
Compare
VladGud
force-pushed
the
fix-github-ci
branch
from
dffafe4 to
b21e538
Compare
Also, we’ll need to disable the x86 build for now too, since the OpenSSL 3.6.0 build bug seems to be fixed only in upstream so far: openssl/openssl#28745 |
|
in theory we can move x86 jobs to scheduled (weekly?) ci in order not to forget. |
Yes, sure. But I have a counter-proposal: we can run all jobs in this file once a week including the master jobs. It may be unnecessary for the stable jobs, but it is useful for the master jobs. |
|
Would be useful to know the reason why CI is disabled, except it's being "unfortunately". |
The main reason is that the engine architecture is being removed from upstream OpenSSL in the upcoming release. Our colleagues from the gost-engine project have politely indicated this as well (see their note here: openssl/openssl#29303 (comment)). As we understand it, the ENGINE interface will be completely removed in OpenSSL 4.0. At the moment it is still possible to build against the OpenSSL master branch using the legacy interface by enabling OPENSSL_NO_DEPRECATED_3_0 (reference: We plan to update gost-engine (in particular the gost-provider) to remove its dependency on the legacy ENGINE interface, so that we can support upstream OpenSSL without workarounds. |
|
Thanks for explanation. Would be good to have reason defined in the commit message. (Also, as I remember, only the low level algorithms are supported via gost provider, not the TLS level.) |
You are right that the provider interface itself focuses on low-level cryptographic operations rather than TLS logic. However, OpenSSL also provides a mechanism for providers to advertise additional metadata about their capabilities — so-called provider capabilities. These capabilities allow a provider to declare what algorithms, key types, or TLS groups it supports (see: https://docs.openssl.org/master/man7/provider-base/#tls-group-capability). Using this mechanism (example: Line 8 in 36ce16f We aim to achieve full TLS 1.3 support through the gost-provider without using the legacy ENGINE interface. TLS 1.2 support in the provider model will need more changes in gost-provider and in OpenSSL. |
…er and x86 job OpenSSL disables ENGINE support starting from commit 8e9771c. OpenSSL 3.6.0 contains a build bug (openssl/openssl#28745). The fix was added to upstream, but ENGINE support has already been removed there.
VladGud
force-pushed
the
fix-github-ci
branch
from
b21e538 to
8047a9c
Compare
I set the master and x86 jobs to run weekly so we do not forget to fix them. |
|
thanks! I also concerned on couple of failures, but didn't have time to have a look |
These problems are caused by connection filtering on the Infotecs test server. The same commit passed the gcc test on my local setup: https://github.com/VladGud/engine/actions/runs/20169612752/job/57901586075. The results are unstable. You can try rerunning the failed tests a few times. |
3 participants
No description provided.