OpenSSL version in Windows runners

[aantron]

Building on windows-latest, installing package ssl 0.7.0 as a dependency results in

# ssl_stubs.c:311:32: error: 'SSL_OP_NO_TLSv1_3' undeclared here (not in a function); did you mean 'SSL_OP_NO_TLSv1_1'?
#   311 |                                SSL_OP_NO_TLSv1_3};
#       |                                ^~~~~~~~~~~~~~~~~
#       |                                SSL_OP_NO_TLSv1_1
# ssl_stubs.c: In function 'get_method':
# ssl_stubs.c:319:14: warning: implicit declaration of function 'TLS_client_method'; did you mean 'DTLS_client_method'? [-Wimplicit-function-declaration]
#   319 |     method = TLS_client_method();
#       |              ^~~~~~~~~~~~~~~~~
#       |              DTLS_client_method
# ssl_stubs.c:319:12: warning: assignment to 'const SSL_METHOD *' {aka 'const struct ssl_method_st *'} from 'int' makes pointer from integer without a cast [-Wint-conversion]
#   319 |     method = TLS_client_method();
#       |            ^
# ssl_stubs.c:323:14: warning: implicit declaration of function 'TLS_server_method'; did you mean 'DTLS_server_method'? [-Wimplicit-function-declaration]
#   323 |     method = TLS_server_method();
#       |              ^~~~~~~~~~~~~~~~~
#       |              DTLS_server_method
# ssl_stubs.c:323:12: warning: assignment to 'const SSL_METHOD *' {aka 'const struct ssl_method_st *'} from 'int' makes pointer from integer without a cast [-Wint-conversion]
#   323 |     method = TLS_server_method();
#       |            ^
# ssl_stubs.c:327:14: warning: implicit declaration of function 'TLS_method'; did you mean 'DTLS_method'? [-Wimplicit-function-declaration]
#   327 |     method = TLS_method();
#       |              ^~~~~~~~~~
#       |              DTLS_method
# ssl_stubs.c:327:12: warning: assignment to 'const SSL_METHOD *' {aka 'const struct ssl_method_st *'} from 'int' makes pointer from integer without a cast [-Wint-conversion]
#   327 |     method = TLS_method();
#       |            ^
# ssl_stubs.c: In function 'ocaml_ssl_version_of_tls_version':
# ssl_stubs.c:358:8: error: 'TLS1_3_VERSION' undeclared (first use in this function); did you mean 'TLS1_2_VERSION'?
#   358 |   case TLS1_3_VERSION:
#       |        ^~~~~~~~~~~~~~
#       |        TLS1_2_VERSION
# ssl_stubs.c:358:8: note: each undeclared identifier is reported only once for each function it appears in
# ssl_stubs.c: In function 'tls_version_of_ocaml_ssl_version':
# ssl_stubs.c:391:11: error: 'TLS1_3_VERSION' undeclared (first use in this function); did you mean 'TLS1_2_VERSION'?
#   391 |     ret = TLS1_3_VERSION;
#       |           ^~~~~~~~~~~~~~
#       |           TLS1_2_VERSION
# ssl_stubs.c: In function 'ocaml_ssl_ctx_set_min_proto_version':
# ssl_stubs.c:413:8: warning: implicit declaration of function 'SSL_CTX_set_min_proto_version'; did you mean 'ocaml_ssl_ctx_set_min_proto_version'? [-Wimplicit-function-declaration]
#   413 |   if (!SSL_CTX_set_min_proto_version(ssl_context, ssl_protocol)) {
#       |        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#       |        ocaml_ssl_ctx_set_min_proto_version
# ssl_stubs.c: In function 'ocaml_ssl_ctx_get_min_proto_version':
# ssl_stubs.c:425:21: warning: implicit declaration of function 'SSL_CTX_get_min_proto_version'; did you mean 'ocaml_ssl_ctx_get_min_proto_version'? [-Wimplicit-function-declaration]
#   425 |   int tls_version = SSL_CTX_get_min_proto_version(ssl_context);
#       |                     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#       |                     ocaml_ssl_ctx_get_min_proto_version
# ssl_stubs.c: In function 'ocaml_ssl_ctx_set_max_proto_version':
# ssl_stubs.c:[453](https://github.com/aantron/dream/actions/runs/10683497296/job/29611702223?pr=337#step:5:454):8: warning: implicit declaration of function 'SSL_CTX_set_max_proto_version'; did you mean 'ocaml_ssl_ctx_set_max_proto_version'? [-Wimplicit-function-declaration]
#   453 |   if (!SSL_CTX_set_max_proto_version(ssl_context, ssl_protocol)) {
#       |        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#       |        ocaml_ssl_ctx_set_max_proto_version
# ssl_stubs.c: In function 'ocaml_ssl_ctx_get_max_proto_version':
# ssl_stubs.c:465:21: warning: implicit declaration of function 'SSL_CTX_get_max_proto_version'; did you mean 'ocaml_ssl_ctx_get_max_proto_version'? [-Wimplicit-function-declaration]
#   465 |   int tls_version = SSL_CTX_get_max_proto_version(ssl_context);
#       |                     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#       |                     ocaml_ssl_ctx_get_max_proto_version
# ssl_stubs.c: In function 'set_protocol':
# ssl_stubs.c:485:19: error: 'TLS1_3_VERSION' undeclared (first use in this function); did you mean 'TLS1_2_VERSION'?
#   485 |   int max_proto = TLS1_3_VERSION;
#       |                   ^~~~~~~~~~~~~~
#       |                   TLS1_2_VERSION

We encountered this during aantron/dream#337, I've opened savonet/ocaml-ssl#155 and savonet/ocaml-ssl#156 to try to observe it from the ssl repo. It appears that an old version of libssl is being used, pre-1.1.1. Do you know where the libssl that is being linked with is coming from? Is this something that should be addressed by setup-ocaml?

[aantron]

We've reproduced this in the ocaml-ssl repo with @anmonteiro in savonet/ocaml-ssl#156, with the log here. Could you comment on what is needed to link against a modern libssl in the Windows runners with setup-ocaml, as this would be needed for testing any relatively serious networked application in GitHub Actions, not just in Dream?

[vouillon]

It seems Github Actions are stuck with a very old version of OpenSSL: actions/runner-images#6830

[aantron]

Is setup-ocaml linking against some OpenSSL installed by Cygwin, or some kind of more "native" OpenSSL on Windows?

[smorimoto]

Rather than setup-ocaml; opam is linking against to OpenSSL installed by Cygwin. It should be more of an issue on the savonet/ocaml-ssl side, and should work if proper support is added. CC: @dra27

[aantron]

This would seem to be an issue with which OpenSSL is installed by Cygwin, in that case, and what conf-libssl is doing.