Initial rebase onto 1.30.1 #162
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Ted Poole <[email protected]>
Signed-off-by: Ted Poole <[email protected]>
Signed-off-by: Ted Poole <[email protected]>
Signed-off-by: Ted Poole <[email protected]>
…b89d846ec53f2) BoringSSL Commit ca1690e221677cea3fb946f324eb89d846ec53f2 Now in the bssl-compat/third_party/boringssl/ directory According to https://boringssl.googlesource.com/boringssl/+/HEAD/INCORPORATING.md Disabled the configure/build for BoringSSL because (1) it can't be done on all platforms, and (2) we no longer need to configure/build BoringSSL to obtain it's crypto_test_data.cc file because it is now checked in. Removed the pre installation of go into the builder image. This was only being done as a work around to support the BoringSSL configure/build, but that requirement has now gone. Signed-off-by: Ted Poole <[email protected]>
Signed-off-by: Ted Poole <[email protected]>
Signed-off-by: Dario Cillerai <[email protected]>
…_rsa_key_usage Signed-off-by: Dario Cillerai <[email protected]>
Signed-off-by: Ted Poole <[email protected]>
Signed-off-by: Jonh Wendell <[email protected]>
Signed-off-by: Ted Poole <[email protected]>
Signed-off-by: Dario Cillerai <[email protected]>
* Only supports synchronous (pass or fail) verification, which is enough to accommodate the default certificate validator. * Also fixed/extended the implementation of SSL_get_peer_full_cert_chain() so that (1) it's return value now has the correct ownership semantics, and (2) it works in the context of a SSL_CTX_set_custom_verify() callback. Signed-off-by: Ted Poole <[email protected]>
…s options) Note that this really is a misuse of the "boringssl=fips" define, and the "nofips" tag. However, pretending that we are building on a FIPS version of BoringSSL has the side effect of compiling out QUIC support, which is what we want to achieve. At some point, when a newer version of BoringSSL FIPS does support building QUIC, this misuse of these options will almost certainly stop working. At that point, we will need to fix the //bazel:http3=False option. Signed-off-by: Ted Poole <[email protected]>
Signed-off-by: Daniel Grimm <[email protected]>
The previous one did not apply to the new commit Signed-off-by: Daniel Grimm <[email protected]>
We can now use the original OpenSSL functions as Envoy has stopped accessing the internal struct fields of BIO_METHOD (relevant change in Envoy was in 0ff3fcb). This change also removes our wrapper functions to deal with this behavior and the tests for them. Signed-off-by: Daniel Grimm <[email protected]>
Signed-off-by: Daniel Grimm <[email protected]>
|
These changes were AFAIK merged as part of #251. |
|
Closing this PR as we decided to go with 1.31 instead |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is taking Ted's work from his v1.28 branch, rebased onto upstream v1.30.1. It builds (by running
./openssl/run_envoy_docker.sh './openssl/do_ci.sh debug.server_only'), it kind of works, but it does log a bunch offunction xyz is unimplementedas some of the certificate checking in Envoy has moved from being optional to always enabled.TLS transport socket tests (run via
./openssl/run_envoy_docker.sh './openssl/do_ci.sh debug //test/extensions/transport_sockets/tls/...) passed. I have not been able to run many more tests yet due to problems with my environment.