Hi everyone, firstly apologies if this is the wrong place to open a discussion on this. I referenced previous work done by the /envoy-openssl integration project in attempting to port BoringSSL into Envoy, and I think we ran into a lot of similar issues, at least according to the roadmap published.
What I'm Trying To Do
I'm currently working on an open source implementation of a post-quantum enabled service mesh. This effort is in 3 parts:
Nginx-oqs (finished in march of this year)
Envoy (in progress)
Istio (contingent on completion of envoy)
Nginx was fairly straightforward to port the OpenSSL-OQS fork, but Envoy is giving me some trouble. Envoy is incompatible with OpenSSL (there is a team working on fixing this currently), so I had to use the BoringSSL-OQS fork
The last updated Boringssl-OQS main-with-bazel was from 2019, so I forked it and added the siphash.h file needed by Envoy.
A few other modifications I needed to make in the Envoy fork I'm modifying:
Disable jwt-auth
Disable QUIC to side-step Quiche compatibility issues
Envoy successfully builds with my modifications
Here are the commands I used to generate the self-signed CA cert and the server cert as per the instructions on the OpenSSL-OQS page. I have tried them with all combinations of standard/OQS/hybrid for both the CA cert and the server cert
I can confirm my build works by passing RSA certs and keys generated using the OQS-OpenSSL fork. The HTTPS server successfully performs the TLS handshake, and I am able to reach HTTP upstream.
How It's Not Working 1: "Cannot Load Certificate Chain"
If I pass the (hybrid or OQS) server cert to Envoy, I get this error:
I have tracked it down to this portion of the Envoy source code:
Here is a diagram of the functions and their locations in the Envoy and BoringSSL source code:
How It's Not Working 2: "Unsupported Algorithm"
If I pass the (RSA) root CA cert to Envoy with the (hybrid or OQS) key, I am faced with this error instead
Questions
If anyone is curious and wants to reproduce this, the instructions are on this repo I have set up.
At this point, I feel like there may be something catastrophically important I'm missing about either BoringSSL/OpenSSL, Envoy, or just software development in general
I would love any and all feedback/advice/thoughts/criticism about why this may be happening, and what I can do to fix this
Hi everyone, firstly apologies if this is the wrong place to open a discussion on this. I referenced previous work done by the /envoy-openssl integration project in attempting to port BoringSSL into Envoy, and I think we ran into a lot of similar issues, at least according to the roadmap published.
What I'm Trying To Do
I'm currently working on an open source implementation of a post-quantum enabled service mesh. This effort is in 3 parts:
Nginx was fairly straightforward to port the OpenSSL-OQS fork, but Envoy is giving me some trouble. Envoy is incompatible with OpenSSL (there is a team working on fixing this currently), so I had to use the BoringSSL-OQS fork
How I'm Doing it
To update BoringSSL for envoy, specifically the "main-with-bazel" branch must be used:
The last updated Boringssl-OQS main-with-bazel was from 2019, so I forked it and added the siphash.h file needed by Envoy.
A few other modifications I needed to make in the Envoy fork I'm modifying:
Envoy successfully builds with my modifications
Here are the commands I used to generate the self-signed CA cert and the server cert as per the instructions on the OpenSSL-OQS page. I have tried them with all combinations of standard/OQS/hybrid for both the CA cert and the server cert
How It's Working: Standard RSA
I can confirm my build works by passing RSA certs and keys generated using the OQS-OpenSSL fork. The HTTPS server successfully performs the TLS handshake, and I am able to reach HTTP upstream.
How It's Not Working 1: "Cannot Load Certificate Chain"
If I pass the (hybrid or OQS) server cert to Envoy, I get this error:
I have tracked it down to this portion of the Envoy source code:
Here is a diagram of the functions and their locations in the Envoy and BoringSSL source code:
How It's Not Working 2: "Unsupported Algorithm"
If I pass the (RSA) root CA cert to Envoy with the (hybrid or OQS) key, I am faced with this error instead
Questions
If anyone is curious and wants to reproduce this, the instructions are on this repo I have set up.
At this point, I feel like there may be something catastrophically important I'm missing about either BoringSSL/OpenSSL, Envoy, or just software development in general
I would love any and all feedback/advice/thoughts/criticism about why this may be happening, and what I can do to fix this