Closed: klaren closed this 7 months ago
@klaren thanks a lot for the contribution... Did you sign our ICLA yet, https://netty.io/s/icla ?
@normanmaurer yes, I signed it just before I created the PR.
@klaren can you please check the build failures: https://github.com/netty/netty-tcnative/actions/runs/8658366916/job/23968334532?pr=867 ?
@normanmaurer Minor typo, should be fixed now.
Thanks a lot @klaren
Motivation:

The `openssl-dynamic` module only compiles against OpenSSL 1.x.

Modifications:

The most significant change is that one no longer needs to provide DH parameters manually. By calling `SSL_CTX_set_dh_auto()`, OpenSSL will use the built-in parameters that match the key pair size, e.g. RSA 2048 will use DH 2048 and so on. The property `jdk.tls.ephemeralDHKeySize`, which was used to affect the size of the DH parameters before, will be ignored when using the dynamically linked OpenSSL. Instead, the system OpenSSL library's config will be used.

Another change is how FIPS is managed, because OpenSSL 3 introduces a "Provider" concept. `FIPS_mode_set` is removed and is now replaced with `EVP_default_properties_enable_fips`, which instructs OpenSSL to load the FIPS compliant provider if no provider is explicitly requested.

Result:

The `openssl-dynamic` module can now successfully compile and run with OpenSSL 3.x.

This only makes the necessary changes to the code. There is still the question of how this should be published (if at all?), since it has to be a separate artifact from the 1.x version. Some alternatives I see are: an `openssl3-dynamic` module.