Closed FedericoCeratto closed 1 year ago
I think ideally we want something that is pluggable and allows libraries to implement other SSL libraries.
Edit: re-reading my own message I think this is off-topic. I'll hide it.
For reference, we use https://github.com/status-im/nim-bearssl which "just works" without dll:s etc as the C library gets built together with the nim code.
When using a solution like that, it's also important that SSL support is separated from the std library distribution so as to allow critical security updates to happen on a different cadence.
TLS support is part of the standard library. Of course the library implementing TLS is dynamically linked and can be updated independently from the Nim compiler and from the applications/libraries written in Nim.
Pluggable TLS implementations are discussed in #14719
I'm preparing a PR. I hope people will be OK with dropping support for OpenSSL < 1.1.0 The 1.1.0 release train started on August 2016 Please feel free to vote this message thumbs up for dropping older versions or down otherwise.
Additional datapoint: Python even dropped support for OpenSSL < 1.1.1 and does not support LibreSSL: https://peps.python.org/pep-0644/
Ran into this when trying to use nimble on a vanilla nim:latest docker image
Supporting OSX is more tricky than I expected as it needs to use the library shipped by brew. Also at the moment the tests are failing with an unclear error. Anybody willing to help?
As I've tried to tell you on discord, I get this error:
FAIL: tests/async/tasyncssl.nim c ( 1.83 sec)
Test "tests/async/tasyncssl.nim" in category "async"
Failure: reExitcodesDiffer
Expected:
exitcode: 0
Gotten:
exitcode: 1
Output:
WARNING: nim/tests/async/tasyncssl is loading libcrypto in an unsafe way
No stack traceback available
SIGABRT: Abnormal termination.
I searched for the "in an unsafe way", but without much luck.
Status update: This PR was partially reverted in https://github.com/nim-lang/Nim/pull/20341 and was not included in Nim 1.6.8
OpenSSL 3 has been released on Sep 7th, 2021 ( https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final/ ) and it's being adopted by various platforms ( https://repology.org/project/openssl/versions ) As such Nim cannot be shipped in the rolling/development version of Linux distributions including Debian, Ubuntu, openSUSE Tumbleweed etc.
I confirm that this issue of Nim has kicked a lot of packages from Debian testing. It would be really cool if this could be fixed soon. Thanks a lot, Andreas.
As such Nim cannot be shipped in the rolling/development version of Linux distributions including Debian, Ubuntu, openSUSE Tumbleweed etc.
While I understand your frustration and I support adding support for OpenSSL 3, right now almost no distributions ship with OpenSSL 3 only. Most Linux distros still ship with OpenSSL 1.1 by default - even Arch, openSUSE Tumbleweed. And distros like Debian Sid do ship with OpenSSL 3 by default, but they also have OpenSSL 1 in their repos, while Ubuntu is the only exception that doesn't do that.
While I understand your frustration and I support adding support for OpenSSL 3, right now almost no distributions ship with OpenSSL 3 only. Most Linux distros still ship with OpenSSL 1.1 by default - even Arch, openSUSE Tumbleweed. And distros like Debian Sid do ship with OpenSSL 3 by default, but they also have OpenSSL 1 in their repos, while Ubuntu is the only exception that doesn't do that.
Upcoming Fedora 37 release in October will deprecate openssl1.1 package. Even now, Fedora 36 uses OpenSSL 3 as default. https://fedoraproject.org/wiki/Releases/37/ChangeSet#Deprecate_openssl1.1_package
Hopefully resolved by #20668 and #20669 (for 1.6).
For the record #20341 did not remove openssl 3 support. It was opt-in with #19814 and kept that way, the default behavior was just made more biased toward older versions. It is no longer opt-in, it should now work by default along with other supported versions.
OpenSSL 3 introduces many changes and removes various deprecated functions.
Announcement: https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final/ Migration guide: https://www.openssl.org/docs/man3.0/man7/migration_guide.html Partial list of missing symbols: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006989
Another option would be to switch to a different library: https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations