sfackler / rust-native-tls

Apache License 2.0

TlsConnector fails to be built on some versions of openssl #203

Closed xd009642 closed 3 years ago

xd009642 commented 3 years ago

So I have the following inadvisable code for a private cloud with no external internet access:

let tls_connector = TlsConnector::builder()
    .danger_accept_invalid_certs(true)
    .build()
    .expect("Failed to build the TLS connector");

And with openssl version which outputs OpenSSL 1.1.1f 31 Mar 2020 I get:

thread 'main' panicked at 'Failed to build the TLS connector: Normal(ErrorStack([]))', model-arts/src/lib.rs:135:22

However, with version 1.1.1k the connector builds and then the code works as expected. Just wondering if there's a way I can get this to work across any 1.1.1x versions?

sfackler commented 3 years ago

I am not aware of any versions of OpenSSL newer than 1.0.1 that don't work with TlsConnector. Can you create a self-contained example that reproduces this behavior?

xd009642 commented 3 years ago

I'm working on it but haven't managed to reproduce it outside the project yet. A colleague has been getting segfaults and attached GDB and found:

Thread 1 "project_name" received signal SIGSEGV, Segmentation fault.
0x00007ffff3f727a1 in bssl::ssl_cert_clear_certs(bssl::CERT*) () from /opt/tensorflow/lib/libtensorflow_framework.so

I'm guessing tensorflow which we also use is causing some weird interaction... I'll dig deeper and see if I can figure it out.

Just to clarify, they aren't having an issue with native-tls but having a different segfault during initialisation, and I'm getting this during initialisation. And I'm slightly assuming the sudden failure may be related.

sfackler commented 3 years ago

IIRC tensorflow uses its own statically linked build of BoringSSL but doesn't properly hide the symbols, so if you try to link in an OpenSSL as well wires get crossed and things break.
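A quick way to check for the clash described in the comment above is to compare the dynamic symbol tables of the two libraries. The following is an added example, not code from this thread or from native-tls: it assumes binutils `nm` is on the PATH, the function names and prefix list are illustrative, and the embedded sample output is constructed.

```rust
use std::collections::BTreeSet;
use std::process::Command;

// Constructed `nm -D --defined-only` output, not taken from real libraries.
const SAMPLE_FRAMEWORK: &str = "\
00000000010c27a0 T SSL_CTX_new
00000000010c3f10 T SSL_CTX_free
0000000000f00120 T TF_Version
";
const SAMPLE_LIBSSL: &str = "\
0000000000036b50 T SSL_CTX_new@@OPENSSL_1_1_0
0000000000036a10 T SSL_CTX_free@@OPENSSL_1_1_0
000000000003a2c0 T SSL_CTX_set_ciphersuites@@OPENSSL_1_1_1
";

/// Parse `nm -D --defined-only` output into the set of exported function names.
fn exported_functions(nm_output: &str) -> BTreeSet<String> {
    nm_output.lines().filter_map(|line| {
        let mut cols = line.split_whitespace();
        let (_addr, kind, name) = (cols.next()?, cols.next()?, cols.next()?);
        // T = global code symbol, W = weak symbol; skip data and everything else.
        if kind != "T" && kind != "W" { return None; }
        // Newer binutils append the symbol version (SSL_new@@OPENSSL_1_1_0).
        Some(name.split('@').next().unwrap_or(name).to_string())
    }).collect()
}

/// TLS/crypto C API names that both symbol tables export, sorted.
fn tls_symbol_clashes(nm_a: &str, nm_b: &str) -> Vec<String> {
    const PREFIXES: [&str; 5] = ["SSL_", "TLS_", "X509_", "EVP_", "BIO_"];
    let (a, b) = (exported_functions(nm_a), exported_functions(nm_b));
    a.intersection(&b)
        .filter(|s| PREFIXES.iter().any(|p| s.starts_with(*p)))
        .cloned()
        .collect()
}

/// Run nm on a shared object and return its stdout.
fn nm(path: &str) -> String {
    let out = Command::new("nm").args(&["-D", "--defined-only", path]).output()
        .expect("failed to run nm");
    String::from_utf8_lossy(&out.stdout).into_owned()
}

fn main() {
    // Usage: <binary> LIB_A.so LIB_B.so; with no arguments the samples are used.
    let args: Vec<String> = std::env::args().skip(1).collect();
    let clashes = match args.as_slice() {
        [a, b] => tls_symbol_clashes(&nm(a), &nm(b)),
        _ => tls_symbol_clashes(SAMPLE_FRAMEWORK, SAMPLE_LIBSSL),
    };
    for s in &clashes { println!("exported by both: {}", s); }
}
```

Any name it prints is one the dynamic linker can bind to whichever library was loaded first, so a call intended for OpenSSL may land in the other library's copy.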

xd009642 commented 3 years ago

Okay, that's good to know. It's a bit strange how we're using hyper_tls, native-tls and tensorflow in 5 other projects with no issues. But that might be down to some slight version mismatch :thinking:. I can't really avoid tensorflow so I'll see if I can move to rustls and sidestep the issue.

xd009642 commented 3 years ago

So moving to rustls fixed my issue, and I wasn't able to reproduce the issue on a small project on my system with just native-tls in, so some issues with openssl and some other native library seem most likely.