Failed build using OpenSSL 3.0.0

[mkulik-rh]

ProxySQL version: 2.3.1 OS: Fedora RH

ProxySQL fails to build using version 3.0.0 of OpenSSL. Here is file that causes an error:

/src/proxy_tls.cpp

CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF);

Error message:

proxy_tls.cpp: In function 'int ProxySQL_create_or_load_TLS(bool, std::string&)':
proxy_tls.cpp:468:25: error: 'CRYPTO_MEM_CHECK_OFF' was not declared in this scope
  468 |         CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF);
      |                         ^~~~~~~~~~~~~~~~~~~~
proxy_tls.cpp:468:9: error: 'CRYPTO_mem_ctrl' was not declared in this scope; did you mean 'CRYPTO_memcmp'?
  468 |         CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF);
      |         ^~~~~~~~~~~~~~~
      |         CRYPTO_memcmp
make[1]: *** [Makefile:123: obj/proxy_tls.o] Error 1
make[1]: Leaving directory '/home/mkulik/rpmbuild/BUILD/proxysql-2.3.1/src'
make: *** [Makefile:90: build_src] Error 2

CRYPTO_mem_ctrl in OpenSSL 3.0.0 is marked as deprecated and will return -1 (error).

Here is description message from OpenSSL 3.0.0 regarding this functionality:

The memory-leak checking has been deprecated in OpenSSL 3.0 in favor of clang's memory and leak sanitizer.

No other critical errors occurred during build process with OpenSSL 3.0.0.

[renecannao]

Hi Mark. ProxySQL is statically linked against OpenSSL 1.1.1 . Therefore my question is how are you building against OpenSSL 3 ?

[FaramosCZ]

Hi, Since Fedora packaging Guidelines do not allow bundling of the libraries in most cases, we have to de-bundle them. https://docs.fedoraproject.org/en-US/packaging-guidelines/#bundling

You can always check the current code of the Fedora package here: https://src.fedoraproject.org/rpms/proxysql/tree/rawhide

And the file you are asking about is most likely the de-bundle patch: https://src.fedoraproject.org/rpms/proxysql/blob/rawhide/f/proxysql_debundle.patch

The update to OpenSSL 3.0 is a major change in the Fedora Linux development branch (Rawhide) https://fedoraproject.org/wiki/Changes/OpenSSL3.0

ALL software in Fedora will have to deal with the change sooner or later. Fedora Linux is just a distro that is known to push forward (in technology) and adopt such changes among the first.

That's the general answer. @mkulik-rh can dive into the details.

[renecannao]

Hi @FaramosCZ . Thank you for the details.

What I meant is that ProxySQL doesn't dynamic link against the OpenSSL installed, but it is statically linked with OpenSSL in the dependencies library: https://github.com/sysown/proxysql/tree/v2.x/deps/libssl

In other words, it shouldn't matter at all which OpenSSL is installed. Did you get any other error while compiling?

If you let us know which Fedora version you are using, we can try to compile ourselves.

[mkulik-rh]

Hi @renecannao,

Fedora packaging Guidelines does not allow bundling common libraries like OpenSSL, SQLite3.. not allowing is probably not the right choice of words but it is discouraged. There are of course exception but usually static linking should be avoided if possible.

With release of OpenSSL 3.0.0 we are testing all packages for potential problems that will cause problem in a next release of Fedora.

ProxySQL builds distributed in Fedora official repositories are modified to dynamically link with OpenSSL and other libraries. More information about this can be found in links provided by @FaramosCZ.

I raised this issue to inform upstream about issues regarding compatibility with new version of OpenSSL. Version 3.0.0 is a major release that introduces many (potentially) breaking changes that we try to detect during our validation/fixing process. Branch 1.1.x of OpenSSL will be supported for next 2 years so this is not high concern issue for ProxySQL since it's using bundled version of OpenSSL by default, although I would treat this issue as a good estimation of effort (or part of it) to update code to OpenSSL 3.x branch in the future.

[mkulik-rh]

Closing.

Fixed by https://github.com/sysown/proxysql/commit/fd16e583ac1a9db5af62079c349a2df80eac6557