Skip to content

Commit

Permalink
chore(security)!: Remove legacy OpenSSL provider flags (#19015)
Browse files Browse the repository at this point in the history
* chore(security)!: Remove legacy OpenSSL provider flags

Signed-off-by: Jesse Szwedko <jesse.szwedko@datadoghq.com>

* Remove trailing newline

Signed-off-by: Jesse Szwedko <jesse.szwedko@datadoghq.com>

---------

Signed-off-by: Jesse Szwedko <jesse.szwedko@datadoghq.com>
  • Loading branch information
jszwedko authored Nov 2, 2023
1 parent 2501049 commit 2bba40a
Show file tree
Hide file tree
Showing 5 changed files with 10 additions and 57 deletions.
1 change: 0 additions & 1 deletion docs/DEPRECATIONS.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,4 +7,3 @@ See [DEPRECATION.md](docs/DEPRECATION.md#process) for the process for updating t
## To be removed

* datadog_v1_metrics v0.35.0 Support for `v1` series endpoint in the `datadog_metrics` sink should be removed.
* legacy_openssl_provider v0.34.0 OpenSSL legacy provider flag should be removed
36 changes: 0 additions & 36 deletions src/app.rs
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,6 @@ use futures::StreamExt;
#[cfg(feature = "enterprise")]
use futures_util::future::BoxFuture;
use once_cell::race::OnceNonZeroUsize;
use openssl::provider::Provider;
use tokio::runtime::{self, Runtime};
use tokio_stream::wrappers::UnboundedReceiverStream;

Expand Down Expand Up @@ -58,7 +57,6 @@ pub struct Application {
pub require_healthy: Option<bool>,
pub config: ApplicationConfig,
pub signals: SignalPair,
pub openssl_providers: Option<Vec<Provider>>,
}

impl ApplicationConfig {
Expand Down Expand Up @@ -196,12 +194,6 @@ impl Application {
debug!(message = "Disabled probing and configuration of root certificate locations on the system for OpenSSL.");
}

let openssl_providers = opts
.root
.openssl_legacy_provider
.then(load_openssl_legacy_providers)
.transpose()?;

let runtime = build_runtime(opts.root.threads, "vector-worker")?;

// Signal handler for OS and provider messages.
Expand All @@ -222,7 +214,6 @@ impl Application {
require_healthy: opts.root.require_healthy,
config,
signals,
openssl_providers,
},
))
}
Expand All @@ -239,7 +230,6 @@ impl Application {
require_healthy,
config,
signals,
openssl_providers,
} = self;

let topology_controller = SharedTopologyController::new(TopologyController {
Expand All @@ -258,7 +248,6 @@ impl Application {
graceful_crash_receiver: config.graceful_crash_receiver,
signals,
topology_controller,
openssl_providers,
})
}
}
Expand All @@ -269,7 +258,6 @@ pub struct StartedApplication {
pub graceful_crash_receiver: ShutdownErrorReceiver,
pub signals: SignalPair,
pub topology_controller: SharedTopologyController,
pub openssl_providers: Option<Vec<Provider>>,
}

impl StartedApplication {
Expand All @@ -283,7 +271,6 @@ impl StartedApplication {
graceful_crash_receiver,
signals,
topology_controller,
openssl_providers,
internal_topologies,
} = self;

Expand Down Expand Up @@ -316,7 +303,6 @@ impl StartedApplication {
signal,
signal_rx,
topology_controller,
openssl_providers,
internal_topologies,
}
}
Expand Down Expand Up @@ -372,7 +358,6 @@ pub struct FinishedApplication {
pub signal: SignalTo,
pub signal_rx: SignalRx,
pub topology_controller: SharedTopologyController,
pub openssl_providers: Option<Vec<Provider>>,
pub internal_topologies: Vec<RunningTopology>,
}

Expand All @@ -382,7 +367,6 @@ impl FinishedApplication {
signal,
signal_rx,
topology_controller,
openssl_providers,
internal_topologies,
} = self;

Expand All @@ -403,7 +387,6 @@ impl FinishedApplication {
topology.stop().await;
}

drop(openssl_providers);
status
}

Expand Down Expand Up @@ -585,22 +568,3 @@ pub fn init_logging(color: bool, format: LogFormat, log_level: &str, rate: u64)
);
info!(message = "Log level is enabled.", level = ?level);
}

/// Load the legacy OpenSSL provider.
///
/// The returned [Provider] must stay in scope for the entire lifetime of the application, as it
/// will be unloaded when it is dropped.
pub fn load_openssl_legacy_providers() -> Result<Vec<Provider>, ExitCode> {
warn!(message = "DEPRECATED The openssl legacy provider provides algorithms and key sizes no longer recommended for use. Set `--openssl-legacy-provider=false` or `VECTOR_OPENSSL_LEGACY_PROVIDER=false` to disable. See https://vector.dev/highlights/2023-08-15-0-32-0-upgrade-guide/#legacy-openssl for details.");
["legacy", "default"].into_iter().map(|provider_name| {
Provider::try_load(None, provider_name, true)
.map(|provider| {
info!(message = "Loaded openssl provider.", provider = provider_name);
provider
})
.map_err(|error| {
error!(message = "Failed to load openssl provider.", provider = provider_name, %error);
exitcode::UNAVAILABLE
})
}).collect()
}
12 changes: 0 additions & 12 deletions src/cli.rs
Original file line number Diff line number Diff line change
Expand Up @@ -197,18 +197,6 @@ pub struct RootOpts {
)]
pub allocation_tracing_reporting_interval_ms: u64,

/// Load the OpenSSL legacy provider.
#[arg(
long,
env = "VECTOR_OPENSSL_LEGACY_PROVIDER",
default_value = "false",
default_missing_value = "false",
num_args = 0..=1,
require_equals = true,
action = ArgAction::Set
)]
pub openssl_legacy_provider: bool,

/// Disable probing and configuration of root certificate locations on the system for OpenSSL.
///
/// The probe functionality manipulates the `SSL_CERT_FILE` and `SSL_CERT_DIR` environment variables
Expand Down
10 changes: 10 additions & 0 deletions website/content/en/highlights/2023-11-07-0-34-0-upgrade-guide.md
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ Vector's 0.34.0 release includes **breaking changes**:
1. [Removal of Deprecated Metrics Replaced by `component_errors_total`](#deprecated-component-errors-total-metrics)
1. [Removal of `peer_addr` Metric Tag](#remove-peer-addr)
1. [Blackhole sink no longer reports by default](#blackhole-sink-reporting)
1. [Remove direct OpenSSL legacy provider support](#openssl-legacy-provider)


We cover them below to help you upgrade quickly:
Expand Down Expand Up @@ -91,3 +92,12 @@ The `peer_addr` tag has been removed from the `component_received_bytes_total` i
The `blackhole` sink no longer reports events processed every second by default. Instead this
behavior can be opted into by setting `print_interval_secs` to `1` (or any other integer). This
change was made due to users being surprised that this sink generates output by default.

#### Remove direct OpenSSL legacy provider support {#openssl-legacy-provider}

In this release, we drop support for enabling the OpenSSL legacy provider via
`--openssl-legacy-provider` (and its environment variable: `VECTOR_OPENSSL_LEGACY_PROVIDER`). This
flag was deprecated in v0.33.0.

The legacy OpenSSL provider (and other providers than the default provider) can still be enabled if
desired through [options in OpenSSL's configuration](/docs/reference/configuration/tls)
8 changes: 0 additions & 8 deletions website/cue/reference/cli.cue
Original file line number Diff line number Diff line change
Expand Up @@ -113,10 +113,6 @@ cli: {
description: env_vars.VECTOR_NO_GRACEFUL_SHUTDOWN_LIMIT.description
env_var: "VECTOR_NO_GRACEFUL_SHUTDOWN_LIMIT"
}
"openssl-legacy-provider": {
description: env_vars.VECTOR_OPENSSL_LEGACY_PROVIDER.description
env_var: "VECTOR_OPENSSL_LEGACY_PROVIDER"
}
"openssl-no-probe": {
description: env_vars.VECTOR_OPENSSL_NO_PROBE.description
env_var: "VECTOR_OPENSSL_NO_PROBE"
Expand Down Expand Up @@ -632,10 +628,6 @@ cli: {
description: "Never time out while waiting for graceful shutdown after SIGINT or SIGTERM received. This is useful when you would like for Vector to attempt to send data until terminated by a SIGKILL. Overrides/cannot be set with `--graceful-shutdown-limit-secs`."
type: bool: default: false
}
VECTOR_OPENSSL_LEGACY_PROVIDER: {
description: "Load the OpenSSL legacy provider."
type: bool: default: false
}
VECTOR_OPENSSL_NO_PROBE: {
description: """
Disable probing and configuration of root certificate locations on the system for OpenSSL.
Expand Down

0 comments on commit 2bba40a

Please sign in to comment.