-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(core): refactor the openssl provider option so it is usable #18261
Conversation
This commit re-implements the `--openssl-legacy-provider` (bool) into `--openssl-provider` (enum). Previously, the option default was set to `true` and there was no way to switch it to `false` using the CLI argument because the arg action by default is `SetTrue`. The associated environment variable was the only way to turn the legacy provider on or off. To avoid a potentially non-intuitive falsey `--openssl-no-legacy-provider` boolean option, it is now re-implemented as an enum option with all the possible built-in OpenSSL 3.1 implementation providers. The default was kept as `legacy` to remain consistent with the previous behavior. OpenSSL 3.1 reference: <https://www.openssl.org/docs/man3.1/man7/crypto.html> (OPENSSL PROVIDERS) Signed-off-by: Hugo Hromic <hhromic@gmail.com>
✅ Deploy Preview for vector-project ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
✅ Deploy Preview for vrl-playground canceled.
|
Signed-off-by: Hugo Hromic <hhromic@gmail.com>
A bit more context. The original implementation was in PR #17669, where the default was originally |
Thanks for this @hhromic ! This does seem like a more flexible approach. This is another motivator to do release candidates to flag this sort of thing earlier. It does seem like there isn't a way to disable it using the CLI flag. I was expecting
I had actually meant to add it as a highlight, but completely forgot. I'm putting that together now. Given it has technically been released, even if not particularly highlighted yet, I think we have to leave the flag in and remove it in 0.33.0 instead to meet user expectations for compatibility. For the purposes of your PR I think that would mean:
In the future I think we can remove What do you think? |
Hey @jszwedko , thanks for your comment/input !
Yep. Exactly how I realized it was not working too :). The issue is that the attribute for this variable is boolean, so it does not take a value. The available actions for boolean arguments are
The existing flag is fully broken because it doesn't do anything. I am confident nobody is using it or will not be able to use it. I honestly think that we can get rid of it without any harm. The environment variable Modifying the attribute/flag to accept values and then parse In summary, I believe we can get away with renaming/changing the argument flag like I did in this PR as long as we preserve the funcionality of the Maybe you can add a known-issue for 0.32.0 for this flag and mention that it will be refactored in the next version?
See above. I think the simplest approach would be for me to implement backwards compatibility for the What do you think? |
Hi @hhromic, Thank you for bringing this to our attention and for implementing a fix. For the sake of time and addressing a related issue, I made a separate PR fixing the existing cli arg (#18276) to avoid breaking backwards compatibility. Going forward, I like your proposed changes. Given that a user can and sometimes would like to load multiple providers, I think we should change |
Ah, I didn't think that you can chain providers. I thought that you are supposed to load one at a time. |
Ah you are right, it is possible to combine them. I'll do that then! |
Hey @dsmith3197 @jszwedko , Given that I gave this more thought and I am not sure having the ability to configure arbitrary SSL providers is truly useful to users after all. The only potential use case could be enabling the FIPS provider but I think it would be better to implement it using a dedicated All that being said, let me know if I should simply close this PR for now. No worries! |
Hey @hhromic, I think I agree with your assessment overall. Implementing / assessing proper FIPS support for Vector will take some effort, particularly because some of the crates we use depend upon tls crates other than openssl. I think we can close this PR for now. Thank you for all your help! |
I personally think this PR would still be useful to as it allow users to configure the FIPS provider. Granted I agree that there is more work to be done to make Vector totally FIPS compliant but it could be a stepping stone and sufficient for some users to satisfy their requirements. It would also future proof Vector to let users use custom providers, once those exist more in the wild. Per the OpenSSL docs:
It will also allow users who want to use the legacy provider after it is removed from Vector's default providers, to do so. What do you think @hhromic ? Would you be open to pushing this PR forward if you agree? Otherwise I can open an issue for us to follow up on. |
After taking a closer look to the OpenSSL FIPS module documentation, it is clear that the recommended approach is to configure OpenSSL on the system (e.g. in I just did a quick check and Vector's vendored OpenSSL module seems to try to read a system configuration file by default:
That default location is likely missing in most environments, however it can be customised and Vector does pick it up:
In other words, I think Vector actually already fully supports FIPS and any openssl providers via configuration this way :) This also means that users wanting to use the legacy provider, could have done so via OpenSSL configuration without even needing the temporary If you agree, I can do some experiments and tests and submit a documentation PR explaining how to leverage configuring OpenSSL externally to Vector for advanced setups. This keeps Vector code less polluted too. |
Out of curiosity/challenge I went ahead and managed to prove my own prediction:
First, create a self-signed certificate/key pair for testing (make sure you are using OpenSSL 3.x tools!):
Then, create a PKCS#12 file from the above using LEGACY algorithms (notice the
Write down the password used to encrypt the file. For the example below, I just used For testing, consider the following Vector pipeline that will try to use the above PKCS#12 file: sources:
exec:
type: exec
command: ["printenv"]
mode: scheduled
sinks:
http:
type: http
inputs: ["exec"]
uri: https://localhost:1234
tls:
crt_file: certificate.p12
key_pass: "1234" # used in the "openssl pkcs12 ..." command
encoding:
codec: json If you run Vector with the above pipeline and the legacy provider disabled, it will NOT work (legacy alg not found):
Now, let's create an OpenSSL configuration file that enables the legacy provider OUTSIDE of Vector: openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1 If we run Vector again using the above configuration AND
It is true that an In this same manner, any OpenSSL setup (including using the FIPS module) can be used in Vector without needing any specific code in Vector itself to handle different advanced configurations. This is the way operators are supposed to configure applications with a single point of configuration when all of them use OpenSSL as the SSL/TLS library. TLDR; if an operator/user configures FIPS in the system via In summary, I think Vector should get rid of |
Coming from #18467 , I can't agree more that leveraging and adding doc about system openssl seems better approach overall. OpenSSL has plethora of options to configure, proxy those in vector can be tiresome and confusing. |
While checking the OpenSSL legacy provider CLI option, I realized that it is actually unusable.
Therefore, this PR re-implements the
--openssl-legacy-provider
(bool) into--openssl-provider
(enum).Previously, the option default was set to
true
and there was no way to switch it tofalse
using the CLI argument because the arg action by default isSetTrue
. The associated environment variable was the only way to turn the legacy provider on or off. To avoid a potentially non-intuitive falsey--openssl-no-legacy-provider
boolean option, it is now re-implemented as an enum option with all the possible built-in OpenSSL 3.1 implementation providers.The default was kept as
legacy
to remain consistent with the previous behavior.When the legacy provider is fully deprecated, we can simply switch the default for this option to
default
.Note that I decided to include all of the built-in OpenSSL providers for completeness, but I'm not sure if the Vector team and users really need them all. Please let me know if you want to scope the list of available providers to a smaller list.
This is a breaking change for users using the
VECTOR_OPENSSL_LEGACY_PROVIDER=false
environment variable. This flag was released in Vector 0.32.0 (today) but not announced in the highlights. So I'm not sure to flag this as a breaking change or not. The migration step after this PR would be to useVECTOR_OPENSSL_PROVIDER=default
.OpenSSL 3.1 reference: https://www.openssl.org/docs/man3.1/man7/crypto.html (OPENSSL PROVIDERS)