chore(deps): Bump OpenSSL base version to 3.1.* (#17669)

* chore(deps): Bump OpenSSL base version to 3.0.*

* update tag

* temporary test fix

* fix cross compile

* fix cross compile, centos only

* add force-engine feature

* fix fmtting

* add option for enabling legacy provider

* small nit

* feedback

* add deprecation warn message

---------

Co-authored-by: Doug Smith <doug.smith3197@gmail.com>

Author: bruceg

Cargo.lock

@@ -345,7 +345,7 @@ nix = { version = "0.26.2", default-features = false, features = ["socket", "sig
 [build-dependencies]
 prost-build = { version = "0.11", default-features = false, optional = true }
 tonic-build = { version = "0.9", default-features = false, features = ["transport", "prost"], optional = true }
-openssl-src = { version = "111", default-features = false, features = ["force-engine"] }
+openssl-src = { version = "300", default-features = false, features = ["force-engine", "legacy"] }
 
 [dev-dependencies]
 approx = "0.5.1"
@@ -381,6 +381,11 @@ nix = { git = "https://github.com/vectordotdev/nix.git", branch = "memfd/gnu/mus
 # The `heim` crates depend on `ntapi` 0.3.7 on Windows, but that version has an
 # unaligned access bug fixed in the following revision.
 ntapi = { git = "https://github.com/MSxDOS/ntapi.git", rev = "24fc1e47677fc9f6e38e5f154e6011dc9b270da6" }
+# The current `openssl-sys` crate will vendor the OpenSSL sources via
+# `openssl-src` at version 1.1.1*, but we want version 3.1.*. Bring in forked
+# version of that crate with the appropriate dependency patched in.
+openssl-sys = { git = "https://github.com/vectordotdev/rust-openssl.git", tag = "openssl-sys-v0.9.91+3.0.0" }
+openssl-src = { git = "https://github.com/vectordotdev/openssl-src-rs.git", tag = "release-300-force-engine+3.1.2"}
 
 [features]
 # Default features for *-unknown-linux-gnu and *-apple-darwin

Cargo.toml

@@ -630,6 +630,7 @@ mod test {
 
     #[test]
     fn from_options_pkcs12() {
+        let _provider = openssl::provider::Provider::try_load(None, "legacy", true).unwrap();
         let options = TlsConfig {
             crt_file: Some(TEST_PKCS12_PATH.into()),
             key_pass: Some("NOPASS".into()),

lib/vector-core/src/tls/settings.rs

@@ -3,3 +3,7 @@ set -o errexit
 
 yum install -y unzip centos-release-scl
 yum install -y llvm-toolset-7
+
+# needed to compile openssl
+yum install -y perl-IPC-Cmd
+

scripts/cross/bootstrap-centos.sh

@@ -8,6 +8,7 @@ use futures::StreamExt;
 #[cfg(feature = "enterprise")]
 use futures_util::future::BoxFuture;
 use once_cell::race::OnceNonZeroUsize;
+use openssl::provider::Provider;
 use tokio::{
     runtime::{self, Runtime},
     sync::mpsc,
@@ -61,6 +62,7 @@ pub struct Application {
     pub require_healthy: Option<bool>,
     pub config: ApplicationConfig,
     pub signals: SignalPair,
+    pub openssl_legacy_provider: Option<Provider>,
 }
 
 impl ApplicationConfig {
@@ -186,6 +188,12 @@ impl Application {
             opts.root.internal_log_rate_limit,
         );
 
+        let openssl_legacy_provider = opts
+            .root
+            .openssl_legacy_provider
+            .then(load_openssl_legacy_provider)
+            .flatten();
+
         let runtime = build_runtime(opts.root.threads, "vector-worker")?;
 
         // Signal handler for OS and provider messages.
@@ -206,6 +214,7 @@ impl Application {
                 require_healthy: opts.root.require_healthy,
                 config,
                 signals,
+                openssl_legacy_provider,
             },
         ))
     }
@@ -222,6 +231,7 @@ impl Application {
             require_healthy,
             config,
             signals,
+            openssl_legacy_provider,
         } = self;
 
         let topology_controller = SharedTopologyController::new(TopologyController {
@@ -239,6 +249,7 @@ impl Application {
             graceful_crash_receiver: config.graceful_crash_receiver,
             signals,
             topology_controller,
+            openssl_legacy_provider,
         })
     }
 }
@@ -248,6 +259,7 @@ pub struct StartedApplication {
     pub graceful_crash_receiver: mpsc::UnboundedReceiver<()>,
     pub signals: SignalPair,
     pub topology_controller: SharedTopologyController,
+    pub openssl_legacy_provider: Option<Provider>,
 }
 
 impl StartedApplication {
@@ -261,6 +273,7 @@ impl StartedApplication {
             graceful_crash_receiver,
             signals,
             topology_controller,
+            openssl_legacy_provider,
         } = self;
 
         let mut graceful_crash = UnboundedReceiverStream::new(graceful_crash_receiver);
@@ -315,6 +328,7 @@ impl StartedApplication {
             signal,
             signal_rx,
             topology_controller,
+            openssl_legacy_provider,
         }
     }
 }
@@ -323,6 +337,7 @@ pub struct FinishedApplication {
     pub signal: SignalTo,
     pub signal_rx: SignalRx,
     pub topology_controller: SharedTopologyController,
+    pub openssl_legacy_provider: Option<Provider>,
 }
 
 impl FinishedApplication {
@@ -331,6 +346,7 @@ impl FinishedApplication {
             signal,
             mut signal_rx,
             topology_controller,
+            openssl_legacy_provider,
         } = self;
 
         // At this point, we'll have the only reference to the shared topology controller and can
@@ -340,7 +356,7 @@ impl FinishedApplication {
             .expect("fail to unwrap topology controller")
             .into_inner();
 
-        match signal {
+        let status = match signal {
             SignalTo::Shutdown => {
                 emit!(VectorStopped);
                 tokio::select! {
@@ -382,7 +398,9 @@ impl FinishedApplication {
                 })
             }
             _ => unreachable!(),
-        }
+        };
+        drop(openssl_legacy_provider);
+        status
     }
 }
 
@@ -525,3 +543,18 @@ pub fn init_logging(color: bool, format: LogFormat, log_level: &str, rate: u64)
     );
     info!(message = "Log level is enabled.", level = ?level);
 }
+
+/// Load the legacy OpenSSL provider.
+///
+/// The returned [Provider] must stay in scope for the entire lifetime of the application, as it
+/// will be unloaded when it is dropped.
+pub fn load_openssl_legacy_provider() -> Option<Provider> {
+    warn!(message = "DEPRECATED The openssl legacy provider provides algorithms and key sizes no longer recommended for use.");
+    Provider::try_load(None, "legacy", true)
+        .map(|provider| {
+            info!(message = "Loaded openssl legacy provider.");
+            provider
+        })
+        .map_err(|error| error!(message = "Failed to load openssl legacy provider.", %error))
+        .ok()
+}

src/app.rs

@@ -194,6 +194,10 @@ pub struct RootOpts {
         default_value = "5000"
     )]
     pub allocation_tracing_reporting_interval_ms: u64,
+
+    /// Load the OpenSSL legacy provider.
+    #[arg(long, env = "VECTOR_OPENSSL_LEGACY_PROVIDER", default_value = "true")]
+    pub openssl_legacy_provider: bool,
 }
 
 impl RootOpts {