Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BP_OPENSSL_ACTIVATE_LEGACY_PROVIDER: load legacy ssl provider via env var #921

Merged
merged 1 commit into from
Feb 15, 2024
Merged

BP_OPENSSL_ACTIVATE_LEGACY_PROVIDER: load legacy ssl provider via env var #921

merged 1 commit into from
Feb 15, 2024

Conversation

sophiewigmore
Copy link
Member

@sophiewigmore sophiewigmore commented Feb 15, 2024
edited
Loading

As a follow on from #905, allow users to also load the legacy openssl provider on cflinuxfs4 via a new environment variable, BP_USE_LEGACY_OPENSSL. This can be passed directly when running cf push or via manifest.yml file

add support for new BP_OPENSSL_ACTIVATE_LEGACY_PROVIDER environment variable

  • Enabling the new environment variable will load and active the legacy openssl provider on cflinuxfs4
  • Removes use_legacy_openssl buildpack.yml setting in favour of the environment variable

arjun024
arjun024 requested changes Feb 15, 2024
View reviewed changes
Copy link
Member

@arjun024 arjun024 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not very fond of BP_USE_LEGACY_OPENSSL because the buildpack is not really instructing the build to use legacy openssl.

  • It may be misconstrued as being instructed to use openssl1 or anything < openssl3
    OR
  • It may be misconstrued as being instructed to simply use the Openssl3 legacy provider - that's also not true. AFAIU, the config we add instructs openssl3 to load and activate the legacy provider in addition to the openssl3 default provider.[1]

How about something like BP_OPENSSL_ACTIVATE_LEGACY_PROVIDER? If you think it's too long, trim the _PROVIDER suffix. The verb activate seems to be well known/used with openssl providers. Let's also document it in the CF documentation.

Other than the above, the PR LGTM.

Ref

  1. https://wiki.openssl.org/index.php/OpenSSL_3.0#Legacy_Algorithms:~:text=This%20is%20a%20minimal%20config%20file%20example%20to%20load%20and%20activate%20both%20the%20legacy%20and%20the%20default%20provider%20in%20the%20default%20library%20context.

@sophiewigmore
Copy link
Member Author

@arjun024 that's a great point. I didn't think about how misleading that could be. I like BP_OPENSSL_ACTIVATE_LEGACY_PROVIDER, I think it's descriptive (although long). I know we've already released the buildpack.yml change with the name use_legacy_openssl, but do you think we should change that to be openssl_activate_legacy_provider as well?

add support for BP_OPENSSL_ACTIVATE_LEGACY_PROVIDER
7b05a6b 
- Enabling the new environment variable will load and active the legacy
openssl provider
- Removes `use_legacy_openssl` buildpack.yml setting in favour of the
environment variable
@sophiewigmore sophiewigmore changed the title BP_USE_LEGACY_OPENSSL: load legacy ssl provider via env var BP_OPENSSL_ACTIVATE_LEGACY_PROVIDER: load legacy ssl provider via env var Feb 15, 2024
@sophiewigmore sophiewigmore merged commit 4ef12fd into develop Feb 15, 2024
7 checks passed
@sophiewigmore sophiewigmore deleted the legacy-ssl-env-var branch February 15, 2024 21:15
@sophiewigmore sophiewigmore mentioned this pull request Feb 16, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arjun024 arjun024 arjun024 approved these changes

@ForestEckhardt ForestEckhardt Awaiting requested review from ForestEckhardt

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sophiewigmore @arjun024