Remove OpenSSL dependencies #12411
Seems reasonable to me, assuming the functionality was manually tested. Thanks for doing this work!
> This PR completely removes OpenSSL dependency from Teleport's binaries.

Sadly, this isn't entirely true. `libfido2` pulls `libcrypto` into our `tsh` builds, but I suppose it is true now for RDP. Please edit the description to mention that this is related to RDP, it may give the wrong impression to people otherwise.
@codingllama I've reverted that indentation and slightly changed one item in the list to remove all the docs lint warnings. Also, now it is exactly as other lists and texts in this file, so I'm assuming everything will render correctly.
@@ -314,6 +314,62 @@ Computer Configuration > Policies > Administrative Templates > Windows Component | |||
![Disable Require](../../img/desktop-access/disable.png) | |||
</Figure> | |||
|
|||
### Configure certificate for RDP connections |
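Review bot: the added heading "### Configure certificate for RDP connections" is an H3 placed directly after the closing </Figure> of the Group Policy section named in the hunk header, so the 56 new lines will render as a subsection of that section. If they describe a separate procedure, promote the heading to the level the other top-level sections use so it gets its own entry in the page outline.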
It looks like this is the final subsection of "Step 3/6: Configure a GPO to allow Teleport connections". I'm not sure that's the intention, though, since the second paragraph begins with "In this step we'll...".
If this is the beginning of a new step, we'll need to promote this section heading to an H2 (using `##` instead of `###`), add "Step n/d:" to the title, and renumber the rest of the H2 section headings (e.g., this would be "Step 4/7").
I was thinking about whether I should add it as a separate step or add it to the existing one as it's related to it. After I gave it some thought and re-read it again, I agree that it makes more sense to make it a separate optional step.
Approved with some very minor suggestions
RustCrypto is preferred, as it's a pure-Rust implementation, which simplifies cross compilation for us and prevents us from needing to pull in all of OpenSSL. We originally thought that OpenSSL would be required here as RustCrypto didn't appear to support RSA decryption without padding, but that turned out to be false.
* Bump rdp-rs (#11768)

  I had made some changes to rdp-rs to expose new flags for tweaking some performance characteristics, but never got around to pulling in the update here. Fix this now so as not to block upcoming work the team is doing on rdp-rs.

* Use RustCrypto/RSA instead of OpenSSL

  RustCrypto is preferred, as it's a pure-Rust implementation, which simplifies cross compilation for us and prevents us from needing to pull in all of OpenSSL. We originally thought that OpenSSL would be required here as RustCrypto didn't appear to support RSA decryption without padding, but that turned out to be false.

* Remove OpenSSL dependency from the rust RDP client

Co-authored-by: Zac Bergquist <zmb3@users.noreply.github.com>
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
This PR completely removes OpenSSL dependency from teleport binary.
It combines two things:
Also, I've added docs sections for setting up certificate templates for RDP connection