From 2bba40a0baad268335bf725a327fcf20e9f6ec9b Mon Sep 17 00:00:00 2001 From: Jesse Szwedko Date: Thu, 2 Nov 2023 10:01:01 -0700 Subject: [PATCH] chore(security)!: Remove legacy OpenSSL provider flags (#19015) * chore(security)!: Remove legacy OpenSSL provider flags Signed-off-by: Jesse Szwedko * Remove trailing newline Signed-off-by: Jesse Szwedko --------- Signed-off-by: Jesse Szwedko --- docs/DEPRECATIONS.md | 1 - src/app.rs | 36 ------------------- src/cli.rs | 12 ------- .../2023-11-07-0-34-0-upgrade-guide.md | 10 ++++++ website/cue/reference/cli.cue | 8 ----- 5 files changed, 10 insertions(+), 57 deletions(-) diff --git a/docs/DEPRECATIONS.md b/docs/DEPRECATIONS.md index 3d8491ecbb811..d0495855fdb1f 100644 --- a/docs/DEPRECATIONS.md +++ b/docs/DEPRECATIONS.md @@ -7,4 +7,3 @@ See [DEPRECATION.md](docs/DEPRECATION.md#process) for the process for updating t ## To be removed * datadog_v1_metrics v0.35.0 Support for `v1` series endpoint in the `datadog_metrics` sink should be removed. -* legacy_openssl_provider v0.34.0 OpenSSL legacy provider flag should be removed diff --git a/src/app.rs b/src/app.rs index 259d846ea94eb..ffe7a01b53e2a 100644 --- a/src/app.rs +++ b/src/app.rs @@ -6,7 +6,6 @@ use futures::StreamExt; #[cfg(feature = "enterprise")] use futures_util::future::BoxFuture; use once_cell::race::OnceNonZeroUsize; -use openssl::provider::Provider; use tokio::runtime::{self, Runtime}; use tokio_stream::wrappers::UnboundedReceiverStream; @@ -58,7 +57,6 @@ pub struct Application { pub require_healthy: Option, pub config: ApplicationConfig, pub signals: SignalPair, - pub openssl_providers: Option>, } impl ApplicationConfig { @@ -196,12 +194,6 @@ impl Application { debug!(message = "Disabled probing and configuration of root certificate locations on the system for OpenSSL."); } - let openssl_providers = opts - .root - .openssl_legacy_provider - .then(load_openssl_legacy_providers) - .transpose()?; - let runtime = build_runtime(opts.root.threads, "vector-worker")?; // Signal handler for OS and provider messages. @@ -222,7 +214,6 @@ impl Application { require_healthy: opts.root.require_healthy, config, signals, - openssl_providers, }, )) } @@ -239,7 +230,6 @@ impl Application { require_healthy, config, signals, - openssl_providers, } = self; let topology_controller = SharedTopologyController::new(TopologyController { @@ -258,7 +248,6 @@ impl Application { graceful_crash_receiver: config.graceful_crash_receiver, signals, topology_controller, - openssl_providers, }) } } @@ -269,7 +258,6 @@ pub struct StartedApplication { pub graceful_crash_receiver: ShutdownErrorReceiver, pub signals: SignalPair, pub topology_controller: SharedTopologyController, - pub openssl_providers: Option>, } impl StartedApplication { @@ -283,7 +271,6 @@ impl StartedApplication { graceful_crash_receiver, signals, topology_controller, - openssl_providers, internal_topologies, } = self; @@ -316,7 +303,6 @@ impl StartedApplication { signal, signal_rx, topology_controller, - openssl_providers, internal_topologies, } } @@ -372,7 +358,6 @@ pub struct FinishedApplication { pub signal: SignalTo, pub signal_rx: SignalRx, pub topology_controller: SharedTopologyController, - pub openssl_providers: Option>, pub internal_topologies: Vec, } @@ -382,7 +367,6 @@ impl FinishedApplication { signal, signal_rx, topology_controller, - openssl_providers, internal_topologies, } = self; @@ -403,7 +387,6 @@ impl FinishedApplication { topology.stop().await; } - drop(openssl_providers); status } @@ -585,22 +568,3 @@ pub fn init_logging(color: bool, format: LogFormat, log_level: &str, rate: u64) ); info!(message = "Log level is enabled.", level = ?level); } - -/// Load the legacy OpenSSL provider. -/// -/// The returned [Provider] must stay in scope for the entire lifetime of the application, as it -/// will be unloaded when it is dropped. -pub fn load_openssl_legacy_providers() -> Result, ExitCode> { - warn!(message = "DEPRECATED The openssl legacy provider provides algorithms and key sizes no longer recommended for use. Set `--openssl-legacy-provider=false` or `VECTOR_OPENSSL_LEGACY_PROVIDER=false` to disable. See https://vector.dev/highlights/2023-08-15-0-32-0-upgrade-guide/#legacy-openssl for details."); - ["legacy", "default"].into_iter().map(|provider_name| { - Provider::try_load(None, provider_name, true) - .map(|provider| { - info!(message = "Loaded openssl provider.", provider = provider_name); - provider - }) - .map_err(|error| { - error!(message = "Failed to load openssl provider.", provider = provider_name, %error); - exitcode::UNAVAILABLE - }) - }).collect() -} diff --git a/src/cli.rs b/src/cli.rs index 54ec9cbb747c4..a853303a28d85 100644 --- a/src/cli.rs +++ b/src/cli.rs @@ -197,18 +197,6 @@ pub struct RootOpts { )] pub allocation_tracing_reporting_interval_ms: u64, - /// Load the OpenSSL legacy provider. - #[arg( - long, - env = "VECTOR_OPENSSL_LEGACY_PROVIDER", - default_value = "false", - default_missing_value = "false", - num_args = 0..=1, - require_equals = true, - action = ArgAction::Set - )] - pub openssl_legacy_provider: bool, - /// Disable probing and configuration of root certificate locations on the system for OpenSSL. /// /// The probe functionality manipulates the `SSL_CERT_FILE` and `SSL_CERT_DIR` environment variables diff --git a/website/content/en/highlights/2023-11-07-0-34-0-upgrade-guide.md b/website/content/en/highlights/2023-11-07-0-34-0-upgrade-guide.md index 3cdad1f92388b..0b1fe0e5011d6 100644 --- a/website/content/en/highlights/2023-11-07-0-34-0-upgrade-guide.md +++ b/website/content/en/highlights/2023-11-07-0-34-0-upgrade-guide.md @@ -16,6 +16,7 @@ Vector's 0.34.0 release includes **breaking changes**: 1. [Removal of Deprecated Metrics Replaced by `component_errors_total`](#deprecated-component-errors-total-metrics) 1. [Removal of `peer_addr` Metric Tag](#remove-peer-addr) 1. [Blackhole sink no longer reports by default](#blackhole-sink-reporting) +1. [Remove direct OpenSSL legacy provider support](#openssl-legacy-provider) We cover them below to help you upgrade quickly: @@ -91,3 +92,12 @@ The `peer_addr` tag has been removed from the `component_received_bytes_total` i The `blackhole` sink no longer reports events processed every second by default. Instead this behavior can be opted into by setting `print_interval_secs` to `1` (or any other integer). This change was made due to users being surprised that this sink generates output by default. + +#### Remove direct OpenSSL legacy provider support {#openssl-legacy-provider} + +In this release, we drop support for enabling the OpenSSL legacy provider via +`--openssl-legacy-provider` (and its environment variable: `VECTOR_OPENSSL_LEGACY_PROVIDER`). This +flag was deprecated in v0.33.0. + +The legacy OpenSSL provider (and other providers than the default provider) can still be enabled if +desired through [options in OpenSSL's configuration](/docs/reference/configuration/tls) diff --git a/website/cue/reference/cli.cue b/website/cue/reference/cli.cue index df5f1d8c8b98a..14cc75db42cd9 100644 --- a/website/cue/reference/cli.cue +++ b/website/cue/reference/cli.cue @@ -113,10 +113,6 @@ cli: { description: env_vars.VECTOR_NO_GRACEFUL_SHUTDOWN_LIMIT.description env_var: "VECTOR_NO_GRACEFUL_SHUTDOWN_LIMIT" } - "openssl-legacy-provider": { - description: env_vars.VECTOR_OPENSSL_LEGACY_PROVIDER.description - env_var: "VECTOR_OPENSSL_LEGACY_PROVIDER" - } "openssl-no-probe": { description: env_vars.VECTOR_OPENSSL_NO_PROBE.description env_var: "VECTOR_OPENSSL_NO_PROBE" @@ -632,10 +628,6 @@ cli: { description: "Never time out while waiting for graceful shutdown after SIGINT or SIGTERM received. This is useful when you would like for Vector to attempt to send data until terminated by a SIGKILL. Overrides/cannot be set with `--graceful-shutdown-limit-secs`." type: bool: default: false } - VECTOR_OPENSSL_LEGACY_PROVIDER: { - description: "Load the OpenSSL legacy provider." - type: bool: default: false - } VECTOR_OPENSSL_NO_PROBE: { description: """ Disable probing and configuration of root certificate locations on the system for OpenSSL.