feat: support openssl3 (#357)
AlinsRan authored Dec 27, 2023
1 parent 4ff4171 commit 055f1e6
Showing 9 changed files with 480 additions and 24 deletions.
Expand Up @@ -43,7 +43,7 @@ jobs:
docker exec ubuntu20.04Instance bash -c "wget -O - https://openresty.org/package/pubkey.gpg | apt-key add -"
docker exec ubuntu20.04Instance bash -c 'echo "deb http://openresty.org/package/ubuntu $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/openresty.list'
docker exec ubuntu20.04Instance bash -c "DEBIAN_FRONTEND=noninteractive apt-get update"
docker exec ubuntu20.04Instance bash -c "DEBIAN_FRONTEND=noninteractive apt-get -y install openresty-openssl111 openresty-pcre openresty-zlib"
docker exec ubuntu20.04Instance bash -c "DEBIAN_FRONTEND=noninteractive apt-get -y install openresty-pcre openresty-zlib"
- name: install deb in container
run: |
2 changes: 1 addition & 1 deletion .github/workflows/package-apisix-runtime-rpm-el7.yml
Expand Up @@ -38,7 +38,7 @@ jobs:
- name: install dependencies in container
run: |
docker exec centos7Instance bash -c "yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo"
docker exec centos7Instance bash -c "yum -y install openresty-openssl111 openresty-pcre openresty-zlib"
docker exec centos7Instance bash -c "yum -y install openresty-pcre openresty-zlib"
- name: install rpm in container
run: |
2 changes: 1 addition & 1 deletion .github/workflows/package-apisix-runtime-rpm-el8.yml
Expand Up @@ -45,7 +45,7 @@ jobs:
docker exec centos8Instance bash -c "dnf install -y yum-utils"
docker exec centos8Instance bash -c "yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo"
docker exec centos8Instance bash -c "yum -y install openresty-openssl111 openresty-pcre openresty-zlib"
docker exec centos8Instance bash -c "yum -y install openresty-pcre openresty-zlib"
- name: install rpm in container
run: |
2 changes: 1 addition & 1 deletion .github/workflows/package-apisix-runtime-rpm-ubi.yml
Expand Up @@ -37,7 +37,7 @@ jobs:
run: |
docker exec ubiInstance bash -c "dnf install -y yum-utils"
docker exec ubiInstance bash -c "yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo"
docker exec ubiInstance bash -c "yum -y install openresty-openssl111 openresty-pcre openresty-zlib"
docker exec ubiInstance bash -c "yum -y install openresty-pcre openresty-zlib"
- name: install rpm in container
run: |
4 changes: 2 additions & 2 deletions build-apisix-runtime-debug-centos7.sh
Expand Up @@ -4,9 +4,9 @@ set -x

yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo
yum -y install gcc gcc-c++ patch wget git make sudo
yum -y install openresty-openssl111-devel openresty-pcre-devel openresty-zlib-devel
yum -y install openresty-pcre-devel openresty-zlib-devel

export openssl_prefix=/usr/local/openresty/openssl111
export openssl_prefix=/usr/local/openresty/openssl3
export zlib_prefix=/usr/local/openresty/zlib
export pcre_prefix=/usr/local/openresty/pcre

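Review bot: The new `export openssl_prefix=/usr/local/openresty/openssl3` points at a directory that nothing in this hunk populates, because the `openresty-openssl111-devel` install is dropped and no OpenSSL 3 package replaces it. The prefix presumably only exists once `install_openssl_3` in build-apisix-runtime.sh has run, and that script reads the upper-case `OPENSSL_PREFIX` rather than this variable, so the two settings can drift apart. A comment above the export such as `# OpenSSL 3 is built from source by build-apisix-runtime.sh; keep this path equal to its OPENSSL_PREFIX` would make the dependency explicit. The rest of the script lies outside the hunk, so how `openssl_prefix` is consumed there should be confirmed.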
61 changes: 57 additions & 4 deletions build-apisix-runtime.sh
Expand Up @@ -4,6 +4,23 @@ set -x

runtime_version=${runtime_version:-0.0.0}


debug_args=${debug_args:-}
ENABLE_FIPS=${ENABLE_FIPS:-"false"}
OPENSSL_CONF_PATH=${OPENSSL_CONF_PATH:-$PWD/conf/openssl3/openssl.cnf}


OR_PREFIX=${OR_PREFIX:="/usr/local/openresty"}
OPENSSL_PREFIX=${OPENSSL_PREFIX:=$OR_PREFIX/openssl3}
zlib_prefix=${OR_PREFIX}/zlib
pcre_prefix=${OR_PREFIX}/pcre

cc_opt=${cc_opt:-"-DNGX_LUA_ABORT_AT_PANIC -I$zlib_prefix/include -I$pcre_prefix/include -I$OPENSSL_PREFIX/include"}
ld_opt=${ld_opt:-"-L$zlib_prefix/lib -L$pcre_prefix/lib -L$OPENSSL_PREFIX/lib -Wl,-rpath,$zlib_prefix/lib:$pcre_prefix/lib:$OPENSSL_PREFIX/lib"}


# dependencies for building openresty
OPENSSL_VERSION=${OPENSSL_VERSION:-"3.2.0"}
OPENRESTY_VERSION="1.21.4.2"
ngx_multi_upstream_module_ver="1.1.1"
mod_dubbo_ver="1.0.2"
Expand All @@ -12,8 +29,41 @@ wasm_nginx_module_ver="0.6.5"
lua_var_nginx_module_ver="v0.5.3"
grpc_client_nginx_module_ver="v0.4.4"
lua_resty_events_ver="0.2.0"
OR_PREFIX=${OR_PREFIX:="/usr/local/openresty"}
debug_args=${debug_args:-}


install_openssl_3(){
local fips=""
if [ "$ENABLE_FIPS" == "true" ]; then
fips="enable-fips"
fi
# required for openssl 3.x config
cpanm IPC/Cmd.pm
wget --no-check-certificate https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz
tar xvf openssl-${OPENSSL_VERSION}.tar.gz
cd openssl-${OPENSSL_VERSION}/
export LDFLAGS="-Wl,-rpath,$zlib_prefix/lib:$OPENSSL_PREFIX/lib"
./config $fips \
shared \
zlib \
enable-camellia enable-seed enable-rfc3779 \
enable-cms enable-md2 enable-rc5 \
enable-weak-ssl-ciphers \
--prefix=$OPENSSL_PREFIX \
--libdir=lib \
--with-zlib-lib=$zlib_prefix/lib \
--with-zlib-include=$zlib_prefix/include
make -j $(nproc) LD_LIBRARY_PATH= CC="gcc"
make install
if [ -f "$OPENSSL_CONF_PATH" ]; then
cp "$OPENSSL_CONF_PATH" "$OPENSSL_PREFIX"/ssl/openssl.cnf
fi
if [ "$ENABLE_FIPS" == "true" ]; then
$OPENSSL_PREFIX/bin/openssl fipsinstall -out $OPENSSL_PREFIX/ssl/fipsmodule.cnf -module $OPENSSL_PREFIX/lib/ossl-modules/fips.so
sed -i 's@# .include fipsmodule.cnf@.include '"$OPENSSL_PREFIX"'/ssl/fipsmodule.cnf@g; s/# \(fips = fips_sect\)/\1\nbase = base_sect\n\n[base_sect]\nactivate=1\n/g' $OPENSSL_PREFIX/ssl/openssl.cnf
fi
cd ..
}


if ([ $# -gt 0 ] && [ "$1" == "latest" ]) || [ "$version" == "latest" ]; then
debug_args="--with-debug"
Expand All @@ -24,6 +74,9 @@ repo=$(basename "$prev_workdir")
workdir=$(mktemp -d)
cd "$workdir" || exit 1


install_openssl_3

wget --no-check-certificate https://openresty.org/download/openresty-${OPENRESTY_VERSION}.tar.gz
tar -zxvpf openresty-${OPENRESTY_VERSION}.tar.gz > /dev/null

Expand Down Expand Up @@ -95,8 +148,7 @@ cd wasm-nginx-module-${wasm_nginx_module_ver} || exit 1
./install-wasmtime.sh
cd ..

cc_opt=${cc_opt:-}
ld_opt=${ld_opt:-}

luajit_xcflags=${luajit_xcflags:="-DLUAJIT_NUMMODE=2 -DLUAJIT_ENABLE_LUA52COMPAT"}
no_pool_patch=${no_pool_patch:-}
# TODO: remove old NGX_HTTP_GRPC_CLI_ENGINE_PATH once we have released a new
Expand Down Expand Up @@ -126,6 +178,7 @@ else
mv lua-resty-limit-traffic-$limit_ver bundle/lua-resty-limit-traffic-$or_limit_ver
fi


./configure --prefix="$OR_PREFIX" \
--with-cc-opt="-DAPISIX_RUNTIME_VER=$runtime_version $grpc_engine_path $cc_opt" \
--with-ld-opt="-Wl,-rpath,$OR_PREFIX/wasmtime-c-api/lib $ld_opt" \
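Review bot: `install_openssl_3` fetches the OpenSSL tarball with `wget --no-check-certificate` and unpacks it without any integrity check, so whatever the network returns is compiled and installed as the runtime's TLS library. Dropping the flag and pinning a digest next to `OPENSSL_VERSION` closes that gap: `wget https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz` followed by `echo "${OPENSSL_SHA256}  openssl-${OPENSSL_VERSION}.tar.gz" | sha256sum -c - || exit 1`, where `OPENSSL_SHA256` is a new, environment-overridable variable holding the published digest for the pinned version (a placeholder name, not on this page). The pre-existing openresty download further down uses the same flag and would benefit from the same treatment. Separately, the `./config` line turns on `enable-weak-ssl-ciphers`, `enable-md2` and `enable-rc5`; if they are needed for compatibility a comment saying why would help, otherwise they are better left off.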