Update Foxy OpenSSL to 1.1.1g on Windows. #454
Conversation
This OpenSSL binary distribution also has a different default install location: C:\Program Files\OpenSSL-Win64
|
CI building up to sros2 and test_security and testing sros2 and test_security. Windows |
|
This PR currently exchanges security failures using rmw_connext_cpp in all Windows configurations for working builds with the new Cryptography wheel in Windows Debug. |
The environment variable introduced in ros2/system_tests#409 is RTI_OPENSSL_LIBS not RTI_OPENSSL_LIB Signed-off-by: Steven! Ragnarök <steven@nuclearsandwich.com>
|
When looking at it, the Windows dockerfiles always had support for pointing connext to its own OpenSSL installation but there was a disagreement between the environment variable name in the initial and final iterations of the PR. |
|
Well the latest CI run didn't change the outcome. For some reason the RTI_OPENSSL_LIBS directory is being put on the PATH rather than the RTI_OPENSSL_BIN directory (which on Windows includes both executables and ddls). I'm out of gas for tonight so we'll lose another debug nightly and I'll be back at it in the morning. |
| @@ -78,11 +78,11 @@ RUN 7z.exe x C:\TEMP\opencv.zip -aoa -oC:\ | |||
| RUN 7z.exe x C:\TEMP\OpenSplice.zip -aoa -oC:\opensplice | |||
|
|
|||
| # Environment setup | |||
| ENV OPENSSL_CONF C:\OpenSSL-Win64\bin\openssl.cfg | |||
| ENV OPENSSL_CONF "C:\Program Files\OpenSSL-Win64\bin\openssl.cfg" | |||
There was a problem hiding this comment.
Strange, on my native Windows machine, the OpenSSL installer defaults to C:\OpenSSL-Win64 as the install root.
There was a problem hiding this comment.
I've seen that as well, at one point it was because I customized the install path and then a subsequent reinstall (part of a script) had a different default location. Do you have an earlier version of OpenSSL installed? It might be looking at the previous installation path?
There was a problem hiding this comment.
I re-located the old installation of OpenSSL; but it's possible there was still some user-data floating around.
nuclearsandwich
assigned nuclearsandwich and jacobperron and unassigned nuclearsandwich
|
I'm stuck on this as well. Locally, the Connext security tests pass for me when setting Based on the errors, it sounds like Connext isn't installed properly: But I ran @mikaelarguedas any ideas? |
It seems that the Connext tests pass locally for me even if |
Could you still be using Openssl 1.0.2 like the current CI does so you dont need to point to RTI's OpenSSL? This s a bit unfortunate that this doesnt build on the work of #421 that already has context, a bunch of tickets linked to it and acknowledges the work done on this topic over the last 2 months... several of the questions in this PR are answered on the other PR...
I believe the "always had support" was mostly a copy-n-paste from the Linux dockerfiles but have never been tested, variable names were not matching and variable contents were never taken into account ros2/system_tests#409. So this is not known the have ever worked in the past that I know of.
I don't think that's true. A good way to confirm it is to see that the first element of the
alternative idea:
|
I have OpenSSL 1.1.1g installed. And then extracted RTI's OpenSSL into a separate directory. 🤷♂️
AFAIK, VS2017 and VS2019 are binary compatible.
Maybe not, but I guess we should first figure out why tests are not passing in a release build.
I think you're suggesting making this change in test_security, right? We can give it a try. |
That's encouraging ! now just need to play spot the difference with CI
What I meant is to make this dockerfile install both openssl 1.1.1 and openssl 1.0.2 from the website and set the RTI_OPENSSL_* variables to point to the OpenSSL 1.0.2 installation folder (without needing a change in test_security) and see if in that case the Connext security plugins can be loaded successfully |
|
I've just opened this PR that disables the Connext security tests on Windows: ros2/system_tests#433 I think it would be good to land that and this PR so that we unblock Windows debug builds and get OpenSSL 1.1.1 for the security tests with other RMWs. |
Sure, that's still a step in the right direction 👍 I gave a shot to the alternative of installing both openssl 1.0.2 and 1.1.1 from the website (using this branch https://github.com/ros2/ci/compare/recent-openssl) and ran jobs with FastRTPS and Connext in release and debug and they came back green: The Fast-RTPS build step is for sure using openssl 1.1.1g, I'm not certain for the tests but it seems likely |
This is an alternative to #421 which installs (currently the same) OpenSSL binary via chocolatey. Since the OpenSSL version needs to be compiled in to our debug wheel of cryptography for sros2 I would prefer to opt into updates rather than get them by surprise via chocolatey.
This OpenSSL binary distribution also has a different default install
location: C:\Program Files\OpenSSL-Win64 I didn't see a cli option in the installer to change the target location but one may exist.