envoy-openssl build successfully with envoy:cf2df8cbe, commit time is Tue Jul 28 02:32:57 2020.

But build failed with the latest Envoy, when will support the latest Envoy?

The extension configuration that we maintain at https://github.com/envoyproxy/envoy-openssl/blob/master/envoy_build_config/extensions_build_config.bzl has diverged from https://github.com/envoyproxy/envoy/blob/master/source/extensions/extensions_build_config.bzl. We need to sync our config with main Envoy.

Hi there,

I am trying to build envoy 1.29.1 on s390x arch using envoy-openssl repo but bazel build --config=clang --verbose_failures -s @envoy//:envoy fails due to following error:

...
Use --sandbox_debug to see verbose messages from the sandbox and retain the sandbox build root for debugging
[1mexternal/com_github_grpc_grpc/src/core/lib/security/credentials/tls/grpc_tls_crl_provider.cc:60:33: [0m[0;1;31merror: [0m[1muse of undeclared identifier 'X509_CRL_get_issuer'; did you mean 'ossl_X509_CRL_get_issuer'?[0m
  char* buf = X509_NAME_oneline(X509_CRL_get_issuer(crl), nullptr, 0);
[0;1;32m                                ^~~~~~~~~~~~~~~~~~~
[0m[0;32m                                ossl_X509_CRL_get_issuer
[0m[1mbazel-out/s390x-fastbuild/bin/external/bssl-compat/bssl-compat/include/ossl/openssl/x509.h:935:17: [0m[0;1;30mnote: [0m'ossl_X509_CRL_get_issuer' declared here[0m
ossl_X509_NAME *ossl_X509_CRL_get_issuer(const ossl_X509_CRL *crl);
[0;1;32m                ^
[0m[1mexternal/com_github_grpc_grpc/src/core/lib/security/credentials/tls/grpc_tls_crl_provider.cc:60:15: [0m[0;1;31merror: [0m[1muse of undeclared identifier 'X509_NAME_oneline'; did you mean 'ossl_X509_NAME_oneline'?[0m
  char* buf = X509_NAME_oneline(X509_CRL_get_issuer(crl), nullptr, 0);
[0;1;32m              ^~~~~~~~~~~~~~~~~
[0m[0;32m              ossl_X509_NAME_oneline
[0m[1mbazel-out/s390x-fastbuild/bin/external/bssl-compat/bssl-compat/include/ossl/openssl/x509.h:799:7: [0m[0;1;30mnote: [0m'ossl_X509_NAME_oneline' declared here[0m
char *ossl_X509_NAME_oneline(const ossl_X509_NAME *a, char *buf, int size);
[0;1;32m      ^
[0m2 errors generated.
Target @envoy//source/exe:envoy-static failed to build
...

I suspect problem is that bssl-compat build does not contain these declaration resulting in this error. Even after manually changing grpc_tls_crl_provider.cc to use ossl_X509_CRL_get_issuer etc. build fails down the path with other SSL related errors (missing SSL_ERROR_WANT_CERTIFICATE_VERIFY identifier).

Please let me know if there is something obvious I am missing.

Thanks.

I'd like to use envoy-openssl. But I couldn't find envoy-openssl image in https://hub.docker.com/u/envoyproxy
Do you have any plan to provide envoy-openssl as a docker container image?

The bazel.release CI target was disabled due to disk space issues. We should enable it once again.

/cc @mythi

envoy commit: "tls_inspector: enable TLSv1.3. (#118)" needs backporting into this repo.

• Create Submodule for envoy
• Top level folders for collections
• update readme
• add initial bssl-compat code

As you probably have seen by the other opened issue [1], I am interested in getting the Envoy up and running with the OpenSSL extension. With OpenSSL 1.1.1 being EOL now, Maistra is not a feasible approach for us anymore, so we are looking into early-adopting envoy with the OpenSSL extension.

Me and my colleague monitored the changes you introduced over the last couple months, getting closer to a fully working server. We have seen (and tested) that there are currently a few things open, such as the missing mapping of some BoringSSL errors to OpenSSL ones. We are wondering, if we can help expedite the stabilisation process, to get a bit faster to a fully working release; may it be code contributions or testing, we would like to help a bit.

[1] #66

Is there a way I can build a released version of Envoy (v1.13.1) with OpenSSL? Current build yields the below version and I can't run this in production. I'll greatly appreciate any help on this.

envoy  version: 1a29e0d7d9b86124509a0f49c2d6df93ece25450/1.14.0-dev/Modified/DEBUG/OpenSSL

Thanks
Kunal

make[2]: Entering directory '/build/.cache/bazel/_bazel_envoybuild/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/2/execroot/envoy/bazel-out/k8-fastbuild/bin/bazel/foreign_cc/unicode_icu_build.build_tmpdir/tools/makeconv'
   (deps)  /build/.cache/bazel/_bazel_envoybuild/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/2/execroot/envoy/external/com_github_unicode_org_icu/icu4c/source/tools/makeconv/ucnvstat.c
   (deps)  /build/.cache/bazel/_bazel_envoybuild/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/2/execroot/envoy/external/com_github_unicode_org_icu/icu4c/source/tools/makeconv/makeconv.cpp
   (deps)  /build/.cache/bazel/_bazel_envoybuild/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/2/execroot/envoy/external/com_github_unicode_org_icu/icu4c/source/tools/makeconv/genmbcs.cpp
   (deps)  /build/.cache/bazel/_bazel_envoybuild/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/2/execroot/envoy/external/com_github_unicode_org_icu/icu4c/source/tools/makeconv/gencnvex.c
   gcc   ...  /build/.cache/bazel/_bazel_envoybuild/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/2/execroot/envoy/external/com_github_unicode_org_icu/icu4c/source/tools/makeconv/gencnvex.c
   gcc   ...  /build/.cache/bazel/_bazel_envoybuild/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/2/execroot/envoy/external/com_github_unicode_org_icu/icu4c/source/tools/makeconv/genmbcs.cpp
   gcc   ...  /build/.cache/bazel/_bazel_envoybuild/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/2/execroot/envoy/external/com_github_unicode_org_icu/icu4c/source/tools/makeconv/makeconv.cpp
   gcc   ...  /build/.cache/bazel/_bazel_envoybuild/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/2/execroot/envoy/external/com_github_unicode_org_icu/icu4c/source/tools/makeconv/ucnvstat.c
/usr/bin/gcc -U_FORTIFY_SOURCE -fstack-protector -Wall -Wunused-but-set-parameter -Wno-free-nonheap-object -fno-omit-frame-pointer -std=c++0x -fno-canonical-system-headers -Wno-builtin-macro-redefined -D__DATE__=redacted -D__TIMESTAMP__=redacted -D__TIME__=redacted -DABSL_MIN_LOG_LEVEL=4 -fPIC -Wno-deprecated-declarations -std=c++17 -fPIC -DU_CHARSET_IS_UTF8=1 -DU_USING_ICU_NAMESPACE=0 -DUCONFIG_ONLY_HTML_CONVERSION=1 -DUCONFIG_NO_LEGACY_CONVERSION=1 -DUCONFIG_NO_BREAK_ITERATION=1 -DUCONFIG_NO_COLLATION=1 -DUCONFIG_NO_FORMATTING=1 -DUCONFIG_NO_TRANSLITERATION=1 -DUCONFIG_NO_REGULAR_EXPRESSIONS=1 -W -Wall -pedantic -Wpointer-arith -Wwrite-strings -Wno-long-long   -fuse-ld=gold -Wl,-no-as-needed -Wl,-z,relro,-z,now -B/usr/bin -pass-exit-codes -lm -l:libstdc++.a -Wl,--gc-sections   -o ../../bin/makeconv gencnvex.o genmbcs.o makeconv.o ucnvstat.o -L../../lib -licutu -L../../lib -licui18n -L../../lib -licuuc -L../../stubdata -licudata -lpthread -lm
makeconv.o:makeconv.cpp:DW.ref.__gxx_personality_v0: error: undefined reference to '__gxx_personality_v0'
../../lib/libicuuc.a(umutex.ao):umutex.cpp:function std::mutex::lock(): error: undefined reference to 'std::__throw_system_error(int)'
../../lib/libicuuc.a(umutex.ao):umutex.cpp:function umtx_cleanup: error: undefined reference to 'std::condition_variable::~condition_variable()'
../../lib/libicuuc.a(umutex.ao):umutex.cpp:function umtx_init::{lambda()#2}::operator()() const: error: undefined reference to 'std::condition_variable::condition_variable()'
../../lib/libicuuc.a(umutex.ao):umutex.cpp:function icu_72::umtx_initImplPreInit(icu_72::UInitOnce&): error: undefined reference to 'std::condition_variable::wait(std::unique_lock<std::mutex>&)'
../../lib/libicuuc.a(umutex.ao):umutex.cpp:function icu_72::umtx_initImplPostInit(icu_72::UInitOnce&): error: undefined reference to 'std::condition_variable::notify_all()'
../../lib/libicuuc.a(umutex.ao):umutex.cpp:function std::call_once<void (&)()>(std::once_flag&, void (&)())::{lambda()#2}::operator()() const: error: undefined reference to 'std::__once_callable'
../../lib/libicuuc.a(umutex.ao):umutex.cpp:function void std::call_once<void (&)()>(std::once_flag&, void (&)()): error: undefined reference to 'std::__once_callable'
../../lib/libicuuc.a(umutex.ao):umutex.cpp:function void std::call_once<void (&)()>(std::once_flag&, void (&)()): error: undefined reference to 'std::__once_call'
../../lib/libicuuc.a(umutex.ao):umutex.cpp:function void std::call_once<void (&)()>(std::once_flag&, void (&)()): error: undefined reference to '__once_proxy'
../../lib/libicuuc.a(umutex.ao):umutex.cpp:function void std::call_once<void (&)()>(std::once_flag&, void (&)()): error: undefined reference to 'std::__throw_system_error(int)'
../../lib/libicuuc.a(umutex.ao):umutex.cpp:function std::unique_lock<std::mutex>::lock(): error: undefined reference to 'std::__throw_system_error(int)'
../../lib/libicuuc.a(umutex.ao):umutex.cpp:function std::unique_lock<std::mutex>::lock(): error: undefined reference to 'std::__throw_system_error(int)'
collect2: error: ld returned 1 exit status
make[2]: *** [Makefile:81: ../../bin/makeconv] Error 1
make[2]: Leaving directory '/build/.cache/bazel/_bazel_envoybuild/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/2/execroot/envoy/bazel-out/k8-fastbuild/bin/bazel/foreign_cc/unicode_icu_build.build_tmpdir/tools/makeconv'
make[1]: *** [Makefile:47: all-recursive] Error 2
make[1]: Leaving directory '/build/.cache/bazel/_bazel_envoybuild/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/2/execroot/envoy/bazel-out/k8-fastbuild/bin/bazel/foreign_cc/unicode_icu_build.build_tmpdir/tools'
make: *** [Makefile:153: all-recursive] Error 2
_____ END BUILD LOGS _____
rules_foreign_cc: Build wrapper script location: bazel-out/k8-fastbuild/bin/bazel/foreign_cc/unicode_icu_build_foreign_cc/wrapper_build_script.sh
rules_foreign_cc: Build script location: bazel-out/k8-fastbuild/bin/bazel/foreign_cc/unicode_icu_build_foreign_cc/build_script.sh
rules_foreign_cc: Build log location: bazel-out/k8-fastbuild/bin/bazel/foreign_cc/unicode_icu_build_foreign_cc/Configure.log

INFO: Elapsed time: 137.005s, Critical Path: 120.50s
INFO: 4 processes: 2 internal, 2 processwrapper-sandbox.
FAILED: Build did NOT complete successfully
Traceback (most recent call last):
  File "./tools/gen_compilation_database.py", line 139, in <module>
    fix_compilation_database(args, generate_compilation_database(args))
  File "./tools/gen_compilation_database.py", line 25, in generate_compilation_database
    subprocess.check_call([args.bazel, *bazel_startup_options, "build"] + bazel_options + [
  File "/usr/lib/python3.8/subprocess.py", line 364, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['bazel', 'build', '--config=compdb', '--remote_download_outputs=all', '--aspects=@bazel_compdb//:aspects.bzl%compilation_database_aspect', '--output_groups=compdb_files,header_files', '//source/...', '//test/...', '//contrib/...']' returned non-zero exitstatus 1.

Envoy Commit ID: ca5d45d
OS: linux(entered build container by ./ci/run_envoy_docker.sh /bin/bash)
Command: ./tools/gen_compilation_database.py

How do we select between this envoy-openssl project and maistra/envoy ?

Seems this https://github.com/maistra/envoy was maintained by Redhat but no way to submit issues or questions.

And also seems no new release in this year 2023 .

so what's the difference between these two projects ? And any pros and cons can be shared?

use run-build-container.sh, bazel build @bssl-compat//:bssl-compat has finised, but when I did "bazel build @envoy//:envoy" , has some error about code , below is failed log:
ERROR: /build/.cache/bazel/_bazel_root/b570b5ccd0454dc9af9f65ab1833764d/external/envoy/source/extensions/transport_sockets/tls/BUILD:142:17: Compiling source/extensions/transport_sockets/tls/context_impl.cc failed: (Exit 1): process-wrapper failed: error executing command
(cd /build/.cache/bazel/_bazel_root/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/4064/execroot/envoy_openssl &&
exec env -
BAZEL_COMPILER=clang
BAZEL_LINKLIBS=-l%:libstdc++.a
BAZEL_LINKOPTS=-lm
CC=clang
CXX=clang++
LLVM_CONFIG=/opt/llvm/bin/llvm-config
PATH=/opt/llvm/bin:/opt/llvm/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/proc/self/cwd
TMPDIR=/tmp
/build/.cache/bazel/_bazel_root/install/e63ada1a9406bff70c6efc9d97c3aeba/process-wrapper '--timeout=0' '--kill_delay=15' '--stats=/build/.cache/bazel/_bazel_root/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/4064/stats.out' /opt/llvm/bin/clang-14 -U_FORTIFY_SOURCE -fstack-protector -Wall -Wthread-safety -Wself-assign -Wunused-but-set-parameter -Wno-free-nonheap-object -fcolor-diagnostics -fno-omit-frame-pointer '-std=c++0x' -MD -MF bazel-out/k8-fastbuild/bin/external/envoy/source/extensions/transport_sockets/tls/_objs/context_lib/context_impl.pic.d '-frandom-seed=bazel-out/k8-fastbuild/bin/external/envoy/source/extensions/transport_sockets/tls/_objs/context_lib/context_impl.pic.o' -fPIC -DFMT_HEADER_ONLY -DSPDLOG_FMT_EXTERNAL -DENVOY_ADMIN_FUNCTIONALITY -DENVOY_ENABLE_HTTP_DATAGRAMS -DENVOY_MOBILE_ENABLE_LISTENER -DENVOY_MOBILE_STATS_REPORTING -DENVOY_MOBILE_REQUEST_COMPRESSION -DENVOY_GOOGLE_GRPC -DNGHTTP2_STATICLIB '-DBAZEL_CURRENT_REPOSITORY="envoy"' -iquote external/envoy -iquote bazel-out/k8-fastbuild/bin/external/envoy -iquote external/com_google_absl -iquote bazel-out/k8-fastbuild/bin/external/com_google_absl -iquote external/com_github_fmtlib_fmt -iquote bazel-out/k8-fastbuild/bin/external/com_github_fmtlib_fmt -iquote external/envoy_api -iquote bazel-out/k8-fastbuild/bin/external/envoy_api -iquote external/com_google_googleapis -iquote bazel-out/k8-fastbuild/bin/external/com_google_googleapis -iquote external/com_google_protobuf -iquote bazel-out/k8-fastbuild/bin/external/com_google_protobuf -iquote external/com_envoyproxy_protoc_gen_validate -iquote bazel-out/k8-fastbuild/bin/external/com_envoyproxy_protoc_gen_validate -iquote external/com_googlesource_code_re2 -iquote bazel-out/k8-fastbuild/bin/external/com_googlesource_code_re2 -iquote external/com_github_cncf_udpa -iquote bazel-out/k8-fastbuild/bin/external/com_github_cncf_udpa -iquote external/opencensus_proto -iquote bazel-out/k8-fastbuild/bin/external/opencensus_proto -iquote external/com_github_gabime_spdlog -iquote bazel-out/k8-fastbuild/bin/external/com_github_gabime_spdlog -iquote external/com_github_cyan4973_xxhash -iquote bazel-out/k8-fastbuild/bin/external/com_github_cyan4973_xxhash -iquote external/com_github_jbeder_yaml_cpp -iquote bazel-out/k8-fastbuild/bin/external/com_github_jbeder_yaml_cpp -iquote external/com_github_google_quiche -iquote bazel-out/k8-fastbuild/bin/external/com_github_google_quiche -iquote external/com_googlesource_googleurl -iquote bazel-out/k8-fastbuild/bin/external/com_googlesource_googleurl -iquote external/com_github_circonus_labs_libcircllhist -iquote bazel-out/k8-fastbuild/bin/external/com_github_circonus_labs_libcircllhist -Ibazel-out/k8-fastbuild/bin/external/com_google_protobuf/_virtual_includes/any_proto -Ibazel-out/k8-fastbuild/bin/external/com_google_protobuf/_virtual_includes/descriptor_proto -Ibazel-out/k8-fastbuild/bin/external/com_google_protobuf/_virtual_includes/duration_proto -Ibazel-out/k8-fastbuild/bin/external/com_google_protobuf/_virtual_includes/empty_proto -Ibazel-out/k8-fastbuild/bin/external/com_google_protobuf/_virtual_includes/struct_proto -Ibazel-out/k8-fastbuild/bin/external/com_google_protobuf/_virtual_includes/timestamp_proto -Ibazel-out/k8-fastbuild/bin/external/com_google_protobuf/_virtual_includes/wrappers_proto -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/common/_virtual_includes/logger_impl_lib_standard -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/common/_virtual_includes/thread_impl_lib_posix -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/api/_virtual_includes/os_sys_calls_lib -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/quic/platform/_virtual_includes/quiche_export_impl_lib -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/quic/platform/_virtual_includes/quiche_logging_impl_lib -Ibazel-out/k8-fastbuild/bin/external/com_github_google_quiche/_virtual_includes/quiche_common_platform_default_quiche_platform_impl_command_line_flags_impl_lib -Ibazel-out/k8-fastbuild/bin/external/com_github_google_quiche/_virtual_includes/quiche_common_platform_default_quiche_platform_impl_flag_utils_impl_lib -Ibazel-out/k8-fastbuild/bin/external/com_github_google_quiche/_virtual_includes/quiche_common_platform_default_quiche_platform_impl_reference_counted_impl_lib -Ibazel-out/k8-fastbuild/bin/external/com_github_google_quiche/_virtual_includes/quiche_common_platform_default_quiche_platform_impl_testvalue_impl_lib -Ibazel-out/k8-fastbuild/bin/external/com_github_google_quiche/virtual_includes/quiche_common_platform_default_quiche_platform_impl_time_utils_impl_lib -Ibazel-out/k8-fastbuild/bin/external/com_github_google_quiche/virtual_includes/quiche_common_platform_default_quiche_platform_impl_prefetch_impl_lib -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/quic/platform/virtual_includes/quic_base_impl_lib -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/quic/platform/virtual_includes/quiche_flags_impl_lib -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/quic/platform/virtual_includes/quiche_mem_slice_impl_lib -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/quic/platform/virtual_includes/quiche_platform_iovec_impl_lib -isystem external/com_github_fmtlib_fmt/include -isystem bazel-out/k8-fastbuild/bin/external/com_github_fmtlib_fmt/include -isystem external/com_google_protobuf/src -isystem bazel-out/k8-fastbuild/bin/external/com_google_protobuf/src -isystem bazel-out/k8-fastbuild/bin/external/envoy/bazel/foreign_cc/zlib/include -isystem external/com_github_gabime_spdlog/include -isystem bazel-out/k8-fastbuild/bin/external/com_github_gabime_spdlog/include -isystem bazel-out/k8-fastbuild/bin/external/bssl-compat/bssl-compat/include -isystem external/com_github_jbeder_yaml_cpp/include -isystem bazel-out/k8-fastbuild/bin/external/com_github_jbeder_yaml_cpp/include -isystem bazel-out/k8-fastbuild/bin/external/envoy/bazel/foreign_cc/event/include -isystem external/envoy/bazel/external/http_parser -isystem bazel-out/k8-fastbuild/bin/external/envoy/bazel/external/http_parser -isystem bazel-out/k8-fastbuild/bin/external/envoy/bazel/foreign_cc/nghttp2/include -isystem external/com_github_circonus_labs_libcircllhist/src -isystem bazel-out/k8-fastbuild/bin/external/com_github_circonus_labs_libcircllhist/src '-DABSL_MIN_LOG_LEVEL=4' -fPIC -Wno-deprecated-declarations '-std=c++17' -Wall -Wextra -Werror -Wnon-virtual-dtor -Woverloaded-virtual -Wold-style-cast -Wformat -Wformat-security -Wvla -Wno-deprecated-declarations -Wreturn-type -fno-limit-debug-info -Wgnu-conditional-omitted-operand -Wc++2a-extensions -Wrange-loop-analysis -DTCMALLOC -DENVOY_HANDLE_SIGNALS -DENVOY_OBJECT_TRACE_ON_DUMP -DENVOY_HOT_RESTART -DENVOY_ADMIN_HTML -DENVOY_STATIC_EXTENSION_REGISTRATION -DENVOY_GOOGLE_GRPC -no-canonical-prefixes -Wno-builtin-macro-redefined '-D__DATE="redacted"' '-D__TIMESTAMP="redacted"' '-D__TIME="redacted"' -c external/envoy/source/extensions/transport_sockets/tls/context_impl.cc -o bazel-out/k8-fastbuild/bin/external/envoy/source/extensions/transport_sockets/tls/objs/context_lib/context_impl.pic.o)
external/envoy/source/extensions/transport_sockets/tls/context_impl.cc:185:11: error: use of undeclared identifier 'SSL_CTX_set_custom_verify'; did you mean 'SSL_CTX_set_verify'?
SSL_CTX_set_custom_verify(ctx, verify_mode, customVerifyCallback);
^~~~~~~~~~~~~~~~~~~~~~~~~
SSL_CTX_set_verify
bazel-out/k8-fastbuild/bin/external/bssl-compat/bssl-compat/include/openssl/ssl.h:2539:21: note: 'SSL_CTX_set_verify' declared here
OPENSSL_EXPORT void SSL_CTX_set_verify(
^
external/envoy/source/extensions/transport_sockets/tls/context_impl.cc:185:55: error: cannot initialize a parameter of type 'int (*)(int, X509_STORE_CTX )' (aka 'int ()(int, ossl_x509_store_ctx_st *)') with an lvalue of type 'enum ssl_verify_result_t (SSL *, uint8_t *)' (aka 'ssl_verify_result_t (ossl_ssl_st *, unsigned char *)'): type mismatch at 1st parameter ('int' vs 'SSL *' (aka 'ossl_ssl_st *'))
SSL_CTX_set_custom_verify(ctx, verify_mode, customVerifyCallback);
^~~~~~~~~~~~~~~~~~~~
bazel-out/k8-fastbuild/bin/external/bssl-compat/bssl-compat/include/openssl/ssl.h:2540:35: note: passing argument to parameter 'callback' here
SSL_CTX *ctx, int mode, int (*callback)(int ok, X509_STORE_CTX *store_ctx));
^
external/envoy/source/extensions/transport_sockets/tls/context_impl.cc:186:11: error: use of undeclared identifier 'SSL_CTX_set_reverify_on_resume'; did you mean 'SSL_CTX_set_verify_depth'?
SSL_CTX_set_reverify_on_resume(ctx, /reverify_on_resume_enabled)=/1);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SSL_CTX_set_verify_depth
bazel-out/k8-fastbuild/bin/external/bssl-compat/bssl-compat/include/openssl/ssl.h:2616:21: note: 'SSL_CTX_set_verify_depth' declared here
OPENSSL_EXPORT void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth);
^
external/envoy/source/extensions/transport_sockets/tls/context_impl.cc:290:9: error: use of undeclared identifier 'SSL_CTX_set_private_key_method'
SSL_CTX_set_private_key_method(ctx.ssl_ctx.get(), private_key_method.get());
^
external/envoy/source/extensions/transport_sockets/tls/context_impl.cc:473:14: error: use of undeclared identifier 'ssl_verify_retry'
return ssl_verify_retry;
^
external/envoy/source/extensions/transport_sockets/tls/context_impl.cc:480:18: error: use of undeclared identifier 'ssl_verify_ok'
? ssl_verify_ok
^
external/envoy/source/extensions/transport_sockets/tls/context_impl.cc:481:18: error: use of undeclared identifier 'ssl_verify_invalid'
: ssl_verify_invalid;
^
external/envoy/source/extensions/transport_sockets/tls/context_impl.cc:493:12: error: use of undeclared identifier 'ssl_verify_ok'
return ssl_verify_ok;
^
external/envoy/source/extensions/transport_sockets/tls/context_impl.cc:495:12: error: use of undeclared identifier 'ssl_verify_retry'
return ssl_verify_retry;
^
external/envoy/source/extensions/transport_sockets/tls/context_impl.cc:500:12: error: use of undeclared identifier 'ssl_verify_invalid'
return ssl_verify_invalid;
^
10 errors generated.
Target @envoy//source/exe:envoy-static failed to build
INFO: Elapsed time: 2596.516s, Critical Path: 78.47s
INFO: 7968 processes: 3890 internal, 1 local, 4076 processwrapper-sandbox, 1 worker.
FAILED: Build did NOT complete successfully
root@localhost:/source# bazel clean --expunge
INFO: Starting clean (this may take a while). Consider using --async if the clean takes more than several minutes.
INFO: Multiplexer process for Javac has closed its output stream
root@localhost:/source# bazel build @bssl-compat//:bssl-compat
Starting local Bazel server and connecting to it...
INFO: Analyzed target @bssl-compat//:bssl-compat (116 packages loaded, 6989 targets configured).
INFO: Found 1 target...
Target @bssl-compat//:bssl-compat up-to-date:
bazel-bin/external/bssl-compat/bssl-compat/include
bazel-bin/external/bssl-compat/bssl-compat/lib/libbssl-compat.a
bazel-bin/external/bssl-compat/copy_bssl-compat/bssl-compat
INFO: Elapsed time: 642.919s, Critical Path: 624.38s
INFO: 4 processes: 3 internal, 1 processwrapper-sandbox.
INFO: Build completed successfully, 4 total actions
root@localhost:/source# bazel build @envoy//:envoy
INFO: Analyzed target @envoy//:envoy (797 packages loaded, 37215 targets configured).
INFO: Found 1 target...
INFO: From Compiling src/google/protobuf/compiler/cpp/helpers.cc [for tool]:
external/com_google_protobuf/src/google/protobuf/compiler/cpp/helpers.cc:197:25: warning: unused function 'VerifyInt32TypeToVerifyCustom' [-Wunused-function]
inline VerifySimpleType VerifyInt32TypeToVerifyCustom(VerifyInt32Type t) {
^
1 warning generated.
INFO: From Executing genrule @io_opentracing_cpp//:generate_version_h:
-- The C compiler identification is Clang 14.0.0
-- The CXX compiler identification is Clang 14.0.0
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: /opt/llvm/bin/clang - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Check for working CXX compiler: /opt/llvm/bin/clang++ - skipped
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- clang-tidy found: /opt/llvm/bin/clang-tidy
-- Configuring done (0.7s)
-- Generating done (0.0s)
-- Build files have been written to: /tmp/tmp.sn2kWd37J2
-- Cache values
BUILD_DYNAMIC_LOADING:BOOL=ON
BUILD_MOCKTRACER:BOOL=OFF
BUILD_SHARED_LIBS:BOOL=ON
BUILD_STATIC_LIBS:BOOL=ON
BUILD_TESTING:BOOL=OFF
CLANG_TIDY_EXE:FILEPATH=/opt/llvm/bin/clang-tidy
CMAKE_BUILD_TYPE:STRING=
CMAKE_INSTALL_PREFIX:PATH=/usr/local
ENABLE_LINTING:BOOL=ON
ERROR: /build/.cache/bazel/_bazel_root/b570b5ccd0454dc9af9f65ab1833764d/external/envoy/source/extensions/transport_sockets/tls/BUILD:43:17: Compiling source/extensions/transport_sockets/tls/ssl_handshaker.cc failed: (Exit 1): process-wrapper failed: error executing command
(cd /build/.cache/bazel/_bazel_root/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/3314/execroot/envoy_openssl &&
exec env -
BAZEL_COMPILER=clang
BAZEL_LINKLIBS=-l%:libstdc++.a
BAZEL_LINKOPTS=-lm
CC=clang
CXX=clang++
LLVM_CONFIG=/opt/llvm/bin/llvm-config
PATH=/opt/llvm/bin:/opt/llvm/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/proc/self/cwd
TMPDIR=/tmp
/build/.cache/bazel/_bazel_root/install/e63ada1a9406bff70c6efc9d97c3aeba/process-wrapper '--timeout=0' '--kill_delay=15' '--stats=/build/.cache/bazel/_bazel_root/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/3314/stats.out' /opt/llvm/bin/clang-14 -U_FORTIFY_SOURCE -fstack-protector -Wall -Wthread-safety -Wself-assign -Wunused-but-set-parameter -Wno-free-nonheap-object -fcolor-diagnostics -fno-omit-frame-pointer '-std=c++0x' -MD -MF bazel-out/k8-fastbuild/bin/external/envoy/source/extensions/transport_sockets/tls/_objs/ssl_handshaker_lib/ssl_handshaker.pic.d '-frandom-seed=bazel-out/k8-fastbuild/bin/external/envoy/source/extensions/transport_sockets/tls/_objs/ssl_handshaker_lib/ssl_handshaker.pic.o' -fPIC -DFMT_HEADER_ONLY -DSPDLOG_FMT_EXTERNAL -DENVOY_ADMIN_FUNCTIONALITY -DENVOY_ENABLE_HTTP_DATAGRAMS -DENVOY_MOBILE_ENABLE_LISTENER -DENVOY_MOBILE_STATS_REPORTING -DENVOY_MOBILE_REQUEST_COMPRESSION -DENVOY_GOOGLE_GRPC -DNGHTTP2_STATICLIB '-DBAZEL_CURRENT_REPOSITORY="envoy"' -iquote external/envoy -iquote bazel-out/k8-fastbuild/bin/external/envoy -iquote external/com_google_absl -iquote bazel-out/k8-fastbuild/bin/external/com_google_absl -iquote external/com_github_fmtlib_fmt -iquote bazel-out/k8-fastbuild/bin/external/com_github_fmtlib_fmt -iquote external/envoy_api -iquote bazel-out/k8-fastbuild/bin/external/envoy_api -iquote external/com_google_googleapis -iquote bazel-out/k8-fastbuild/bin/external/com_google_googleapis -iquote external/com_google_protobuf -iquote bazel-out/k8-fastbuild/bin/external/com_google_protobuf -iquote external/com_envoyproxy_protoc_gen_validate -iquote bazel-out/k8-fastbuild/bin/external/com_envoyproxy_protoc_gen_validate -iquote external/com_googlesource_code_re2 -iquote bazel-out/k8-fastbuild/bin/external/com_googlesource_code_re2 -iquote external/com_github_cncf_udpa -iquote bazel-out/k8-fastbuild/bin/external/com_github_cncf_udpa -iquote external/opencensus_proto -iquote bazel-out/k8-fastbuild/bin/external/opencensus_proto -iquote external/com_github_gabime_spdlog -iquote bazel-out/k8-fastbuild/bin/external/com_github_gabime_spdlog -iquote external/com_github_cyan4973_xxhash -iquote bazel-out/k8-fastbuild/bin/external/com_github_cyan4973_xxhash -iquote external/com_github_jbeder_yaml_cpp -iquote bazel-out/k8-fastbuild/bin/external/com_github_jbeder_yaml_cpp -iquote external/com_github_google_quiche -iquote bazel-out/k8-fastbuild/bin/external/com_github_google_quiche -iquote external/com_googlesource_googleurl -iquote bazel-out/k8-fastbuild/bin/external/com_googlesource_googleurl -iquote external/com_github_circonus_labs_libcircllhist -iquote bazel-out/k8-fastbuild/bin/external/com_github_circonus_labs_libcircllhist -Ibazel-out/k8-fastbuild/bin/external/com_google_protobuf/_virtual_includes/any_proto -Ibazel-out/k8-fastbuild/bin/external/com_google_protobuf/_virtual_includes/descriptor_proto -Ibazel-out/k8-fastbuild/bin/external/com_google_protobuf/_virtual_includes/duration_proto -Ibazel-out/k8-fastbuild/bin/external/com_google_protobuf/_virtual_includes/empty_proto -Ibazel-out/k8-fastbuild/bin/external/com_google_protobuf/_virtual_includes/struct_proto -Ibazel-out/k8-fastbuild/bin/external/com_google_protobuf/_virtual_includes/timestamp_proto -Ibazel-out/k8-fastbuild/bin/external/com_google_protobuf/_virtual_includes/wrappers_proto -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/common/_virtual_includes/logger_impl_lib_standard -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/common/_virtual_includes/thread_impl_lib_posix -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/api/_virtual_includes/os_sys_calls_lib -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/quic/platform/_virtual_includes/quiche_export_impl_lib -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/quic/platform/_virtual_includes/quiche_logging_impl_lib -Ibazel-out/k8-fastbuild/bin/external/com_github_google_quiche/_virtual_includes/quiche_common_platform_default_quiche_platform_impl_command_line_flags_impl_lib -Ibazel-out/k8-fastbuild/bin/external/com_github_google_quiche/_virtual_includes/quiche_common_platform_default_quiche_platform_impl_flag_utils_impl_lib -Ibazel-out/k8-fastbuild/bin/external/com_github_google_quiche/_virtual_includes/quiche_common_platform_default_quiche_platform_impl_reference_counted_impl_lib -Ibazel-out/k8-fastbuild/bin/external/com_github_google_quiche/_virtual_includes/quiche_common_platform_default_quiche_platform_impl_testvalue_impl_lib -Ibazel-out/k8-fastbuild/bin/external/com_github_google_quiche/virtual_includes/quiche_common_platform_default_quiche_platform_impl_time_utils_impl_lib -Ibazel-out/k8-fastbuild/bin/external/com_github_google_quiche/virtual_includes/quiche_common_platform_default_quiche_platform_impl_prefetch_impl_lib -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/quic/platform/virtual_includes/quic_base_impl_lib -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/quic/platform/virtual_includes/quiche_flags_impl_lib -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/quic/platform/virtual_includes/quiche_mem_slice_impl_lib -Ibazel-out/k8-fastbuild/bin/external/envoy/source/common/quic/platform/virtual_includes/quiche_platform_iovec_impl_lib -isystem external/com_github_fmtlib_fmt/include -isystem bazel-out/k8-fastbuild/bin/external/com_github_fmtlib_fmt/include -isystem external/com_google_protobuf/src -isystem bazel-out/k8-fastbuild/bin/external/com_google_protobuf/src -isystem bazel-out/k8-fastbuild/bin/external/envoy/bazel/foreign_cc/zlib/include -isystem external/com_github_gabime_spdlog/include -isystem bazel-out/k8-fastbuild/bin/external/com_github_gabime_spdlog/include -isystem bazel-out/k8-fastbuild/bin/external/bssl-compat/bssl-compat/include -isystem external/com_github_jbeder_yaml_cpp/include -isystem bazel-out/k8-fastbuild/bin/external/com_github_jbeder_yaml_cpp/include -isystem bazel-out/k8-fastbuild/bin/external/envoy/bazel/foreign_cc/event/include -isystem external/envoy/bazel/external/http_parser -isystem bazel-out/k8-fastbuild/bin/external/envoy/bazel/external/http_parser -isystem bazel-out/k8-fastbuild/bin/external/envoy/bazel/foreign_cc/nghttp2/include -isystem external/com_github_circonus_labs_libcircllhist/src -isystem bazel-out/k8-fastbuild/bin/external/com_github_circonus_labs_libcircllhist/src '-DABSL_MIN_LOG_LEVEL=4' -fPIC -Wno-deprecated-declarations '-std=c++17' -Wall -Wextra -Werror -Wnon-virtual-dtor -Woverloaded-virtual -Wold-style-cast -Wformat -Wformat-security -Wvla -Wno-deprecated-declarations -Wreturn-type -fno-limit-debug-info -Wgnu-conditional-omitted-operand -Wc++2a-extensions -Wrange-loop-analysis -DTCMALLOC -DENVOY_HANDLE_SIGNALS -DENVOY_OBJECT_TRACE_ON_DUMP -DENVOY_HOT_RESTART -DENVOY_ADMIN_HTML -DENVOY_STATIC_EXTENSION_REGISTRATION -DENVOY_GOOGLE_GRPC -no-canonical-prefixes -Wno-builtin-macro-redefined '-D__DATE="redacted"' '-D__TIMESTAMP="redacted"' '-D__TIME="redacted"' -c external/envoy/source/extensions/transport_sockets/tls/ssl_handshaker.cc -o bazel-out/k8-fastbuild/bin/external/envoy/source/extensions/transport_sockets/tls/_objs/ssl_handshaker_lib/ssl_handshaker.pic.o)
external/envoy/source/extensions/transport_sockets/tls/ssl_handshaker.cc:98:10: error: use of undeclared identifier 'SSL_ERROR_WANT_PRIVATE_KEY_OPERATION'
case SSL_ERROR_WANT_PRIVATE_KEY_OPERATION:
^
external/envoy/source/extensions/transport_sockets/tls/ssl_handshaker.cc:99:10: error: use of undeclared identifier 'SSL_ERROR_WANT_CERTIFICATE_VERIFY'
case SSL_ERROR_WANT_CERTIFICATE_VERIFY:
^
2 errors generated.
Target @envoy//source/exe:envoy-static failed to build
INFO: Elapsed time: 1532.124s, Critical Path: 47.83s
INFO: 6132 processes: 2819 internal, 1 local, 3311 processwrapper-sandbox, 1 worker.
FAILED: Build did NOT complete successfully

Hi everyone, firstly apologies if this is the wrong place to open a discussion on this. I referenced previous work done by the /envoy-openssl integration project in attempting to port BoringSSL into Envoy, and I think we ran into a lot of similar issues, at least according to the roadmap published.

What I'm Trying To Do

I'm currently working on an open source implementation of a post-quantum enabled service mesh. This effort is in 3 parts:

• Nginx-oqs (finished in march of this year)
• Envoy (in progress)
• Istio (contingent on completion of envoy)

Nginx was fairly straightforward to port the OpenSSL-OQS fork, but Envoy is giving me some trouble. Envoy is incompatible with OpenSSL (there is a team working on fixing this currently), so I had to use the BoringSSL-OQS fork

How I'm Doing it

To update BoringSSL for envoy, specifically the "main-with-bazel" branch must be used:

The last updated Boringssl-OQS main-with-bazel was from 2019, so I forked it and added the siphash.h file needed by Envoy.

A few other modifications I needed to make in the Envoy fork I'm modifying:

• Disable jwt-auth
• Disable QUIC to side-step Quiche compatibility issues

Envoy successfully builds with my modifications

Here are the commands I used to generate the self-signed CA cert and the server cert as per the instructions on the OpenSSL-OQS page. I have tried them with all combinations of standard/OQS/hybrid for both the CA cert and the server cert

/usr/local/openssl/apps/openssl req -x509 -new -newkey rsa:2048 -keyout root_CA.key -out root_CA.crt -nodes -subj "/CN=oqstest CA" -days 365 -config /usr/local/openssl/apps/openssl.cnf

/usr/local/openssl/apps/openssl req -new -newkey rsa3072_dilithium2 -keyout serverkey.key -out servercsr.csr -nodes -subj "/CN=oqstest server" -config /usr/local/openssl/apps/openssl.cnf

/usr/local/openssl/apps/openssl x509 -req -in servercsr.csr -out servercert.crt -CA root_CA.crt -CAkey root_CA.key -CAcreateserial -days 365  

How It's Working: Standard RSA

I can confirm my build works by passing RSA certs and keys generated using the OQS-OpenSSL fork. The HTTPS server successfully performs the TLS handshake, and I am able to reach HTTP upstream.

How It's Not Working 1: "Cannot Load Certificate Chain"

If I pass the (hybrid or OQS) server cert to Envoy, I get this error:

I have tracked it down to this portion of the Envoy source code:

Here is a diagram of the functions and their locations in the Envoy and BoringSSL source code:

How It's Not Working 2: "Unsupported Algorithm"

If I pass the (RSA) root CA cert to Envoy with the (hybrid or OQS) key, I am faced with this error instead

Questions

If anyone is curious and wants to reproduce this, the instructions are on this repo I have set up.

At this point, I feel like there may be something catastrophically important I'm missing about either BoringSSL/OpenSSL, Envoy, or just software development in general

I would love any and all feedback/advice/thoughts/criticism about why this may be happening, and what I can do to fix this

If the utests binary is executed directly, there are a couple of tests which fail:

[ FAILED ] All/BIOPairTest.TestPair/0, where GetParam() = false
[ FAILED ] All/BIOPairTest.TestPair/1, where GetParam() = true

whereas if they are run via ctest, they all pass.

The last few days I looked into the project and tried to build locally. I initally tried to build it on my local system but noticed that there were some problems that are probably much easier in a separate environment.

After trying a custom container and building envoyproxy/envoy-build-ubuntu referenced in the envoy documentation, I still have not succeeded in building the reverse proxy with OpenSSL support. I managed to bypass errors, such as envoyproxy/envoy-build-ubuntu not having exported the path to clang and some "missing" folders but I always end up with bssl not building.

What is the proper build environment/container for this project?

Here's a high-level roadmap for the project.

• Make boringssl-based TLS extensions fully unpluggable
  • envoyproxy/envoy#7377
• Move TLS extensions into envoy-openssl
  • https://github.com/Maistra/envoy-openssl/tree/maistra-0.12
  • https://github.com/rojkov/envoy-openssl/tree/openssl-as-3d-party-extension
• Convert the crypto library, etc. to an extension and implement one based on OpenSSL
  • envoyproxy/envoy#7344
• Implement OpenSSL patches for jwt-verify, quiche, etc.
  • https://github.com/bdecoste/jwt_verify_lib
  • https://github.com/rojkov/envoy-openssl/blob/openssl-as-3d-party-extension/jwt_verify-make-compatible-with-openssl.patch (preferred pattern)
• Implement a build and test pipeline which is triggered on commits into the main envoy project
  • Pull latest Envoy before building
• Implement tests in the main envoy project to prevent spillage of SSL related code into classes which don't have proper SSL abstractions/extension mechanisms

/cc @envoyproxy/openssl-dev

Feel free to add/edit.

The build fails for me early on due to:

WARNING: Download from https://github.com/unicode-org/icu/archive/release-64-2.tar.gz failed: class com.google.devtools.build.lib.bazel.repository.downloader.UnrecoverableHttpException Checksum was 65271a83fa81783d1272553f4564965ac2e32535a58b0b8141e9f4003afb0e3a but wanted 524960ac99d086cdb6988d2a92fc163436fd3c6ec0a84c475c6382fbf989be05 ERROR: An error occurred during the fetch of repository 'org_unicode_icuuc': java.io.IOException: Error downloading [https://github.com/unicode-org/icu/archive/release-64-2.tar.gz] to /home/carmiac/.cache/bazel/_bazel_carmiac/2f6c9d8c4610bca649831f6411514c8c/external/org_unicode_icuuc/release-64-2.tar.gz: Checksum was 65271a83fa81783d1272553f4564965ac2e32535a58b0b8141e9f4003afb0e3a but wanted 524960ac99d086cdb6988d2a92fc163436fd3c6ec0a84c475c6382fbf989be05 ERROR: /home/carmiac/.cache/bazel/_bazel_carmiac/2f6c9d8c4610bca649831f6411514c8c/external/com_googlesource_googleurl/url/BUILD:6:11: @com_googlesource_googleurl//url:url depends on @org_unicode_icuuc//:common in repository @org_unicode_icuuc which failed to fetch. no such package '@org_unicode_icuuc//': java.io.IOException: Error downloading [https://github.com/unicode-org/icu/archive/release-64-2.tar.gz] to /home/carmiac/.cache/bazel/_bazel_carmiac/2f6c9d8c4610bca649831f6411514c8c/external/org_unicode_icuuc/release-64-2.tar.gz: Checksum was 65271a83fa81783d1272553f4564965ac2e32535a58b0b8141e9f4003afb0e3a but wanted 524960ac99d086cdb6988d2a92fc163436fd3c6ec0a84c475c6382fbf989be05 ERROR: Analysis of target '//:envoy' failed; build aborted: Analysis failed

What is the current status of this repo? I see recent commits, but is this library ready to be used? If not, what are the gaps? How can I monitor progress (team meeting link is private)

Which verison of OpenSSL will have QUIC support?

https://youtu.be/cdb7M37o9sU

RHEL 9 releases with OpenSSL 3.0.0 and we need a sanity check to look for conflicts

The bssl-compat/patch/ directory contains manually maintained patch files that get applied to BoringSSL headers and sources that we copy into the build.

This issue should add a target o the cmake build system that will update those patch files.

As title ,
Does anyone can help give some comments for this OpenSSL 3.0 support in envoy-openssl ? And also did this project support the FIPS140-3 already ?

The current Azure Pipeline configuration only runs the verify step. The build and test steps have been disabled as they reference dependencies incorrectly.

The right solution is to use the Envoy Docker CI image to run these steps. This again needs some work in getting the build to refer to the correct OpenSSL files.

• 24-hour embargo, self-merge OK

The prefixer is failing to identify some functions as being prefixable, so it's not generating the lookup, function pointer and wrapper function for them.

e.g. ASN1_IA5STRING_new()

currently we plan to use the envoyproxy/envoy-openssl repository.

• Classes we will own for OpenSSL (tls/extensions folders)
• Library Code (wrappers, abstractions)
• Build Related files (patches/build scripts to automate releases)
• Documentation ( build instructions in README.md, release information)
• maintain analysis.md
• CONTRIBUTING.md

envoy-openssl hasn't had a check-in in over 2 years; there is probably much to learn from what's gone before, and yet we would like to start fresh.

• archive legacy code in a branch so we can continue to refer to it.
• rebase envoyproxy/envoy-openssl/source/extensions to v 1.22
• establish contributing guidelines, document in CONTRIBUTING.md

Hi All,

We are facing build issue on s390x and please find the below error and we faced this while building "bssl-compat".
Let me know if we have any s390x specific build steps.

[  3%] Building CXX object CMakeFiles/utests-boring.dir/source/test/test_x509.cc.o
In file included from /root/envoy-openssl/bssl-compat/source/test/test_x509.cc:7:
/root/envoy-openssl/bssl-compat/build/source/crypto/test/test_util.h:29:10: fatal error: '../internal.h' file not found
#include "../internal.h"
         ^~~~~~~~~~~~~~~
1 error generated.
make[2]: *** [CMakeFiles/utests-boring.dir/build.make:384: CMakeFiles/utests-boring.dir/source/test/test_x509.cc.o] Error 1
make[1]: *** [CMakeFiles/Makefile2:168: CMakeFiles/utests-boring.dir/all] Error 2
make: *** [Makefile:146: all] Error 2

envoy-openssl has been dormant for 2 years; this is to revive the project disciplines

• create & configure github project
• label legacy issues & park them for review
• add issues & create kb cards from design doc
• invite team members to assign themselves
• associate first tranche of tasks to milestone 1

New use cases that do not have tests

Testing

• Can we leverage upstream tests.
• Increase test granularity.
• Comprehensive test coverage.

Building

• Necessary git hub actions
• Automated ASAN, integrity checks.

• note out to everyone w a deadline to make comments
• incorporate 1st part of design in 1st milestone of project document
• collect & incorporate comments
• memorialize in DESIGN.md

reworked bssl-wrapper without bazel using CMake to serve as the starting point for the compatibility library work put on github