-
Notifications
You must be signed in to change notification settings - Fork 30
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use OpenSSL 1.0.2 for Connext on MacOS #436
Conversation
@mikaelarguedas am I correct that this modified version of my branch is using OpenSSL 1.0.2 from Homebrew rather than the one distributed by Connext? I have two concerns if that's the case. First I'm not sure when homebrew will drop that OpenSSL version and second it's not guaranteed that Connext will continue to work with that version rather than the one they distribute. |
Yes
That's a valid concern
I'm not sure I got this concern. the deb of connext is not changing so it will keep supporting it. If Connext version finally gets updated it means we will be able to use 1.1.1 and drop the use of the EOL one. I'm fine using the version provided by RTI as well. I chose to use the homebrew one as this is the only thing that's available on all workers and easily testable for us not managing these machines. I'm 👍 for any approach that gets us to the point where we can test security changes for Foxy |
Looks like Homebrew already dropped |
Testing this with 1 minor tweak to the path and with osrf/homebrew-ros2#8 which has been installed onto mini1. Just |
Test results look ok using osrf/homebrew-ros2#8. @clalancette was asking why roll a homebrew formula instead of use the RTI provided openssl. It seems like there should be some file called @mikaelarguedas @nuclearsandwich @dirk-thomas do you know how to get access to the connext build of OpenSSL 1.0.2? If not, I'm inclined to move forward with osrf/homebrew-ros2#8. |
Yes I believe that's what @nuclearsandwich tried with the first commit of this PR (ros2/system_tests#409 (comment)). But there were still the security failures. As I didnt know which machines had the connext openssl installed, I used the homebrew one because I could see from the job logs that is was installed on all nodes. I do not know where @nuclearsandwich found the rtipkgs for MacOS |
Since ros2/system_tests#409 has been merged I'll install openssl using osrf/homebrew-ros2#8 and set |
Seems the variables in |
I'm guessing that OSRF keeps a local archive of such files, but if you've lost them then you could use the support account that RTI presumably gave to OSRF to download the openssl Two days ago they updated the support portal to rename accounts via |
@ruffsl @mikaelarguedas what generates the
permissions.p7s validity section
Current date on mini1
Is the |
oh this is a new one then. These files are generated by sros2. As the tests were failing before that was merged, I would imagine you'll uncover another failure mode after this one. |
Is there some logic in checking for daylights savings time or leap seconds that is tripping up MacOS? https://www.timeanddate.com/worldclock/converter.html?iso=20200506T193329&p1=tz_pt&p2=1440
The mini1's local clock should read after 12:33pm PDT when the cert is created. |
It probably did read 12:33pm. I would interpret the difference between 13:30 and 12:33 as from the time I ran the build it took 57 minutes until I was ready to write a comment on github.
It works 🎉 All |
@sloretz is this ready for merge then ? or are there some failing tests that arose since? |
I think we could close this one. The OSX machines are setup with the |
That's great news! Do you know when this change is expected to take effect? Apparently the nightlies |
Which nightly has the failing tests? AFAIK all machines are set up this way already. |
Strange, this one happened on mini3, and it looks like it couldn't open
but the |
A while back .bashrc and bash_profile didn't take effect in Jenkins, this is why defining variables in here was needed. Maybe this is still the case. |
@sloretz friendly ping: is there anything we can do to move this forward ? Maybe by installing the openssl 1.0 bottle you built? or by modifying this PR to point the variables to the installation location of RTI's OpenSSL ? |
@jacobperron will pick it up from here |
@jacobperron any update on this ? This seems to still be the source of failing tests. If provided the path to the connext security plugins install location on the macOS machines, I can update this PR to point to it and it should hopefully fix all the failing cc @kyrofa |
@mikaelarguedas Thanks for the bump. It dropped from my radar. I'll take a look today. |
@mikaelarguedas I believe the location of the missing dylib (
|
I gave that a try with f095669. |
@mikaelarguedas I've updated the path to the RTI OpenSSL libraries on lore. Please try again. |
Connext 5.3.1 requires an older version of openssl which is no longer available from the system macOS installation. Connext supplies a compatible openssl distribution and ros2/system_tests#409 sets up a convention for using it only for the security tests which require it when running with Connext. Signed-off-by: Steven! Ragnarök <[email protected]>
Signed-off-by: Mikael Arguedas <[email protected]>
Signed-off-by: Mikael Arguedas <[email protected]>
Signed-off-by: Mikael Arguedas <[email protected]>
Signed-off-by: Mikael Arguedas <[email protected]>
9801505
to
2a0eccd
Compare
Thank you @jacobperron! @mikaelarguedas, thank you for your continued efforts. |
Without this, Connext cannot use the security plugins: ros2/build_farmer#269
Mini2:
Lore:
Mini3:
Not sure what's going on on mini3, It shows the exact same error as the other ones without this patch applied (e.g. nightly on lore https://ci.ros2.org/view/nightly/job/nightly_osx_release/1620/).
it doesn't have the same OpenSSL version as the other ones (1.0.2s vs 1.0.2t), maybe that's part of the reason ?
Tested with #421