Add ability statically link OpenSSL #80380
Tagging subscribers to this area: @agocke, @MichalStrehovsky, @jkotas
Issue Details
This setup works if I apply this as local customizations. I am not sure that I use OpenSSL in the most secure way; I am not competent. This setup and StaticExecutable=true allow packaging just the EXE file + the /etc/ssl/certs/ folder in Docker.
@@ -87,6 +95,8 @@ The .NET Foundation licenses this file to you under the MIT license. | |||
<Exec Command="$(IlcHostPackagePath)/native/src/libs/System.Globalization.Native/local_build.sh $(IlcHostPackagePath)/ $(IntermediateOutputPath)" Condition="'$(StaticICULinking)' == 'true'"/> | |||
<Exec Command="$(IlcHostPackagePath)/native/src/libs/System.Security.Cryptography.Native/local_build.sh $(IlcHostPackagePath)/ $(IntermediateOutputPath)" Condition="'$(StaticOpenSslLinking)' == 'true'"/> |
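Review bot: the new Exec for System.Security.Cryptography.Native/local_build.sh is a near-copy of the ICU line above it, differing only in the library directory and the StaticOpenSslLinking condition; one shared script that takes the library name as an argument would avoid keeping two copies in sync. Also, the local_build.sh under System.Security.Cryptography.Native that this Exec references does not appear in the diff, so the target fails as soon as StaticOpenSslLinking is set unless the script is added.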
local_build.sh file missing in the PR?
Oops. But it's the same as in Globalization work basically.
same as in Globalization
Maybe we should have just one script and pass the library to build as an argument?
This change would mean any Microsoft product using AOT would have to get a cryptoboard exception. Statically linking OpenSSL is arguably rather bad security. So many products out there in routers, IoT devices etc. cannot even manage to update dynamically linked OpenSSL; a static linkage makes its use even more hidden. From a compliance and security PoV I'd reject this. Has there been a wider discussion I've missed, or is it just this PR?
For perspective on why I was adding this change: I was thinking of having the application as a single EXE file running inside Docker containers built from the scratch image. If an update is needed, then the Docker container is recreated. I do not consider that this would be used in different contexts.
@blowdart That's not correct. This change is not changing any default. The AOT build is going to dynamically link OpenSSL by default both before and after this change. This change is adding an option to allow static linking. This is an expert-only option. It requires acquiring extra dependencies and it mirrors what we have done for other libraries (ICU). I do not expect that we are going to document this option in official documentation. The community has always been interested in having an option to statically link everything together to build "from scratch" container images, etc. This small change makes this niche scenario a bit easier.
It depends on how you orchestrate your deployment pipeline. If your deployment pipeline fully rebuilds your containers for updates, there is little difference between dynamic and static linking security-wise. You have to always rebuild your container to pick up an OpenSSL update in both cases. The only difference between these two cases is performance characteristics.
This is a follow-up on #79498
Oh dear, ok, then any AOT compiled app which opts in will need a cryptoboard exception, before or after this, sigh. Does the documentation call this sort of thing out with a large warning/caveat anywhere?
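A defender-side inventory check for the point raised above (a statically linked OpenSSL is harder to find and is not patched by the OS package update), added here as an example that is not part of this PR or of the dotnet/runtime repository. It assumes only POSIX sh and grep and uses a heuristic: a binary that names libssl.so or libcrypto.so is served by the system library, while one that carries the OpenSSL version banner but no such name has the library compiled in and needs a rebuild when OpenSSL is patched.

```shell
#!/bin/sh
# Added example (not from the PR): heuristic inventory of which ELF binaries
# carry their own copy of OpenSSL, so they are known to need a rebuild and
# redeploy when an OpenSSL fix ships. Assumes only POSIX sh, grep and printf.

# Classify one file:
#   dynamic - the binary references libssl.so / libcrypto.so by name
#             (DT_NEEDED or a dlopen string), so the OS package update
#             reaches it
#   static  - no such reference, but the version banner that libcrypto
#             embeds (OPENSSL_VERSION_TEXT, e.g. "OpenSSL 3.0.8 ...") is
#             present, so the library is compiled in
#   none    - no sign of OpenSSL at all
openssl_linkage() {
    f="$1"
    if grep -a -q -e 'libssl\.so' -e 'libcrypto\.so' "$f"; then
        echo dynamic
    elif grep -a -q 'OpenSSL [0-9][0-9.]*[a-z]*' "$f"; then
        echo static
    else
        echo none
    fi
}

# Extract the embedded version so the scan output can be matched against
# the advisory that forces the rebuild; "unknown" if no banner is found.
openssl_version_in() {
    v=$(grep -a -o 'OpenSSL [0-9][0-9.]*[a-z]*' "$1" | head -n1)
    echo "${v:-unknown}"
}

# Walk the files given on the command line (e.g. the contents of a scratch
# container image) and print one "path<TAB>version" line per binary that
# embeds OpenSSL; dynamically linked and unrelated files are skipped.
scan_for_static_openssl() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        if [ "$(openssl_linkage "$f")" = static ]; then
            printf '%s\t%s\n' "$f" "$(openssl_version_in "$f")"
        fi
    done
}
```

Run it over the extracted files of a container image (or a fleet's /usr/bin) and feed the listed paths into the rebuild list whenever an OpenSSL advisory lands.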
src/native/libs/build-local.sh
# The .NET Foundation licenses this file to you under the MIT license. | ||
# | ||
# This script is used only for building libSystem.Security.Cryptography.Native.a |
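Review bot: the header comment "This script is used only for building libSystem.Security.Cryptography.Native.a" is out of date once the script lives at src/native/libs/build-local.sh and builds whichever library it is handed; reword it to describe the generic purpose (building a native shim library as a static archive for local static linking) instead of naming a single output file.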
Outdated comment
No AOT compiled app shipped by Microsoft should be opting into this.
This option is not documented at all today. You have to find it in the source. We can certainly add documentation for this with a disclaimer, but it is only going to make the option more discoverable, and I expect that more people will try to use it.
src/native/libs/build-local.sh
if [ -d "$SHIM_SOURCE_DIR" ]; then | ||
LOCAL_SHIM_DIR="$INTERMEDIATE_OUTPUT_PATH"/libs/$TARGET_LIBRARY/build | ||
mkdir -p "$LOCAL_SHIM_DIR" && cd "$LOCAL_SHIM_DIR" | ||
if [ $? -ne 0 ]; then echo "build-local.sh::ERROR: Cannot use local build directory"; exit 1; fi |
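Review bot: the separate `if [ $? -ne 0 ]; then ... exit 1; fi` after `mkdir -p "$LOCAL_SHIM_DIR" && cd "$LOCAL_SHIM_DIR"` changes the error-handling form from the inline syntax the ICU version of this script used; keep the original inline form and limit this hunk to replacing the hardcoded library name with $TARGET_LIBRARY, so the two paths stay directly comparable. Also check that the else branch of `if [ -d "$SHIM_SOURCE_DIR" ]` (not shown in this hunk) reports a missing source directory rather than silently producing no archive, since a silent skip would leave the build falling back to dynamic linking without anyone noticing.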
Please use the same inline syntax as before for compat. The only change needed was replacement of the hardcoded name with $TARGET_LIBRARY.
Thank you! I copied the file from the browser instead of the file system.
@kant2002 Could you please mention this next to https://github.com/dotnet/runtime/blob/main/src/coreclr/nativeaot/docs/compiling.md#using-statically-linked-icu and include a large warning/caveat?
src/coreclr/nativeaot/BuildIntegration/Microsoft.NETCore.Native.Unix.targets
@jkotas is this wording okay?
## Using statically linked OpenSSL | ||
This feature can statically link OpenSSL libraries (such as libssl.a and libcrypto.a) into your applications at build time. | ||
NativeAOT binaries built with this feature can run even when OpenSSL libraries are not installed. | ||
**WARNING:** *This is scenario for advanced users, please use with extreme caution. Incorrect usage of this feature, can cause security vulnerabilities in your product* |
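Review bot: the warning should name the concrete consequence instead of "Incorrect usage": a statically linked OpenSSL is no longer updated by the OS package manager, so every OpenSSL security fix requires rebuilding and redeploying the application, and the system trust store (/etc/ssl/certs, as the PR description notes) still has to be present at runtime. Also fix "This is scenario" to "This is a scenario" and drop the comma in "feature, can cause".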
@blowdart Does this look good?
@@ -4,24 +4,25 @@ | |||
# The .NET Foundation licenses this file to you under the MIT license. |
Executable bit was dropped during the move: chmod +x src/native/libs/build-local.sh
Thank you.
@kant2002, did you test it with code calling native API in System.Security.Cryptography and receive
(similar to 7646e76#diff-5c4725be11b8ef9741d6dba36be1244424dfcfc951ada9793862f002bcaee808)
I did test it in a Docker container while making a call to an https website: https://github.com/kant2002/NativeAOTDocker/tree/main/OpenSslEmbedding I did not test the built product, but rather patched the existing ILC runtime nuget content. Regarding ignoring opensslshim.c: that file is included if you build platform-agnostic SSL, but I do not specify that define and things start working.
runtime/src/native/libs/System.Security.Cryptography.Native/CMakeLists.txt, lines 58 to 61 in d320fd9
@kant2002 Could you please resolve the conflict?
Co-authored-by: Adeel Mujahid <[email protected]>
…e.Unix.targets Co-authored-by: Adeel Mujahid <[email protected]>
Is there an issue associated with this?
@davidfowl Technically no, because it started as an experiment to create a scratch console app with ICU in #79498, and when I did not receive pushback on the scenario, I decided to make a web site on a scratch container, like Go does it. Results are approximately 23MB for
If you are interested, you can look at the results of this experiment here: https://github.com/kant2002/NativeAOTDocker
Can you file one?
LGTM. Thank you!