Rippled does not build with OpenSSL 1.1 #2047

Closed
MarkusTeufelberger opened this issue Mar 12, 2017 · 6 comments

@MarkusTeufelberger
Collaborator

Since a clear set of dependencies is not documented on https://ripple.com/build/rippled-setup/#installing-rippled (and the page linked there - https://wiki.ripple.com/Rippled_build_instructions - has a big warning header and is quite outdated too), I just wanted to bring this to your attention this way, in case someone wants to build against the latest version of OpenSSL. It won't work.

@MarkusTeufelberger
Collaborator Author

Ok, I researched a bit more. Apparently the issue is with rippled checking for the "SSL_R_SHORT_READ" error code in https://github.com/ripple/rippled/blob/develop/src/ripple/beast/asio/ssl_error.h#L72. OpenSSL removed this one in openssl/openssl@45f55f6 when it removed SSLv2 support (which is not supported by rippled anyways).

I'm not sure who is responsible for OpenSSL stuff, but probably @nbougalis or @JoelKatz are the ones or at least know who could/should fix this (most likely by removing a bunch of error handling code). Also pinging @vinniefalco, since this is happening in beast code.

This issue seems to affect building rippled with upstream packages on: Fedora rawhide, Debian Stretch and Sid, potentially more (these are just amongst the ones I'm testing).

@JoelKatz
Collaborator

JoelKatz commented Apr 7, 2017

I wonder if this is the fix:

/** Returns `true` if the error code is a SSL "short read." */
inline
bool
is_short_read(boost::system::error_code const& ec)
{
#ifdef SSL_R_SHORT_READ
    return (ec.category() == boost::asio::error::get_ssl_category())
        && (ERR_GET_REASON(ec.value()) == SSL_R_SHORT_READ);
#else
    return false;
#endif
}

@MarkusTeufelberger
Collaborator Author

It definitely is a fix. Personally I would prefer removing code to just ifdefing it away, but it should work.

@MarkusTeufelberger
Collaborator Author

Any updates? My distro upgraded to OpenSSL 1.1 and rippled now does not build any more...

@MarkusTeufelberger
Collaborator Author

https://github.com/ripple/rippled/blob/develop/src/ripple/basics/impl/make_SSLContext.cpp#L211 refers to SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS and tries to set this flag. It is not used any more since OpenSSL 1.1.1 (according to https://github.com/openssl/openssl/blob/master/include/openssl/ssl3.h#L263) and thus it might be easiest to just remove the problematic call altogether.

After a quick 'n' dirty ifdef, rippled builds with OpenSSL 1.1 and passes unit tests (except the test case in beast_asio_error_test.cpp which checks for short read detection):

#if OPENSSL_VERSION_NUMBER < 0x10100000L
static
void
info_handler (SSL const* ssl, int event, int)
{
    if ((ssl->s3) && (event & SSL_CB_HANDSHAKE_START))
    {
        if (disallowRenegotiation (ssl, SSL_in_before (ssl)))
            ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
    }
}
#else
static
void
info_handler (SSL const* ssl, int event, int)
{
// empty
}
#endif
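
Added example, not part of the thread or of rippled's code: a decoder for the pre-3.0 `OPENSSL_VERSION_NUMBER` layout (0xMNNFFPPS) that shows which branch of the `#if OPENSSL_VERSION_NUMBER < 0x10100000L` gate above a given build takes. The names `decode`, `format_version` and `takes_legacy_branch` and the sample values are constructed for illustration.

```cpp
#include <cstdint>
#include <iostream>
#include <string>

// Fields of a pre-3.0 OPENSSL_VERSION_NUMBER, packed as 0xMNNFFPPS.
struct OpenSSLVersion
{
    std::uint32_t major_no, minor_no, fix_no, patch_no, status;
};

OpenSSLVersion decode(std::uint32_t v)
{
    return { (v >> 28) & 0xF, (v >> 20) & 0xFF, (v >> 12) & 0xFF,
             (v >> 4) & 0xFF, v & 0xF };
}

// Renders e.g. "1.0.2k", "1.1.0-dev", "1.1.1-beta3".
// Only single-letter patch levels (a..z) are rendered.
std::string format_version(OpenSSLVersion const& o)
{
    std::string s = std::to_string(o.major_no) + "."
        + std::to_string(o.minor_no) + "." + std::to_string(o.fix_no);
    if (o.patch_no >= 1 && o.patch_no <= 26)
        s += static_cast<char>('a' + o.patch_no - 1);  // patch 1 -> 'a'
    if (o.status == 0x0)
        s += "-dev";                                   // development snapshot
    else if (o.status != 0xF)                          // 0xF marks a release
        s += "-beta" + std::to_string(o.status);
    return s;
}

// Mirrors the gate quoted in the thread: true selects the pre-1.1 branch
// that sets the flag through ssl->s3, false selects the empty handler.
bool takes_legacy_branch(std::uint32_t v)
{
    return v < 0x10100000u;
}

int main()
{
    // Constructed sample values (not taken from the thread).
    const std::uint32_t samples[] = { 0x100020bfu, 0x10100000u, 0x1010100fu };
    for (std::uint32_t v : samples)
        std::cout << std::hex << "0x" << v << " -> "
                  << format_version(decode(v))
                  << (takes_legacy_branch(v) ? "  legacy info_handler\n"
                                             : "  empty info_handler\n");
}
```

Every build from the 1.1.0 development snapshot onward compiles the empty handler, so the renegotiation flag set by the legacy branch is no longer applied there.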

MarkusTeufelberger added a commit to MarkusTeufelberger/rippled that referenced this issue Jun 4, 2017
vinniefalco pushed a commit to vinniefalco/rippled that referenced this issue Jun 12, 2017
miguelportilla pushed a commit to miguelportilla/rippled that referenced this issue Jun 16, 2017
@MarkusTeufelberger
Collaborator Author

fixed in #2151
