Drop mbedTLS (and support BoringSSL (and HTTP/3)) #45856
Comments
Who depends on
|
inkydragon
added
the
external dependencies
|
The simplest thing is keeping mbedTLS (but I understood problematic), at least for now (or only for Julia 1.6 LTS). If there's NO problem keeping it (and neither regarding supporting HTTP/3, which we may want to do somehow), then just close the issue. I assumed BoringSSL ok since lsquic uses. I just wanted to propose an alternative, since I was proposing dropping mbedTLS, and actually OpenSLL is likely back to being the best option (BoringSSL builds on it, may still be an option, quictls, another fork of OpenSLL, may be a better option). https://www.freshports.org/security/openssl-quictls/ Note, I would prefer shipping no TLS/SSL, and just defer to what the operating system provides, which is likely OpenSLL (at least on Linux) or something built into Windows. I don't know exactly what we need from these TLS/SLL libraries (only small part of the API? and thus do not need to worry too much about all the CVEs?). My thinking is, if we have some ancient Julia installed (or PackageCompiler app), is it insecure, even if the operating system is upgraded with its TLS/SLL library, since what the OS provides wouldn't be used? Or vise versa, if the OS is ancient, then if you have more recent Julia (or upgrade), then you might be ok, if you do NOT defer to the OS (but you do on Windows). Could we choose dynamically which is newer, do some projects do that? https://www.openssl.org/policies/releasestrat.html
LibreSLL is no longer supported in Python, and they went back to OpenSLL (and "currently no plans to support BoringSSL"): https://peps.python.org/pep-0644/#libressl-support Swift moved to (or was only considering? note, that's an old RFC) BoringSSL:
I can't quickly see what Go provides. OpenSLL? if anything by default, at least, it's available:
|
Can we replace
|
|
First we want to decide if/how we want to change TLS/SLL lib, e.g. to which (likely OpenSLL, not ruling out HTTP/3 and QUIC, or to a library supporting that right away?), without thinking of an auto-update mechanish. As a follow-up (I'm not sure it influences the decision on what to choose), then consider the auto-update issue I opened (I guess it could be implemented first though, with mbedTLS, but might not be worth it, if we want to migrate later/soon).
I'm not sure that will be possible in the future. HTTP/3 (and HTTP/2 before) drops unencrypted, and (the former TCP). I'm not sure if non-TCP QUIC influences what of/which library we want to migrate to. Still we need to support HTTP/1.1. E.g. for auto-update, you want to send "I'm using Julia 1.6.5, is newer available?", and it's preferable that "dialing in" is in the clear so that people do not get suspicious what's being sent to JuliaLang. I think this can and must still be done with TLS/SLL (just not HTTP/3). Except for such few exceptions, you would want to use encryption always and HTTP/3 (falling back to HTTP/2 or straight to HTTP/1.1, with HTTPS). Certainly encrypted should be the default, and never falling back to unencrytped, that should always be an opt-in (and maybe just not be offered by Julia).
|
|
Rustls also seems like a good choice (robustness and portability), however at the moment it looks like only Curl supports using it as a TLS backend (https://daniel.haxx.se/blog/2021/02/09/curl-supports-rustls/). |
Interesting findings: Rustls -> ring -> BoringSSL |
|
I think that @inkydragon's plan to switch to a mix of native SSL and OpenSSL as laid out in this comment is the way to go. The license situation is that recent OpenSSL is Apache v2, which is incompatible with GPLv2 but compatible with GPLv3+. Fortunately, we don't seem to only have any dependencies in Julia that are incompatible with Apache v2. Indeed, since mbedTLS is also Apache v2, switching to OpenSSL doesn't actually change the license situation at all. |
|
Regarding ABI, there may be some packages out there that rely on Julia shipping mbedTLS, but they really shouldn't and there is an mbedTLS JLL, which is how they should be depending on it. |
|
A pkgeval should catch that, and switching to the JLL should be quite easy. |
As you say, it's not a license change (from MbedTLS), but this would still be a problem for some users... (GPLv2-only vs GPLv2-or-later) unless you depend on OpenSSL of the system (which most or all provide?), the system library GPL exception: https://www.gnu.org/licenses/gpl-faq.html#SystemLibraryException So it's important, is the plan to ship Julia and bundling OpenSSL? An alternative would be e.g. Rustls, if you need to bundle anything..., which is MIT (and Apache). Intriguingly Rustls is the 14th and latest TLS supported by curl:
Is the plan to support (of those) only 3. TLS (plus what Julia already needs), or also 5. HTTP/3? Going forward, could the stuff bundled with Julia only support what's needed for Julia (i.e. Pkg) itself, and could it use HTTP/3, and drop TCP support? |
Technically this is possible, but we may need to create two new packages, LibCurl4Julia_jll.jl and LibCurl4Julia.jl, in order to include only the functionality needed by julia. But will there be a shared library conflict or symbol conflict if one loads both LibCurl4Julia.jl and LibCURL.jl? |
|
Julia was switched from mbedTLS to OpenSSL: #56708 |
I understand mbedTLS is problematic, and since this HTTP/3 (and QUIC) library (which we likely want to support anyway) uses BoringSSL, I think it might be a good replacement:
https://github.com/litespeedtech/lsquic
Actually I think BoringSSL should be in an external JLL package, will not be needed by Julia (only Pkg), so the main message is dropping mbedTLS (that's also an unneeded dependency).
[Note, HTTP/3 is already a standard, and the standard to support, much faster, doesn't use TCP. Might also be very helpful for Pkg? Is when downloading many streams.]
The text was updated successfully, but these errors were encountered: