aws/aws-encryption-sdk-c

Windows download issue with OpenSSL

m-laken opened this issue · 6 comments

Hello!

TL;DR, my main question is:
Is the SDK compatible with OpenSSL 3.x.x? If not, is it going to be compatible? I'm asking because OpenSSL 1.1.x End Of Life is in September 2023, and I could not make the SDK work with OpenSSL 3.x.x.

Details & additional issues:
I started yesterday to implement the SDK following the Windows instructions, but I ran into several issues, mainly related to OpenSSL. I'm sharing here the errors I had, the solutions I may have found and the questions I have.

OpenSSL 3

The documentation said "OpenSSL 1.0.2 or newer, or 1.1.0 or newer".
I now suppose this line means that OpenSSL 3.x.x is not compatible, but I tried anyway with the 3.x.x version and I got errors like this:

C:\DATA\aws-encryption-sdk-c\source\cipher_openssl.c(102,13): warning C4996: 'EVP_PKEY_get0_EC_KEY': Since OpenSSL 3.0 [C:\DATA\aws-encryption-sdk-c-build\Release\aws-encryption-sdk.vcxproj]

1) Is OpenSSL 3.x.x supposed to be compatible? If yes, I cannot build the solution because the warning is considered as an error.

2) If it's not supposed to be compatible, using the vcpkg current version won't work because "vcpkg install curl:x64-windows openssl:x64-windows" installs the 3.x.x version of OpenSSL.

3) OpenSSL 1.1.1 End of life is in September 2023. Is it in the roadmap to be compatible with OpenSSL 3.x.x? I'm using the SDK for production code, and this may prevent me from using the SDK.

OpenSSL 1.1

So I tried using OpenSSL 1.1.1u instead, using
-DBUILD_AWS_ENC_SDK_CPP=ON -DOPENSSL_ROOT_DIR="C:/DATA/openssl-1.1.1u-build/openssl-1.1/x64" -DOPENSSL_INCLUDE_DIR="C:/DATA/openssl-1.1.1u-build/openssl-1.1/x64/include" -DOPENSSL_LIBRARIES="C:/DATA/openssl-1.1.1u-build/openssl-1.1/x64/lib"

instead of
-DCMAKE_TOOLCHAIN_FILE="C:\DATA\vcpkg\scripts\buildsystems\vcpkg.cmake"

Then I had this error:

C:\DATA\aws-encryption-sdk-c\source\cipher_openssl.c(646,18): error C2220: the following warning is treated as an error [C:\DATA\aws-encryption-sdk-c-build\Release\aws-encryption-sdk.vcxproj]
C:\DATA\aws-encryption-sdk-c\source\cipher_openssl.c(646,18): warning C4013: 'BN_clear_free' undefined; assuming extern returning int [C:\DATA\aws-encryption-sdk-c-build\Release\aws-encryption-sdk.vcxproj]

To fix it I added #include <openssl/bn.h> to cipher_openssl.c. But it does not feel right that I needed to do that.

4) Is my fix alright? Is it a problem with my OpenSSL version?

Other issues

This is just for information. I don't know if those errors are related to a bad setup on my side or not.

When building, I had this error:
AWS SDK for C++ headers found, but we were unable to locate the binaries.

So in CMakeCache.txt, I replaced the AWSSDK_CORE_LIB_FILE:FILEPATH value with this:
AWSSDK_CORE_LIB_FILE:FILEPATH=C:/DATA/aws-sdk-cpp-build/Release/src/aws-cpp-sdk-core/Release/aws-cpp-sdk-core.lib

Finally I had this error, but I just ignored it, because the SDK worked.

C:\DATA\aws-encryption-sdk-c\tests\integration\t_local_cache_threading.c(92,27): error C2065: 'CRYPTO_LOCK': undeclared identifier [C:\DATA\aws-encryption-sdk-c-build\Release\tests\test_local_cache_threading.vcxproj]
C:\DATA\aws-encryption-sdk-c\tests\integration\t_local_cache_threading.c(105,28): warning C4013: 'ERR_load_crypto_strings' undefined; assuming extern returning int [C:\DATA\aws-encryption-sdk-c-build\Release\tests\test_local_cache_threading.vcxproj]

Thanks a lot for any help/advice/insight!

Any plans to support OpenSSL 3?

Thank you for bringing this to our attention.
Publishing instructions for building the ESDK-C with OpenSSL-3.x is on our roadmap.
Keep an eye on this issue for updates.

m-laken,

We've created the branch "silence-deprecation-warnings" which no longer reports errors for use of deprecated APIs.

This should be all that is needed for OpenSSL3 to work on Windows.

Would you be willing to try this branch in your local environment, and let me know if it meets all of your needs?

Hi ajewellamz,

I tried the branch, with aws-sdk-cpp commit a4fccfa1 (JUL 2023), OpenSSL 3.1.2 (AUG 2023) and aws-encryption-sdk commit 4b3c1a4 (silence-deprecation-warnings).
(I have an older version of aws-sdk-cpp because the newest one generates telemetry errors in my project)

I no longer had an issue building with OpenSSL 3, but I still had to manually replace AWSSDK_CORE_LIB_FILE:FILEPATH in CMakeCache.txt.

When running my project, I had the error “the code execution cannot proceed because libcrypto-3-x64.dll was not found”, so I added it manually to my project. I don’t know if it is related to the SDK or to the OpenSSL version that I downloaded from firedaemon.

But in the end, it worked!

Edit: Additional question, is it in the roadmap to replace the deprecated functions with supported equivalents?

Thank you for working on this.

Yes, it is in the roadmap to replace the deprecated functions with supported equivalents.

eommc commented

Hello. I'm adding another detail to the discussion.

Among the Linux OS flavors that can be used on AWS for new instances, Ubuntu 22.04, Red Hat 9, and Debian 12 are shipping OpenSSL 3 by default. They also provide OpenSSL 1.1.1 for backward compatibility. However, when we start using the new version in our code and its other dependencies, we cannot mix multiple versions in the same product.
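
The constraint raised in the comment above, that one product should not load more than one OpenSSL version, can be checked on Linux from `ldd` output. This is an added example, not part of the original thread or of the SDK; the function names, file paths and sample `ldd` text are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag a product whose binaries resolve more than one
# libcrypto version (e.g. OpenSSL 1.1.1 and OpenSSL 3 side by side).
# Input is `ldd`-style text on stdin.

# Print the distinct libcrypto sonames found in ldd output.
libcrypto_sonames() {
    grep -oE 'libcrypto\.so\.[0-9]+(\.[0-9]+)*' | sort -u
}

# Print how many distinct libcrypto sonames appear.
count_libcrypto_versions() {
    libcrypto_sonames | wc -l | tr -d ' '
}

# Return 0 when zero or one libcrypto version is referenced, 1 when mixed.
check_single_openssl() {
    n=$(count_libcrypto_versions)
    [ "$n" -le 1 ]
}

# Constructed sample: an application linked against OpenSSL 3 that also
# ships a vendor library still bound to OpenSSL 1.1 (paths are made up).
SAMPLE_MIXED='
/opt/app/bin/service:
    libaws-encryption-sdk.so => /opt/app/lib/libaws-encryption-sdk.so (0x00007f0000000000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000100000)
/opt/app/lib/libvendor.so:
    libcrypto.so.1.1 => /opt/app/lib/libcrypto.so.1.1 (0x00007f0000200000)
'

# Stand-alone use: pass the product's executables and shared objects as
# arguments, e.g.  sh check_openssl.sh /opt/app/bin/* /opt/app/lib/*.so
if [ "$#" -gt 0 ]; then
    out=$(ldd "$@" 2>/dev/null)
    printf '%s\n' "$out" | libcrypto_sonames
    if ! printf '%s\n' "$out" | check_single_openssl; then
        echo "more than one OpenSSL version is referenced" >&2
    fi
fi
```

Running it in CI against the packaged binaries catches a dependency that still pulls in the 1.1 library after the rest of the product has moved to OpenSSL 3.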