Skip to content

Ensure openssl 3.0 compatibility of released packages #476

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
wprzytula merged 9 commits into from
Jun 16, 2026
Merged

Ensure openssl 3.0 compatibility of released packages #476

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
a4bdcd8
makefile: fix BUILD_DIR quoting
wprzytula Jun 10, 2026
c4f13b4
makefile: extract OPENSSL_WIN_VERSION variable
wprzytula Jun 10, 2026
8503516
makefile: add zlib-devel to RPM container deps
wprzytula Jun 10, 2026
ded6918
cmake: add comments and vertical indentation
wprzytula Jun 10, 2026
8648a4e
register transitive deps for CMake consumers
wprzytula Jun 9, 2026
7247284
static linking: publish transitive deps in .pc
wprzytula Jun 16, 2026
3dab115
ci: verify static driver links against OpenSSL 3.0
wprzytula Jun 15, 2026
5cd2e0c
build: generate BUILD_INFO on every build
wprzytula Jun 16, 2026
3a9d388
packaging: include BUILD_INFO in dev package
wprzytula Jun 16, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions .github/workflows/build-cpack-packages.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,9 @@ jobs:
- name: Build and test DEB packages
run: make test-package-deb

- name: Verify static driver links against OpenSSL 3.0 (issue #455)
run: make verify-openssl-3.0-compat

- name: Collect artifacts
if: inputs.save-artifacts
run: make collect-package-artifacts
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/build-lint-and-test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,9 @@ jobs:
id: build-integration-test-bin
run: make build-integration-test-bin

- name: Verify static driver links against OpenSSL 3.0 (issue #455)
run: make verify-openssl-3.0-compat

- name: Save integration test binary
uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
id: save-integration-test-bin
Expand Down
50 changes: 47 additions & 3 deletions Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -193,10 +193,11 @@ endif
FULL_RUSTFLAGS := --cfg scylla_unstable --cfg cpp_integration_testing

CURRENT_DIR := $(dir $(abspath $(lastword $(MAKEFILE_LIST))))
BUILD_DIR := "${CURRENT_DIR}build"
BUILD_DIR := $(CURRENT_DIR)build
INTEGRATION_TEST_BIN := ${BUILD_DIR}/cassandra-integration-tests
CMAKE_FLAGS ?=
CMAKE_BUILD_TYPE ?= Release
OPENSSL_WIN_VERSION ?= 1.1.1u

ifeq ($(OS_TYPE),macos)
CMAKE_INSTALL_PREFIX ?= /usr/local
Expand Down Expand Up @@ -274,6 +275,49 @@ build-integration-test-bin-if-missing:
@cd "${BUILD_DIR}"
cmake -DCASS_BUILD_INTEGRATION_TESTS=ON -DCMAKE_BUILD_TYPE=Release .. && (make -j 4 || make)

# =============================================================================
# OpenSSL 3.0 Compatibility Verification
# =============================================================================
# Regression test for issue #455: ensures the static driver archive can link
# against OpenSSL 3.0 (our minimum supported version). Rather than rebuilding
# from source, this target uses the artifact already produced by the default
# build (which enables both shared and static). If the archive references
# symbols only available in OpenSSL >3.0 (e.g. due to build environment
# contamination), the link fails.
#
# This target is Linux/amd64-only (matches our release artifact platform).
# =============================================================================

OPENSSL_3_0_COMPAT_SYSROOT := /tmp/openssl-3.0-compat-sysroot
OPENSSL_3_0_LIBSSL_DEV_URL := https://launchpad.net/ubuntu/+archive/primary/+files/libssl-dev_3.0.2-0ubuntu1_amd64.deb
OPENSSL_3_0_LIBSSL_DEV_SHA256 := f3671a9f01aa92928db200b3d28f1acb782366882fe318a940649bd02363ceb6
OPENSSL_3_0_LIBSSL_DEV_PATH := /tmp/libssl-dev_3.0.2.deb

Comment thread
wprzytula marked this conversation as resolved.
verify-openssl-3.0-compat:
@echo "=== Verifying static driver links against OpenSSL 3.0 (issue #455) ==="
rm -rf "$(OPENSSL_3_0_COMPAT_SYSROOT)"
DESTDIR="$(OPENSSL_3_0_COMPAT_SYSROOT)" cmake --install "$(BUILD_DIR)"
curl -fL -o "$(OPENSSL_3_0_LIBSSL_DEV_PATH)" "$(OPENSSL_3_0_LIBSSL_DEV_URL)"
echo "$(OPENSSL_3_0_LIBSSL_DEV_SHA256) $(OPENSSL_3_0_LIBSSL_DEV_PATH)" | sha256sum --check
dpkg-deb -x "$(OPENSSL_3_0_LIBSSL_DEV_PATH)" "$(OPENSSL_3_0_COMPAT_SYSROOT)"
rm -f "$(OPENSSL_3_0_COMPAT_SYSROOT)/usr/lib/x86_64-linux-gnu/libssl.so"
rm -f "$(OPENSSL_3_0_COMPAT_SYSROOT)/usr/lib/x86_64-linux-gnu/libcrypto.so"
PKG_CONFIG_SYSROOT_DIR="$(OPENSSL_3_0_COMPAT_SYSROOT)" \
PKG_CONFIG_PATH="$(OPENSSL_3_0_COMPAT_SYSROOT)/usr/local/lib/x86_64-linux-gnu/pkgconfig:$(OPENSSL_3_0_COMPAT_SYSROOT)/usr/lib/x86_64-linux-gnu/pkgconfig" \
pkg-config --libs --static scylladb_static
cc \
$$(PKG_CONFIG_SYSROOT_DIR="$(OPENSSL_3_0_COMPAT_SYSROOT)" \
PKG_CONFIG_PATH="$(OPENSSL_3_0_COMPAT_SYSROOT)/usr/local/lib/x86_64-linux-gnu/pkgconfig:$(OPENSSL_3_0_COMPAT_SYSROOT)/usr/lib/x86_64-linux-gnu/pkgconfig" \
pkg-config --cflags scylladb_static) \
examples/ssl/ssl.c \
$$(PKG_CONFIG_SYSROOT_DIR="$(OPENSSL_3_0_COMPAT_SYSROOT)" \
PKG_CONFIG_PATH="$(OPENSSL_3_0_COMPAT_SYSROOT)/usr/local/lib/x86_64-linux-gnu/pkgconfig:$(OPENSSL_3_0_COMPAT_SYSROOT)/usr/lib/x86_64-linux-gnu/pkgconfig" \
pkg-config --libs --static scylladb_static) \
-o /tmp/openssl-3.0-compat-link-test
@echo "=== OpenSSL 3.0 compatibility verified ==="
rm -rf "$(OPENSSL_3_0_COMPAT_SYSROOT)" \
"$(OPENSSL_3_0_LIBSSL_DEV_PATH)" /tmp/openssl-3.0-compat-link-test

build-examples:
@echo "Building examples to ${EXAMPLES_DIR}"
@mkdir "${BUILD_DIR}" >/dev/null 2>&1 || true
Expand Down Expand Up @@ -345,7 +389,7 @@ endif

.package-configure: .package-build-prepare
ifeq ($(OS_TYPE),windows)
cmake -S . -B build -G "Visual Studio 17 2022" -A x64 -DCMAKE_BUILD_TYPE=$(CMAKE_BUILD_TYPE) -DOPENSSL_VERSION=1.1.1u $(CMAKE_FLAGS)
cmake -S . -B build -G "Visual Studio 17 2022" -A x64 -DCMAKE_BUILD_TYPE=$(CMAKE_BUILD_TYPE) -DOPENSSL_VERSION=$(OPENSSL_WIN_VERSION) $(CMAKE_FLAGS)
else
cmake -S . -B build -G Ninja -DCMAKE_BUILD_TYPE=$(CMAKE_BUILD_TYPE) -DCMAKE_INSTALL_PREFIX=$(CMAKE_INSTALL_PREFIX) $(CMAKE_FLAGS)
endif
Expand Down Expand Up @@ -559,7 +603,7 @@ test-package-rpm: build-package
fedora:latest \
bash -c ' \
set -euo pipefail; \
dnf -y install make cmake gcc-c++ findutils rpm-build createrepo_c; \
dnf -y install make cmake gcc-c++ findutils rpm-build zlib-devel createrepo_c; \
$(MAKE) -C $(SMOKE_TEST_DIR) verify-driver-dev-rpm; \
$(MAKE) -C $(SMOKE_TEST_DIR) remove-driver-dev-rpm || true; \
$(MAKE) -C $(SMOKE_TEST_DIR) remove-driver-rpm || true; \
Expand Down
175 changes: 175 additions & 0 deletions ci/generate-build-info.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,175 @@
#!/usr/bin/env bash
# Generate BUILD_INFO metadata file capturing the build environment.
# Usage: ci/generate-build-info.sh <output-path>
#
# The script degrades gracefully: fields that cannot be determined are
# printed as "unknown". If bash is not available, CMake will skip this
# step without failing the build (see CMakeLists.txt).

set -euo pipefail

OUTPUT="${1:?Usage: $0 <output-path>}"
BUILD_DIR="$(cd "$(dirname "$OUTPUT")" && pwd)"
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
SOURCE_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"

# --- Helpers ---

cmake_cache_get() {
local key="$1"
local cache="$BUILD_DIR/CMakeCache.txt"
if [ -f "$cache" ]; then
grep "^${key}:" "$cache" 2>/dev/null | cut -d= -f2- || echo "unknown"
else
echo "unknown"
fi
}

# --- Driver version ---

VERSION=$(cd "$SOURCE_DIR" && git describe --tags --always 2>/dev/null || echo "unknown")

# --- Platform ---

ARCH=$(uname -m 2>/dev/null || echo "unknown")
KERNEL=$(uname -r 2>/dev/null || echo "unknown")

case "${OSTYPE:-}" in
linux-gnu*|linux*)
if [ -f /etc/os-release ]; then
OS=$(. /etc/os-release && echo "${PRETTY_NAME:-unknown}")
else
OS="Linux (unknown distro)"
fi
GLIBC=$(ldd --version 2>/dev/null | head -1 | grep -oE '[0-9]+\.[0-9]+$' || echo "unknown")
;;
darwin*)
OS="macOS $(sw_vers -productVersion 2>/dev/null || echo unknown)"
GLIBC="N/A"
;;
msys*|cygwin*|mingw*)
OS="Windows"
GLIBC="N/A"
;;
*)
OS="unknown (${OSTYPE:-not set})"
GLIBC="unknown"
;;
esac

# --- Toolchain ---

RUST_VERSION=$(rustc --version 2>/dev/null || echo "unknown")
CARGO_VERSION=$(cargo --version 2>/dev/null || echo "unknown")
CMAKE_VERSION_STR=$(cmake --version 2>/dev/null | head -1 || echo "unknown")
CC_VERSION=$(${CC:-cc} --version 2>/dev/null | head -1 || echo "unknown")

# --- OpenSSL (from openssl-sys build script output) ---

OPENSSL_SYS_OUTPUT=""
# The output file is at target/<profile>/build/openssl-sys-<hash>/output
# Search within the cargo target directory used by this build.
CARGO_TARGET_DIR=$(cmake_cache_get "CARGO_TARGET_DIR")
if [ "$CARGO_TARGET_DIR" = "unknown" ] || [ ! -d "$CARGO_TARGET_DIR" ]; then
# Fallback: search in the standard location
CARGO_TARGET_DIR="$SOURCE_DIR/scylla-rust-wrapper/target"
fi
if [ -d "$CARGO_TARGET_DIR" ]; then
OPENSSL_SYS_OUTPUT=$(find "$CARGO_TARGET_DIR" -path "*/openssl-sys-*/output" -type f 2>/dev/null | head -1)
fi

if [ -n "$OPENSSL_SYS_OUTPUT" ] && [ -f "$OPENSSL_SYS_OUTPUT" ]; then
OPENSSL_VERSION_HEX=$(grep "^cargo:version_number=" "$OPENSSL_SYS_OUTPUT" | cut -d= -f2 || echo "")
OPENSSL_INCLUDE=$(grep "^cargo:include=" "$OPENSSL_SYS_OUTPUT" | cut -d= -f2 || echo "unknown")
OSSLCONF_FLAGS=$(grep "^cargo:rustc-cfg=osslconf=" "$OPENSSL_SYS_OUTPUT" | sed 's/cargo:rustc-cfg=osslconf="\(.*\)"/\1/' | paste -sd ' ' || echo "none")

# Quoting from openssl docs:
# > A build script can be used to detect the OpenSSL or LibreSSL version at compile time if needed. The `openssl-sys`
# > crate propagates the version via the `DEP_OPENSSL_VERSION_NUMBER` and `DEP_OPENSSL_LIBRESSL_VERSION_NUMBER`
# > environment variables to build scripts. The version format is a hex-encoding of the OpenSSL release version:
# > `0xMNNFFPPS`. For example, version 1.0.2g’s encoding is `0x1_00_02_07_0`.
#
# However, OpenSSL 3.x changed the displaying, while encoding is still the same.
# - In version 1.2.3.c, 3 was Fix and c was Patch.
# - In version 3.2.1, 3 is Patch and Fix is not present (0).
# We're only interested in OpenSSL 3+, so we can assume the version is in the Major.Minor.Patch format.
if [ -n "$OPENSSL_VERSION_HEX" ]; then
dec=$((16#$OPENSSL_VERSION_HEX))
major=$(( (dec >> 28) & 0xF ))
minor=$(( (dec >> 20) & 0xFF ))
patch=$(( (dec >> 4) & 0xFF ))
OPENSSL_VERSION="${major}.${minor}.${patch}"
Comment thread
coderabbitai[bot] marked this conversation as resolved.
else
OPENSSL_VERSION="unknown"
fi
else
OPENSSL_VERSION=$(pkg-config --modversion openssl 2>/dev/null || echo "unknown")
OPENSSL_INCLUDE=$(pkg-config --variable=includedir openssl 2>/dev/null || echo "unknown")
OSSLCONF_FLAGS="unknown (openssl-sys build output not found)"
fi

# --- Build configuration (from Cargo.toml) ---

CARGO_TOML="$SOURCE_DIR/scylla-rust-wrapper/Cargo.toml"
if [ -f "$CARGO_TOML" ]; then
LTO=$(grep "^lto" "$CARGO_TOML" | head -1 | sed 's/.*=[ ]*//' | tr -d '"' || echo "unknown")
PANIC=$(grep "^panic" "$CARGO_TOML" | head -1 | sed 's/.*=[ ]*//' | tr -d '"' || echo "unknown")
else
LTO="unknown"
PANIC="unknown"
fi

# --- CMake options ---

CMAKE_BUILD_TYPE=$(cmake_cache_get "CMAKE_BUILD_TYPE")
CMAKE_INSTALL_PREFIX=$(cmake_cache_get "CMAKE_INSTALL_PREFIX")
CASS_BUILD_SHARED=$(cmake_cache_get "CASS_BUILD_SHARED")
CASS_BUILD_STATIC=$(cmake_cache_get "CASS_BUILD_STATIC")

# --- Write output ---

cat > "$OUTPUT" <<EOF
Build Information for scylla-cpp-driver $VERSION

Platform
--------
OS: $OS
Architecture: $ARCH
Kernel: $KERNEL
glibc: $GLIBC

Toolchain
---------
Rust: $RUST_VERSION
Cargo: $CARGO_VERSION
CMake: $CMAKE_VERSION_STR
CC: $CC_VERSION

OpenSSL (detected by openssl-sys at build time)
------------------------------------------------
Version: $OPENSSL_VERSION
Include path: $OPENSSL_INCLUDE
Disabled (osslconf): ${OSSLCONF_FLAGS:-none}

Build Configuration
-------------------
CMAKE_BUILD_TYPE: $CMAKE_BUILD_TYPE
CMAKE_INSTALL_PREFIX: $CMAKE_INSTALL_PREFIX
CASS_BUILD_SHARED: $CASS_BUILD_SHARED
CASS_BUILD_STATIC: $CASS_BUILD_STATIC
LTO: $LTO
Panic strategy: $PANIC

Static Library Compatibility Notes
----------------------------------
The static archive (libscylladb_static.a) requires consumers to
provide OpenSSL >= 3.0 at link time. The minimum OpenSSL version
is determined by the build-time detection performed by the
openssl-sys crate.

Consumers linking on systems with a different OpenSSL configuration
(e.g. different osslconf flags) may encounter undefined symbol errors
for conditionally-compiled functions.
EOF

echo "Generated: $OUTPUT"
Loading
Loading