OpenSSL integration #86

Open: ctz wants to merge 3 commits into main from jbp-openssl

ctz (Member) commented Mar 3, 2026

This is ready for review. I am working ahead from here on a curl integration (mainly build system work!) so won't merge this until that proves this out fully.

codspeed-hq Bot commented Mar 3, 2026

Merging this PR will not alter performance

✅ 4 untouched benchmarks


Comparing jbp-openssl (afe9559) with main (00e16fb)


ctz (Member, Author) commented Mar 5, 2026

Kinda works though:

$ export LD_PRELOAD=./libupkiopenssl-preload.so

curl:

$ curl https://certdemo-dv-revoked-rsa.tls.d-trust.net/
curl: (60) SSL certificate problem: certificate revoked
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

python:

$ python -c "import urllib.request; print(urllib.request.urlopen('https://certdemo-dv-revoked-rsa.tls.d-trust.net/').read())"
Traceback (most recent call last):
  File "/usr/lib/python3.12/urllib/request.py", line 1344, in do_open
    h.request(req.get_method(), req.selector, req.data, headers,
(... world's largest stack trace ...)
  File "/usr/lib/python3.12/urllib/request.py", line 1392, in https_open
    return self.do_open(http.client.HTTPSConnection, req,
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/urllib/request.py", line 1347, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate revoked (_ssl.c:1000)>

openssl CLI:

$ openssl s_client -connect certdemo-dv-revoked-rsa.tls.d-trust.net:443 -verify_return_error | tail
8097F182FC6F0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1889:
Verification error: certificate revoked
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 23 (certificate revoked)
---

ctz force-pushed the jbp-openssl branch 2 times, most recently from 5243c3a to e7c46ba (April 9, 2026 20:33)

ctz force-pushed the jbp-openssl branch 3 times, most recently from 9eb4a8d to f7fb11b (April 23, 2026 11:52)

ctz (Member, Author) commented Apr 23, 2026

I've moved this along a bit, and I think it is now robust. I've dropped the preload commit for now. The remaining work here is around testing, as currently the new artifact libupkiopenssl.so is entirely untested.

ctz force-pushed the jbp-openssl branch 6 times, most recently from 9dc4ef0 to e6f0931 (May 11, 2026 16:32)

ctz force-pushed the jbp-openssl branch 2 times, most recently from b9127a7 to 2295a98 (May 12, 2026 15:19)

ctz requested a review from djc (May 12, 2026 19:49)

ctz marked this pull request as ready for review (May 12, 2026 19:49)