gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 19:01:34 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
bba425393b8b312e55e102f16244d6f56c810e11
certctl/deploy/test/libest
T
History
shankar0123 bba425393b fix(deploy/test/libest): switch base bookworm-slim → bullseye-slim 
libest r3.2.0 (last upstream commit 2020-07-06) was authored against
OpenSSL 1.1.x and binutils ≤ 2.35. It does NOT build on the bookworm
toolchain for THREE independent reasons surfaced by ci-pipeline-cleanup
Phase 8's Docker build smoke (CI run 25192994486):

  1. FIPS_mode / FIPS_mode_set undefined references
     OpenSSL 3.0 removed these. libest r3.2.0 calls them in 5 places
     (est_client.c × 3, est_server.c × 1, estclient.c × 1).
     Even libest 'main' branch still uses them without OPENSSL_VERSION
     guards, so we can't escape this by bumping LIBEST_REF.

  2. e_ctx_ssl_exdata_index multiple definition
     est_locl.h:593 declares the symbol without 'extern', so every
     translation unit including the header gets its own definition.
     binutils 2.36+ defaults to -fno-common which refuses this; older
     binutils tolerated it. Fix is on libest main but not in r3.2.0.

  3. ossl_dump_ssl_errors duplicate symbol
     Symbol exists in both libest src + example/client/utils.c —
     same -fno-common shape.

debian:bookworm-slim ships OpenSSL 3.0 + binutils 2.40 — three for three.
debian:bullseye-slim ships OpenSSL 1.1.1n + binutils 2.35.2 — zero for three.

Switching the base eliminates all three errors at once. Both FROM lines
swap (builder + runtime) so the dynamically-linked libssl ABI matches.
Runtime apt: 'libssl3' → 'libssl1.1' for the same reason.

Why this is the proper path, not a band-aid:
- Bullseye is the actual environment libest 3.2.0 was authored against
  (per its configure.ac HAVE_OLD_OPENSSL macro). Bookworm was the wrong
  base for this dep from day 1 of the EST RFC 7030 hardening bundle.
- The libest sidecar runs in a hermetic test environment — not exposed
  to attackers, not shipped in production. OpenSSL 1.1.1 EOL (2023-09)
  is acceptable for a test-only fixture. Production certctl images
  remain on bookworm-slim with OpenSSL 3.0.
- Bullseye support timeline: regular updates until 2026-08, LTS until
  2028-08. Two+ years of runway before the next base bump.

Both FROM lines pinned to debian:bullseye-slim@sha256:1a4701c321b1...
(verified via OCI v2 manifest endpoint 2026-04-30).

Sandbox verification:
  bash scripts/ci-guards/H-001-bare-from.sh    → clean
  bash scripts/ci-guards/digest-validity.sh    → all 16 digests resolve

Cannot verify the actual docker build without docker; if the build
still fails on bullseye, the next layer of fixes is sed-patching the
libest source for the surviving issues (FIPS_mode guards) — but the
toolchain compatibility issue alone explains all three observed errors,
so this should resolve them.
2026-04-30 22:53:32 +00:00
..
Dockerfile
fix(deploy/test/libest): switch base bookworm-slim → bullseye-slim
2026-04-30 22:53:32 +00:00