WL#8998: Migrate away from yaSSL
Affects: Server-8.0
—
Status: Complete
yaSSL is not actively supported and lacks support for modern features, e.g. TLS 1.2. However, we still want wolfSSL as an option for community users who can and will build MySQL themselves. This worklog removes yaSSL and adds support for building against wolfSSL while keeping the OpenSSL support intact.
* FRQ1: all currently passing tests in yaSSL compiled binaries should keep working
* FRQ2: TLS 1.2 should work as it does for the OpenSSL library
* FRQ3: no new dependencies should be added to either the client or the servers as a result of migration to wolfSSL
This is to migrate away from yaSSL to the wolfSSL library.

Reasons:
* yaSSL does not support TLS 1.2
* yaSSL is slow (single global mutex)
* yaSSL does not support certificate/key generation
* yaSSL is not maintained regularly and is used only by MySQL
* yaSSL's OpenSSL API layer is very poor and does not expose the functionality the library has

Scope of the worklog

This worklog will replace yaSSL with the *functionally equivalent* wolfSSL library. *NO new functionality* will be added as a result except for TLS 1.2. The rest of the new features wolfSSL has will be provided to MySQL via separate worklogs.

wolfSSL for MySQL will be compiled differently from the standalone wolfSSL library. This is needed according to the wolfSSL developers. So, at least initially, dynamic linking to the wolfSSL library in some distros will *not* be supported.

The version of wolfSSL is as provided by the wolfSSL developers. We leave it to them to decide what version to use.

wolfSSL also has a much richer OpenSSL emulation API layer. Thus the yaSSL/wolfSSL-specific code will be removed as much as possible and we will fully rely on the OpenSSL APIs (as emulated by wolfSSL), with the future goal of one day making no wolfSSL-specific calls.
See also https://bugs.mysql.com/20040

Note: this worklog will push the changes to 8.0 and trunk only.

Bugs reported to wolfSSL on wolfssl-3.12.0:
* https://wolfssl.zendesk.com/hc/en-us/requests/3199: Bug in Wolfssl 3.12.0: MAX_TIME_STRING_SZ too short so wolfSSL_ASN1_TIME_print does not print the timezone
* https://wolfssl.zendesk.com/hc/en-us/requests/3155: I believe I've found a bug in wolf 3.12 main.ssl_8k_key is failing
* https://wolfssl.zendesk.com/hc/en-us/requests/3200: wolfssl 3.12.0 compilation problem on windows with mysql: wolfssl's wolfssl/io.h shadows the system io.h header
* https://wolfssl.zendesk.com/hc/en-us/requests/3202: wolfssl 3.12.0 missing function ERR_peek_error
* https://wolfssl.zendesk.com/hc/en-us/requests/3203: wolfssl 3.12.0 missing function: ASN1_TIME_print
* https://wolfssl.zendesk.com/hc/en-us/requests/3204: wolfssl 3.12.0 missing functions: PEM_read_RSA_PUBKEY, PEM_read_mem_RSA_PUBKEY and PEM_read_RSAPrivateKey
* https://wolfssl.zendesk.com/hc/en-us/requests/3205: wolfssl 3.12.0 bug: mysql client tools cause a crash when trying to clean up properly
* https://wolfssl.zendesk.com/hc/en-us/requests/3206: wolfssl-3.12.0 bug: tls 1.1 clients can't connect to tls 1.2 servers
* https://wolfssl.zendesk.com/hc/en-us/requests/3207: wolfssl 3.12.0 redefines a number of standard defines that collide with mysql code identifiers
* https://wolfssl.zendesk.com/hc/en-us/requests/3208: wolfssl 3.12.0: Solaris Sparc (but not x86) has a compile error

Consider closing bug #26954626 too.
Copyright (c) 2000, 2024, Oracle Corporation and/or its affiliates. All rights reserved.