chore(crypto): upgrade OpenSSL to 3.x #208
Pull request overview
This PR updates BartonCore’s build/container setup to stop wiring in a custom OpenSSL 1.1.1 build and instead rely on system OpenSSL with a minimum supported version of 3.0.5, aligning OpenSpec requirements and build-time dependency checks accordingly.
Changes:
- Update OpenSpec dependency requirements and scenarios to reflect OpenSSL 3.0.5+.
- Remove Docker image steps that downloaded/built OpenSSL 1.1.1v (and the related curl build/linking).
- Update CMake dependency version checks to require OpenSSL >= 3.0.5 (dropping the previous 1.1.1 max constraint) and remove Matter build-time PKG_CONFIG_PATH override.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| openspec/specs/build-system/spec.md | Updates documented dependency constraints and OpenSSL version-check scenarios for OpenSSL 3.0.5+. |
| openspec/config.yaml | Updates project “Key deps” summary to OpenSSL 3.x (>=3.0.5). |
| docker/Dockerfile | Removes custom OpenSSL 1.1.1v/curl build steps and related env wiring; relies on Ubuntu 24.04 system OpenSSL. |
| config/cmake/DependencyVersions.cmake | Bumps OpenSSL minimum version to 3.0.5 and removes max version constraint in dependency checks. |
| build-matter.sh | Removes forcing Matter builds to use the previously custom OpenSSL pkg-config path. |
c8da748 to 75ec159
Remove custom OpenSSL 1.1.1x wiring from build and container setup and use system OpenSSL with a minimum supported version of 3.0.5. Also, update OpenSpec dependency requirement and scenarios to match current behavior.

refs: BARTON-363
Signed-off-by: Naeem Khan <naeem_khan@comcast.com>
75ec159 to 5c7c061
Pull request overview
This PR updates BartonCore’s build, container, and OpenSpec requirements to drop the custom OpenSSL 1.1.1x wiring and rely on system OpenSSL with a minimum supported version of 3.0.5, aligning the documented dependency constraints and build scenarios with the new baseline.
Changes:
- Update dependency policy/specs to require OpenSSL >= 3.0.5 and adjust OpenSSL version-check scenarios accordingly.
- Remove Docker image steps that built/used a custom OpenSSL 1.1.1v (and curl linked against it), reverting to system OpenSSL/curl packages.
- Remove CMake/script environment overrides that hard-coded /usr/local/openssl for RPATH/LD paths and Matter build wiring.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| openspec/specs/build-system/spec.md | Updates OpenSSL dependency constraint and version-check scenarios to OpenSSL 3.x (min 3.0.5). |
| openspec/config.yaml | Updates documented “Key deps” to reflect OpenSSL 3.x (>= 3.0.5). |
| docker/openssl.conf | Removes ld.so configuration for the previously custom OpenSSL install path. |
| docker/Dockerfile | Removes custom OpenSSL 1.1.1v and curl-from-source steps; relies on system packages. |
| core/CMakeLists.txt | Removes /usr/local/openssl RPATH and LD_LIBRARY_PATH override for GIR invocation. |
| config/cmake/DependencyVersions.cmake | Updates OpenSSL min version to 3.0.5 and removes the prior max-version constraint and PKG_CONFIG_PATH overrides. |
| build-matter.sh | Removes OpenSSL 1.1.1-specific PKG_CONFIG_PATH override during Matter builds. |
| # Download, build, and install libcurl, but link against OpenSSL 1.1.1v specifically | ||
| RUN cd /tmp && \ | ||
| wget https://curl.se/download/curl-7.82.0.tar.gz && \ | ||
| tar -xzvf curl-7.82.0.tar.gz && \ | ||
| cd curl-7.82.0 && \ | ||
| ./configure --with-ssl=/usr/local/openssl && \ | ||
| make && \ | ||
| make install && \ | ||
| rm -rf /tmp/curl-7.82.0.tar.gz /tmp/curl-7.82.0 | ||
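Review bot: Once the `./configure --with-ssl=/usr/local/openssl` source build of curl-7.82.0 is gone, nothing in these lines pins which curl and libcurl the image ends up with, so the Dockerfile should install the distribution's curl packages explicitly rather than pick them up as a transitive dependency. A `curl --version` step in the image build would show that the packaged curl reports an OpenSSL 3.x backend.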
rchowdcmcsa left a comment
LGTM once the Copilot comment is resolved.
Changes to Dockerfiles require a rev of the docker/version file (source of truth for docker image version tag).
Once a new docker version is merged to main, we have to push the image to the registry (we should generate CI for this at some point). The Dockerfile has some instructions for this at the top. If, for some reason, you don't have permission to, let me know and I can push it.
kfundecmcsa left a comment
Requesting a small change to the commit message type: this would be build instead of chore. Docker‑related changes generally fall under build.
Remove custom OpenSSL 1.1.1x wiring from build and container setup and use system OpenSSL with a minimum supported version of 3.0.5. Also, update OpenSpec dependency requirement and scenarios to match current behavior.
refs: BARTON-363