Bug #105535 MySQL Router SSL compilation errors on Windows
Submitted: 11 Nov 2021 16:22 Modified: 9 Dec 2021 21:03
Reporter: Aaron Steigerwald Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Compiling Severity:S3 (Non-critical)
Version:8.0.27 OS:Microsoft Windows (10.0.18363.1556)
Assigned to: CPU Architecture:x86
Tags: compile, router, SSL

[11 Nov 2021 16:22] Aaron Steigerwald
Description:
Compiling MySQL 8.0.27 on Windows fails during MySQL Router SSL compilation with some of the following warnings and errors:

  Building Custom Rule C:/mysql-8.0.27/router/src/openssl/src/CMakeLists.txt
  openssl_plugin.cc
C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\shared\ws2def.h(103,1): warning C4005: 'AF_IPX': macro redefinition [C:\mysql-8.0.27\build\router\src\openssl\src\router_openssl.vcxproj]
C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winsock.h(457): message : see previous definition of 'AF_IPX' [C:\mysql-8.0.27\build\router\src\openssl\src\router_openssl.vcxproj]
C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\shared\ws2def.h(144,1): warning C4005: 'AF_MAX': macro redefinition [C:\mysql-8.0.27\build\router\src\openssl\src\router_openssl.vcxproj]
C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winsock.h(476): message : see previous definition of 'AF_MAX' [C:\mysql-8.0.27\build\router\src\openssl\src\router_openssl.vcxproj]
C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\shared\ws2def.h(187,1): warning C4005: 'SO_DONTLINGER': macro redefinition [C:\mysql-8.0.27\build\router\src\openssl\src\router_openssl.vcxproj]
C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winsock.h(399): message : see previous definition of 'SO_DONTLINGER' [C:\mysql-8.0.27\build\router\src\openssl\src\router_openssl.vcxproj]
C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\shared\ws2def.h(240,25): error C2011: 'sockaddr': 'struct' type redefinition [C:\mysql-8.0.27\build\router\src\openssl\src\router_openssl.vcxproj]
C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\um\winsock.h(482): message : see declaration of 'sockaddr' [C:\mysql-8.0.27\build\router\src\openssl\src\router_openssl.vcxproj]
C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\shared\ws2def.h(442,5): error C2143: syntax error: missing '}' before 'constant' [C:\mysql-8.0.27\build\router\src\openssl\src\router_openssl.vcxproj]
C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\shared\ws2def.h(442,5): error C2059: syntax error: 'constant' [C:\mysql-8.0.27\build\router\src\openssl\src\router_openssl.vcxproj]
C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\shared\ws2def.h(496,1): error C2143: syntax error: missing ';' before '}' [C:\mysql-8.0.27\build\router\src\openssl\src\router_openssl.vcxproj]
C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\shared\ws2def.h(496,10): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int [C:\mysql-8.0.27\build\router\src\openssl\src\router_openssl.vcxproj]
C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\shared\ws2def.h(496,20): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int [C:\mysql-8.0.27\build\router\src\openssl\src\router_openssl.vcxproj]
...

How to repeat:
FIPS-enabled OpenSSL was compiled and installed in C:\usr\local\ssl on the same build system as MySQL 8.0.27 using the following archives:

openssl-fips-2.0.16-nosymlinks.tar.gz
openssl-1.0.2u-rearchived.tar.gz

The following cmake commands and arguments were used to compile MySQL 8.0.27:

cmake .. -G "Visual Studio 16 2019" -DDOWNLOAD_BOOST=1 -DWITH_BOOST=C:\ -DWITH_SSL=C:\usr\local\ssl -DWITH_UNIT_TESTS=OFF -DINSTALL_MYSQLTESTDIR= -DCMAKE_BUILD_TYPE=RelWithDebInfo -DWITH_ROUTER=OFF

cmake --build . --config relwithdebinfo --target package

Note that the above has been used to compile several previous versions of MySQL including 8.0.26.

Suggested fix:
Compiling without the MySQL Router using the -DWITH_ROUTER=OFF option allows the build to complete successfully without errors:

cmake .. -G "Visual Studio 16 2019" -DDOWNLOAD_BOOST=1 -DWITH_BOOST=C:\ -DWITH_SSL=C:\usr\local\ssl -DWITH_UNIT_TESTS=OFF -DINSTALL_MYSQLTESTDIR= -DCMAKE_BUILD_TYPE=RelWithDebInfo -DWITH_ROUTER=OFF -DWITH_ROUTER=OFF

cmake --build . --config relwithdebinfo --target package
[12 Nov 2021 13:50] MySQL Verification Team
Hi Mr. Steigerwald,

Thank you for your bug report.

However, when it comes to SSL libraries, please read Release Notes for the release 8.0.27, which claim loud and clear:

"
For platforms on which OpenSSL libraries are bundled, the linked OpenSSL library for MySQL Server has been updated to version 1.1.1l. Issues fixed in the new OpenSSL version are described at https://www.openssl.org/news/cl111.txt and and http://www.openssl.org/news/vulnerabilities.html. (Bug #33273138, Bug #33309871)
"

Hence, SSL libraries that you would like to use are not compatible, nor usable, with latest 8.0 releases. As far as we remember, MySQL has never supported FIPS libraries for SSL.

Unsupported.
[15 Nov 2021 18:02] Aaron Steigerwald
Hello,

I read the release notes entry you cited. I believe it means "For platforms on which OpenSSL libraries are bundled with the MySQL distribution" when it says "For platforms on which OpenSSL libraries are bundled". I successfully compiled and ran MySQL 8.0.27 on Windows with the OpenSSL 1.0.2u libraries, which is in accordance with the latest MySQL documentation:

Ensure that OpenSSL 1.0.1 or higher is installed on your system. If the installed OpenSSL version is lower than 1.0.1, CMake produces an error at MySQL configuration time. If it is necessary to obtain OpenSSL, visit http://www.openssl.org.

found here:

https://dev.mysql.com/doc/refman/8.0/en/source-ssl-library-configuration.html

Furthermore, the latest MySQL documentation includes an entire section on FIPS mode:

MySQL supports FIPS mode, if compiled using OpenSSL 1.0.2, and an OpenSSL library and FIPS Object Module are available at runtime.

found here:

https://dev.mysql.com/doc/refman/8.0/en/fips-mode.html

The following is the command and output I ran against the Windows MySQL 8.0.27 database I compiled (without the MySQL Router) using FIPS-capable OpenSSL 1.0.2u:

show variables where variable_name in ('version', 'have_openssl', 'have_ssl', 'ssl_fips_mode');
+---------------+--------+
| Variable_name | Value  |
+---------------+--------+
| version       | 8.0.27 |
| have_openssl  | YES    |
| have_ssl      | YES    |
| ssl_fips_mode | ON     |
+---------------+--------+

Please change this bugs status from "unsupported" to a more appropriate state. Or should I resubmit this bug?

Thank you,
Aaron
[17 Nov 2021 13:02] MySQL Verification Team
Hi Mr. Steigerwald,

This implies that our documentation needs an update.

If that is not sufficient, then this report will be extended to the build system as well.

Verified as a documentation request.
[17 Nov 2021 14:54] Aaron Steigerwald
Hello,

I do not believe this is a documentation issue. The only documentation update I would suggest is the 8.0.27 release note discussing bundled OpenSSL version 1.1.1l libraries previously cited. It might confuse the average reader if it confused the MySQL Bug Verification Team.

My original bug submission still stands. The MySQL Router build, which is part of the complete MySQL build, fails on Windows during the MySQL Router’s “C:/mysql-8.0.27/router/src/openssl/src/CMakeLists.txt” build step. The complete MySQL build succeeds on Windows and is fully functional, including all SSL operations, if the MySQL Router build is disabled using the “-DWITH_ROUTER=OFF” argument when generating the build scripts using cmake.

Thank you,
Aaron
[17 Nov 2021 14:56] Aaron Steigerwald
Hello again,

I changed the Category from "Documentation" to "Compiling".

Thank you,
Aaron
[9 Dec 2021 21:03] Philip Olson
Posted by developer:
 
Fixed as of the upcoming MySQL Router 8.0.28 release, and here's the proposed changelog entry from the documentation team:

On Windows, removed the openssl/*.h includes to allow tls_context.h to
include them in the correct order. This allows Router to build on Windows
with OpenSSL 1.0.x.

Thank you for the bug report.