oqs-epiphany not working / maintainer sought #266
Local build of oqs-epiphany is not correctly working. Neither is the latest (0.9.2) image at Docker Hub. This requires a serious review of the changes in the underlying code base, most likely |
Came here to make this ticket, but see that it's already reported 👍 ... Just as an extra data point, the only openquantumsafe/epiphany image that I'm able to get any successful handling of PQC certificates with is 0.7.2 (this is hitting sites with Dilithium & Falcon certs hosted by the latest openquantumsafe/nginx image). 0.8.0 and onwards all fail with any PQC certs for every algorithm:
|
Yup - I'm painfully aware of this. When looking into this, I got stymied by a crash of the Docker image on my machine and have not found the time to look into this more deeply. If you'd be able to do some "digging", I'd be really grateful, @isaleh-sb. In general, running the command |
I don't know much about build systems but I did figure out the following:
doesn't work, yet
does. I don't know enough about build configurations to know the difference, but maybe this is useful to you. |
I've got it! The openssl version that is installed before liboqs is installed needs to be 3.2 or higher. 3.1 or lower (the default Ubuntu libssl-dev is 3.0.3 I believe) doesn't work. To illustrate, this doesn't work:
yet the same script with branch openssl-3.2 does. In a similar vein, moving the openssl install after the oqs provider install breaks it as well, so this seems to imply it's the version of openssl that is used to install the oqs-provider that matters. So by swapping my oqs install commands to the ones shown above (+ some other config), I managed to get my Dockerfile to handle signatures correctly. Maybe it would be smart to use the fullbuild script in the oqs-epiphany demo to circumvent this |
Thanks for letting us know!
Sounds like a good suggestion. Would you feel like contributing a PR to facilitate that? |
I'd love to, but I can't actually run the default image so I can't test it ^^ The only Linux machines I have are on VMs and those don't like the display streaming through Docker that this uses |
Oh, and this change did manage to make openssl work on my branch, but epiphany still didn't do the signatures properly for some reason |
Now I'm confused: Didn't you say before signatures work OK with 3.2:
The latter is (for openssl) entirely expected: See https://github.com/open-quantum-safe/oqs-provider?tab=readme-ov-file#note-on-openssl-versions (some provider-sig-enabling PRs didn't get backported to older OpenSSL versions). |
Yeah, so openssl did the signatures correctly, but epiphany did not. This could be because my fix was bad, as I am not an expert on the networking epiphany uses. I'll see if I can get a Dockerfile that shows this. |
Yeah, I think I might be putting the provider in the wrong place or something. This is my code where openssl works fine but the epiphany doesn't.
with this, |
#298 will be marking epiphany as deprecated, but I believe we should leave this issue open to allow new contributors to potentially "un-deprecate" epiphany and update it to working order |
Also, the epiphany (browser) image in your composition properly operates `openssl` and `oqsprovider` when logging in to it via `docker exec`, e.g.

"Just" when putting the two things together, i.e., using the known-good local `openssl` code against the known-good `oqs-httpd`, things fail:

`oqs-epiphany` then not working is a logical consequence. But the issue is somewhere else. Will need to debug into this...

Originally posted by @baentsch in #265 (comment)
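The two conditions discussed in this thread (OpenSSL 3.2 or higher in place when oqs-provider is built, and `oqsprovider` visible to `openssl` inside the image) can be checked together with a small script. This is an added example, not code from the thread or from the oqs-demos repository; the function names are hypothetical, and it assumes the `openssl` on PATH is the one oqs-provider was built against.

```shell
#!/bin/sh
# Added example: sanity check for an image that should handle PQC signatures.
# Assumption: `openssl` on PATH is the build oqs-provider was compiled against.
MIN_MAJOR=3   # the thread reports 3.2 or higher works, 3.1 or lower does not
MIN_MINOR=2

# Print "<major> <minor>" for a line such as "OpenSSL 3.2.1 30 Jan 2024".
parse_openssl_version() {
    parsed=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$parsed" ] || return 1
    printf '%s\n' "$parsed"
}

# Status 0: version >= 3.2; 1: too old; 2: not an OpenSSL version line.
openssl_version_ok() {
    ver=$(parse_openssl_version "$1") || return 2
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -gt "$MIN_MAJOR" ]; then return 0; fi
    if [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -ge "$MIN_MINOR" ]; then
        return 0
    fi
    return 1
}

# True when the text printed by `openssl list -providers` names oqsprovider.
provider_listed() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*oqsprovider[[:space:]]*$'
}

# Combined check; $1 is the version line, $2 the provider listing.
check_pqc_stack() {
    openssl_version_ok "$1" || {
        echo "OpenSSL >= $MIN_MAJOR.$MIN_MINOR required, got: $1" >&2
        return 1
    }
    provider_listed "$2" || {
        echo "oqsprovider is not in the provider list" >&2
        return 1
    }
}

# Query the local installation only when asked to: ./check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_pqc_stack "$(openssl version)" "$(openssl list -providers 2>/dev/null)"
fi
```

Run it with `--live` inside the container (for instance through `docker exec`) to test the installed stack; a passing result covers only the `openssl` side and says nothing about whether epiphany's own TLS path picks up the provider.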