Ability to build both SSL variants

Signed-off-by: Jonh Wendell <[email protected]>

Author: jwendell

.bazelrc

@@ -599,4 +599,6 @@ try-import %workspace%/clang.bazelrc
 try-import %workspace%/user.bazelrc
 try-import %workspace%/local_tsan.bazelrc
 
-import %workspace%/openssl/bazelrc
+# OpenSSL-specific configuration (use with --config=openssl)
+# To use the default BoringSSL backend, simply don't specify this config
+try-import %workspace%/openssl/openssl.bazelrc

.github/workflows/envoy-openssl.yml

@@ -22,10 +22,33 @@ jobs:
       ${{ github.repository == 'envoyproxy/envoy-openssl' }}
     steps:
     - name: Free disk space
-      uses: envoyproxy/toolshed/gh-actions/[email protected].23
+      uses: envoyproxy/toolshed/gh-actions/[email protected].28
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
     - run: |
         ./ci/run_envoy_docker.sh './ci/do_ci.sh gcc //test/...'
+      env:
+        BAZEL_BUILD_EXTRA_OPTIONS: >-
+          --config=remote-envoy-engflow
+          --config=bes-envoy-engflow
+          --config=remote-ci
+          --config=openssl
+        ENVOY_RBE: 1
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  boringssl:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 180
+    permissions:
+      contents: read
+      packages: read
+    if: >-
+      ${{ github.repository == 'envoyproxy/envoy-openssl' }}
+    steps:
+    - name: Free disk space
+      uses: envoyproxy/toolshed/gh-actions/[email protected]
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+    - run: |
+        ./ci/run_envoy_docker.sh './ci/do_ci.sh dev //test/...'
       env:
         BAZEL_BUILD_EXTRA_OPTIONS: >-
           --config=remote-envoy-engflow

SSL_BACKEND_SELECTION.md

@@ -0,0 +1,140 @@
+# SSL Backend Selection Support
+
+This document describes how to build Envoy with either BoringSSL (upstream default) or OpenSSL (via bssl-compat).
+
+## Overview
+
+The build system now supports selecting between two SSL backends:
+- **BoringSSL** (default) - The upstream SSL library used by Envoy
+- **OpenSSL** (via bssl-compat) - OpenSSL 3.0.x with a BoringSSL compatibility layer
+
+## Usage
+
+### Building with BoringSSL (Default)
+
+Simply build as normal without any special flags:
+
+```bash
+bazel build //source/exe:envoy-static
+```
+
+### Building with OpenSSL
+
+Use the `--config=openssl` flag (recommended):
+
+```bash
+bazel build --config=openssl //source/exe:envoy-static
+```
+
+This automatically:
+- Sets `--define=ssl=openssl` to select the OpenSSL backend
+- Adds `-DENVOY_SSL_OPENSSL` compiler flag
+- Disables QUIC/HTTP3 support
+- Restricts tests to IPv4 only
+
+Alternatively, you can use just the define flag (not recommended as it doesn't apply other OpenSSL-specific settings):
+
+```bash
+bazel build --define=ssl=openssl //source/exe:envoy-static
+```
+
+## Implementation Details
+
+### Build System Changes
+
+1. **Config Settings** (`bazel/BUILD`):
+   - Added `ssl_openssl` config_setting for `--define=ssl=openssl`
+   - Added `ssl_boringssl` config_setting for `--define=ssl=boringssl`
+
+2. **Aliases** (`bazel/BUILD`):
+   - `//bazel:boringssl` now conditionally points to either `@boringssl//:ssl` or `@bssl-compat//:ssl`
+   - `//bazel:boringcrypto` now conditionally points to either `@boringssl//:crypto` or `@bssl-compat//:crypto`
+
+3. **Dependencies** (`bazel/repositories.bzl`):
+   - Both BoringSSL and OpenSSL (via bssl-compat) are loaded
+   - Selection happens at build time via the aliases
+
+4. **Helper Function** (`bazel/envoy_select.bzl`):
+   - Added `envoy_select_ssl()` for conditional compilation based on SSL backend
+   - Example: `envoy_select_ssl(if_openssl = [...], if_boringssl = [...])`
+
+5. **Preprocessor Defines**:
+   - When `ssl=openssl` is set, `-DENVOY_SSL_OPENSSL` is added to compilation flags
+   - This allows source code to conditionally compile OpenSSL-specific code
+
+### Source Code Changes
+
+OpenSSL-specific code is wrapped with `#ifdef ENVOY_SSL_OPENSSL`:
+
+1. **SSL Socket** (`source/common/tls/ssl_socket.cc`):
+   - EAGAIN handling in `SSL_ERROR_SSL` cases
+
+2. **Context Implementation** (`source/common/tls/context_impl.cc`):
+   - Disabled `SSL_CTX_set_reverify_on_resume()` (not in bssl-compat)
+   - Disabled `SSL_was_key_usage_invalid()` (not in bssl-compat)
+
+3. **BIO Handling** (`source/common/tls/io_handle_bio.cc`):
+   - Added `io_handle_new()` and `io_handle_free()` for OpenSSL
+   - Added BIO control commands for OpenSSL
+
+4. **Version Reporting** (`source/common/version/BUILD`):
+   - Reports "OpenSSL" or "BoringSSL" based on build configuration
+
+### Configuration Files
+
+The `openssl/bazelrc` file automatically:
+- Sets `--define=ssl=openssl`
+- Adds `-DENVOY_SSL_OPENSSL` compiler flag
+- Disables QUIC/HTTP3 support
+- Restricts tests to IPv4 only
+
+## Test Considerations
+
+Some tests have different expectations for OpenSSL vs BoringSSL:
+- TLS fingerprints may differ
+- Cipher suite ordering may differ
+- Alert codes may differ
+
+Tests should use `#ifdef ENVOY_SSL_OPENSSL` to adjust expectations accordingly.
+
+## Migration Guide
+
+### For Users
+
+- To use BoringSSL: No changes needed (default behavior)
+- To use OpenSSL: Add `--define=ssl=openssl` to your build commands
+
+### For Developers
+
+When adding SSL-related code:
+
+1. **If the code works with both backends**: No special handling needed
+
+2. **If the code is OpenSSL-specific**: Wrap it with:
+   ```cpp
+   #ifdef ENVOY_SSL_OPENSSL
+   // OpenSSL-specific code here
+   #endif
+   ```
+
+3. **If the code is BoringSSL-specific**: Wrap it with:
+   ```cpp
+   #ifndef ENVOY_SSL_OPENSSL
+   // BoringSSL-specific code here
+   #endif
+   ```
+
+4. **For conditional build dependencies**: Use `envoy_select_ssl()` in BUILD files:
+   ```python
+   deps = [...] + envoy_select_ssl(
+       if_openssl = ["//openssl/specific:dep"],
+       if_boringssl = ["//boringssl/specific:dep"],
+   )
+   ```
+
+## Limitations
+
+When building with OpenSSL:
+- QUIC/HTTP3 support is disabled (OpenSSL doesn't provide QUIC implementation)
+- Some BoringSSL-specific APIs are not available
+- Test coverage may differ from BoringSSL builds

bazel/BUILD

@@ -497,6 +497,16 @@ config_setting(
     values = {"define": "boringssl=disabled"},
 )
 
+config_setting(
+    name = "ssl_openssl",
+    values = {"define": "ssl=openssl"},
+)
+
+config_setting(
+    name = "ssl_boringssl",
+    values = {"define": "ssl=boringssl"},
+)
+
 selects.config_setting_group(
     name = "boringssl_fips_x86",
     match_all = [
@@ -559,15 +569,21 @@ config_setting(
     values = {"define": "uhv=enabled"},
 )
 
-# Alias pointing to the selected version of BoringSSL:
+# Alias pointing to the selected SSL implementation (BoringSSL or OpenSSL via bssl-compat):
 alias(
     name = "boringssl",
-    actual = "@envoy//bssl-compat:ssl"
+    actual = select({
+        ":ssl_openssl": "@bssl-compat//:ssl",
+        "//conditions:default": "@boringssl//:ssl",
+    }),
 )
 
 alias(
     name = "boringcrypto",
-    actual = "@envoy//bssl-compat:crypto"
+    actual = select({
+        ":ssl_openssl": "@bssl-compat//:crypto",
+        "//conditions:default": "@boringssl//:crypto",
+    }),
 )
 
 config_setting(

bazel/envoy_build_system.bzl

@@ -45,6 +45,7 @@ load(
     _envoy_select_hot_restart = "envoy_select_hot_restart",
     _envoy_select_nghttp2 = "envoy_select_nghttp2",
     _envoy_select_signal_trace = "envoy_select_signal_trace",
+    _envoy_select_ssl = "envoy_select_ssl",
     _envoy_select_static_extension_registration = "envoy_select_static_extension_registration",
     _envoy_select_wasm_cpp_tests = "envoy_select_wasm_cpp_tests",
     _envoy_select_wasm_rust_tests = "envoy_select_wasm_rust_tests",
@@ -256,6 +257,7 @@ envoy_select_hot_restart = _envoy_select_hot_restart
 envoy_select_nghttp2 = _envoy_select_nghttp2
 envoy_select_enable_http_datagrams = _envoy_select_enable_http_datagrams
 envoy_select_signal_trace = _envoy_select_signal_trace
+envoy_select_ssl = _envoy_select_ssl
 envoy_select_wasm_cpp_tests = _envoy_select_wasm_cpp_tests
 envoy_select_wasm_rust_tests = _envoy_select_wasm_rust_tests
 envoy_select_wasm_v8 = _envoy_select_wasm_v8

bazel/envoy_select.bzl

@@ -20,6 +20,13 @@ def envoy_select_boringssl(if_fips, default = None, if_disabled = None):
         "//conditions:default": default or [],
     })
 
+# Selects the given values based on the SSL backend (BoringSSL or OpenSSL).
+def envoy_select_ssl(if_openssl, if_boringssl = None, repository = ""):
+    return select({
+        repository + "//bazel:ssl_openssl": if_openssl,
+        "//conditions:default": if_boringssl or [],
+    })
+
 # Selects the given values if Google gRPC is enabled in the current build.
 def envoy_select_google_grpc(xs, repository = ""):
     return select({

bazel/repositories.bzl

@@ -136,16 +136,20 @@ def envoy_dependencies(skip_targets = []):
     # Setup external Bazel rules
     _foreign_cc_dependencies()
 
+    # Load both SSL backends - the actual one used is selected via --define=ssl=<boringssl|openssl>
+    _boringssl()
+    _boringssl_fips()
     _openssl()
 
-    # Binding to an alias pointing to the bssl-compat layer
+    # Binding to an alias that selects between BoringSSL and OpenSSL via bssl-compat
+    # The selection is made in //bazel:boringssl and //bazel:boringcrypto aliases
     native.bind(
         name = "ssl",
-        actual = "@envoy//bssl-compat:ssl",
+        actual = "@envoy//bazel:boringssl",
     )
     native.bind(
         name = "crypto",
-        actual = "@envoy//bssl-compat:crypto",
+        actual = "@envoy//bazel:boringcrypto",
     )
 
     # The long repo names (`com_github_fmtlib_fmt` instead of `fmtlib`) are

bssl-compat/WORKSPACE

@@ -0,0 +1 @@
+workspace(name = "bssl_compat")

openssl/bazelrc

@@ -0,0 +1,34 @@
+# This file is sourced from %workspace%/.bazelrc, and includes additional
+# configuration specific to building envoy on openssl/bssl-compat
+# Use with: bazel build --config=openssl ...
+
+#build:openssl:clang --linkopt=-latomic
+
+# Select OpenSSL as the SSL backend instead of BoringSSL
+common:openssl --define=ssl=openssl
+
+# Define ENVOY_SSL_OPENSSL for preprocessor conditionals in source code
+build:openssl --copt=-DENVOY_SSL_OPENSSL
+build:openssl --host_copt=-DENVOY_SSL_OPENSSL
+
+test:openssl --test_env=ENVOY_IP_TEST_VERSIONS=v4only
+
+# As of today we do not support QUIC/HTTP3, hence we exclude it from the build, always.
+# Unfortunately, just setting //bazel:http3=False, is not enough to achieve this.
+# Instead, we also have to use boringssl=fips define and filter on the nofips tag.
+# This is based on the fact that the FIPS version of BoringSSL doesn't provide enough
+# of the functions required to build the QUIC implementation provided by Quiche i.e. if
+# we say that we are using the FIPS version of BoringSSL, then all the QUIC support is
+# excluded from the build.
+common:openssl --//bazel:http3=False
+common:openssl --define=boringssl=fips
+build:openssl --build_tag_filters=-nofips
+test:openssl --test_tag_filters=-nofips
+
+# Arch-specific build flags for OpenSSL builds, triggered with --config=$ARCH in bazel build command
+build:openssl:s390x --//source/extensions/filters/common/lua:luajit2=1 --copt=-DTOOLCHAIN_MISS_ASM_HWCAP_H --host_copt=-DTOOLCHAIN_MISS_ASM_HWCAP_H --action_env=BAZEL_LINKLIBS=-lstdc++
+build:openssl:ppc --//source/extensions/filters/common/lua:luajit2=1 --copt=-DTOOLCHAIN_MISS_ASM_HWCAP_H --host_copt=-DTOOLCHAIN_MISS_ASM_HWCAP_H --action_env=BAZEL_LINKLIBS=-lstdc++
+
+# LLVM paths for bssl-compat prefixer tool (only needed for OpenSSL builds)
+common:openssl --action_env=Clang_DIR=/opt/llvm
+common:openssl --action_env=LLVM_DIR=/opt/llvm