
fix(sqlx-cli): bump openssl minimum to 0.10.46 #4172

Open: ricochet wants to merge 1 commit into launchbadge:main from ricochet:fix-ci

@ricochet ricochet commented Feb 18, 2026

native-tls 0.2.12 calls Pkcs12::parse2() which was added in openssl 0.10.46, but declares its minimum as 0.10.29. The minimal-versions resolver picked openssl 0.10.38 (our previous lower bound), which lacks parse2.

Does your PR solve an issue?

No, this is to fix failing CI on main.

See unrelated PRs with the same build failures:

Is this a breaking change?

No

native-tls 0.2.12 calls `Pkcs12::parse2()` which was added in
openssl 0.10.46, but declares its minimum as 0.10.29. The
minimal-versions resolver picked openssl 0.10.38 (our previous
lower bound), which lacks `parse2`.

@abonander (Collaborator)

We've been talking about switching this check to use `direct-minimal-versions` instead precisely to avoid breakages like this. Does that seem like a good idea?

I've also been thinking about just deleting the `Cargo.lock` so we always test with latest versions, since it can otherwise be misleading to have one checked-in for a library project. `cargo install sqlx-cli` doesn't even use it, though passing `--locked` would.

@ricochet (Author)

This failure is a bug in native-tls. The openssl bump in this PR is a workaround, and the real fix already landed in native-tls. So it's definitely not on sqlx for the breakage here. We could also bump to 2.18 of native-tls, but I opted for a conservative fix.

Direct minimal versions would still validate that the declared lower bounds are correct without inheriting third-party bugs so it would make sense to do that if it's been a recurring issue. I'd probably do that as a separate PR. I think that'd only be the following:

```yaml
  check-minimal-versions:
    name: Check build using direct minimal versions
    runs-on: ubuntu-24.04
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@v4
      - name: Setup Rust
        run: |
          rustup show active-toolchain || rustup toolchain install
          # Nightly is needed for the unstable -Z flag below
          rustup toolchain install nightly
      # Resolve direct dependencies to their lowest allowed versions
      - run: cargo +nightly generate-lockfile -Z direct-minimal-versions
      - run: cargo build --all-features
```
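
One way to catch an under-declared bound like the one described in this PR before it surfaces as a compile error, shown as an added example that is not code from the PR or from sqlx: scan the lockfile produced by the minimal-versions run for an `openssl` older than 0.10.46, the release the PR description says added `parse2`. The lockfile excerpt and the helper names `parse_version`, `locked_packages` and `below_floor` are constructed for illustration.

```rust
// Added example: find locked crate versions older than a known real minimum.

/// Parse "major.minor.patch", ignoring pre-release/build suffixes.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// Extract (name, version) pairs from the [[package]] tables of a Cargo.lock.
fn locked_packages(lock: &str) -> Vec<(String, String)> {
    let mut out = Vec::new();
    let mut name: Option<String> = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            name = None;
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            // The top-level `version = N` line has no preceding name and is skipped.
            if let Some(n) = name.take() {
                out.push((n, v.trim_matches('"').to_string()));
            }
        }
    }
    out
}

/// Locked versions of `krate` older than `floor` (unparseable versions are flagged too).
fn below_floor(lock: &str, krate: &str, floor: &str) -> Vec<String> {
    let min = parse_version(floor).expect("floor must be major.minor.patch");
    locked_packages(lock)
        .into_iter()
        .filter(|(n, v)| n.as_str() == krate && parse_version(v).map_or(true, |pv| pv < min))
        .map(|(_, v)| v)
        .collect()
}

// Constructed lockfile excerpt (not copied from the sqlx repository).
const LOCK_BEFORE: &str = "version = 4\n\n[[package]]\nname = \"native-tls\"\nversion = \"0.2.12\"\n\n[[package]]\nname = \"openssl\"\nversion = \"0.10.38\"\n";

fn main() {
    let after = LOCK_BEFORE.replace("0.10.38", "0.10.46"); // lockfile after the bump
    println!("before: {:?}", below_floor(LOCK_BEFORE, "openssl", "0.10.46"));
    println!("after:  {:?}", below_floor(&after, "openssl", "0.10.46"));
}
```

Versions are compared as numeric tuples, so 0.10.9 correctly sorts below 0.10.46, which a plain string comparison would get wrong.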

@lephyrius

Could we just release the rustls only version?
