Antalya 26.3: bump openssl to 3.5.6 #1651

Merged: zvonand merged 3 commits into antalya-26.3 from fix/antalya-26.3/bump-openssl-3.5.6 on Apr 24, 2026

zvonand (Collaborator) commented Apr 15, 2026

Changelog category (leave one):

  • Build/Testing/Packaging Improvement

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

Use openssl 3.5.6 (ClickHouse#102606 by @thevar1able)

CI/CD Options

Exclude tests:

  • Fast test
  • Integration Tests
  • Stateless tests
  • Stateful tests
  • Performance tests
  • All with ASAN
  • All with TSAN
  • All with MSAN
  • All with UBSAN
  • All with Coverage
  • All with Aarch64
  • All Regression
  • Disable CI Cache

Regression jobs to run:

  • Fast suites (mostly <1h)
  • Aggregate Functions (2h)
  • Alter (1.5h)
  • Benchmark (30m)
  • ClickHouse Keeper (1h)
  • Iceberg (2h)
  • LDAP (1h)
  • Parquet (1.5h)
  • RBAC (1.5h)
  • SSL Server (1h)
  • S3 (2h)
  • S3 Export (2h)
  • Swarms (30m)
  • Tiered Storage (2h)

github-actions Bot commented Apr 15, 2026

Workflow [PR], commit [5c5349e]

@zvonand zvonand merged commit dbb06d2 into antalya-26.3 Apr 24, 2026
276 of 304 checks passed
CarlosFelipeOR (Collaborator) commented May 13, 2026

QA Verification — ✅ Approved

PR #1651 (openssl 3.5.6 bump) is safe and did not introduce any regression.

This is a pure backport of an upstream patch (ClickHouse#102606) that has already been merged across all other active Altinity release branches (antalya-25.8, antalya-26.1, releases/25.3.14, releases/25.8.16) — see #1650, #1679, #1680, #1684. All failing tests in the MasterCI run 25120257717 and the PR-CI run 24862668036 are either pre-existing on antalya-26.3, not forward-ported features, or known flaky — none are caused by the openssl bump.

Summary

| Category | Tests / Jobs | Status |
|---|---|---|
| Already fixed in upstream 26.3 (QA team) | disk_level_encryption, version, settings, session_timezone, aggregate_functions_{2,3}, tiered_storage_{s3amazon,minio,s3gcs}, s3_{azure_1,minio_1,aws_s3_1,gcs_1} | ✅ Expected |
| Features not yet forward-ported to antalya-26.3 | swarms, parquet, iceberg_{1,2}, s3_export_partition (s3_export_part was cancelled, not failed) | ✅ Expected |
| Pre-existing 26.3+ failures (also fail on upstream 26.4) | /rbac/part 1/.../check supported timezones, /external user directory/.../empty server, /external user directory/.../missing server | ✅ Not caused by PR |
| Known flaky (per #1694) | 00084_external_aggregation | ✅ Not caused by PR |
| Known flaky (Integration) | test_quorum_inserts_parallel::test_parallel_quorum_actually_parallel on amd_asan, targeted | ✅ Not caused by PR |
| One-off ExpectTimeoutError (infra) | /rbac/part 3/.../check alter user add auth methods with two auth methods allowed | ✅ Not caused by PR |
| Caused by this PR | 0 | 🟢 |

Key evidence

Pre-existing 26.3+ failures — the 3 unknown tests above had zero passes on antalya-26.3 between 2026-04-13 and 2026-04-28 (every day before the PR was merged on 2026-04-29). They also fail ~100% on upstream 26.4.1.1141-alpine. On 25.x and 26.1.x they pass 100%. → A 26.3+ test/behavior issue, not openssl-related.

test_parallel_quorum_actually_parallel — the 9-fail / 1-OK pattern in Integration tests (amd_asan, targeted) is deterministic per job: the exact same pattern reproduced on PR #1741 (commits 5c3b95b on 2026-05-07 and 22f5d0f on 2026-05-12). Always [4-10] is the one that passes. The test passes on all other job configurations (arm_binary, db disk, amd_binary) on the same commit.

@CarlosFelipeOR (Collaborator)

AI audit note: This review comment was generated by AI (gpt-5.3-codex).

Audit update for PR #1651 (openssl 3.5.6 backport + TLS error-path test update):

Confirmed defects:

No confirmed defects in reviewed scope.

Coverage summary:

  • Scope reviewed: contrib/openssl submodule pointer bump, contrib/openssl-cmake/common/include/openssl/cmp.h, contrib/openssl-cmake/common/include/openssl/opensslv.h, and tests/integration/test_dictionaries_ddl/test.py secure dictionary failure assertions.
  • Categories failed: none.
  • Categories passed: call-graph and transition coverage for all changed paths; logical fault categories checked (TLS handshake alert vs TCP reset, fail-closed behavior when secure transport is unset/disabled, header-version parity with bumped openssl); C++ bug-type categories are not applicable (no C++ code changed).
  • Assumptions/limits: static audit only (no runtime execution in this pass); CI deep-report script could not be executed here because node is unavailable, so residual risk is mainly unobserved platform-specific error-string variants outside the two explicitly asserted messages.
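
Added example, not part of the PR or of any comment above: one way to automate the "header-version parity" check the audit lists, so a submodule bump cannot merge with a stale vendored `opensslv.h` (which would make the binary report a version other than the code it links). It assumes the upstream OpenSSL 3.x layout, a `VERSION.dat` file in the submodule and `OPENSSL_VERSION_MAJOR/MINOR/PATCH` macros in the header; the sample inputs are constructed, not copied from the repository.

```python
import re

# Constructed sample inputs, modelled on upstream OpenSSL 3.x file layouts.
SAMPLE_VERSION_DAT = "MAJOR=3\nMINOR=5\nPATCH=6\nPRE_RELEASE_TAG=\nBUILD_METADATA=\n"
SAMPLE_OPENSSLV_H = (
    "# define OPENSSL_VERSION_MAJOR  3\n"
    "# define OPENSSL_VERSION_MINOR  5\n"
    "# define OPENSSL_VERSION_PATCH  6\n"
    '# define OPENSSL_VERSION_PRE_RELEASE ""\n'
)
FIELDS = ("MAJOR", "MINOR", "PATCH")
DAT_RE = re.compile(r"^(MAJOR|MINOR|PATCH)=(\d+)[ \t]*$", re.M)
HDR_RE = re.compile(
    r"^[ \t]*#[ \t]*define[ \t]+OPENSSL_VERSION_(MAJOR|MINOR|PATCH)[ \t]+(\d+)[ \t]*$",
    re.M,
)


def parse_version(text, pattern, source):
    """Return (major, minor, patch); refuse input that lacks any field."""
    found = dict(pattern.findall(text))
    missing = [f for f in FIELDS if f not in found]
    if missing:
        raise ValueError(f"{source}: missing {', '.join(missing)}")
    return tuple(int(found[f]) for f in FIELDS)


def check_parity(dat_text, header_text, expected):
    """List every mismatch between submodule, vendored header and target."""
    dat = parse_version(dat_text, DAT_RE, "VERSION.dat")
    hdr = parse_version(header_text, HDR_RE, "opensslv.h")
    problems = []
    if dat != expected:
        problems.append(f"submodule is {dat}, expected {expected}")
    if hdr != expected:
        problems.append(f"vendored header is {hdr}, expected {expected}")
    return problems


if __name__ == "__main__":
    # In a checkout, read the two files from disk instead of the samples.
    for line in check_parity(SAMPLE_VERSION_DAT, SAMPLE_OPENSSLV_H, (3, 5, 6)):
        print("MISMATCH:", line)
```

A missing field raises instead of passing, so a renamed macro or a truncated file fails the check rather than silently comparing nothing.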
