Antalya 26.1: bump openssl to 3.5.6 #1650

Merged
zvonand merged 1 commit into antalya-26.1 from fix/antalya-26.1/bump-openssl-3.5.6
Apr 20, 2026

@zvonand (Collaborator) commented Apr 14, 2026

Changelog category (leave one):

  • Build/Testing/Packaging Improvement

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

Use openssl 3.5.6 (ClickHouse#102606 by @thevar1able)

CI/CD Options

Exclude tests:

  • Fast test
  • Integration Tests
  • Stateless tests
  • Stateful tests
  • Performance tests
  • All with ASAN
  • All with TSAN
  • All with MSAN
  • All with UBSAN
  • All with Coverage
  • All with Aarch64
  • All Regression
  • Disable CI Cache

Regression jobs to run:

  • Fast suites (mostly <1h)
  • Aggregate Functions (2h)
  • Alter (1.5h)
  • Benchmark (30m)
  • ClickHouse Keeper (1h)
  • Iceberg (2h)
  • LDAP (1h)
  • Parquet (1.5h)
  • RBAC (1.5h)
  • SSL Server (1h)
  • S3 (2h)
  • S3 Export (2h)
  • Swarms (30m)
  • Tiered Storage (2h)

github-actions Bot commented Apr 14, 2026

Workflow [PR], commit [cde1e06]

@zvonand force-pushed the fix/antalya-26.1/bump-openssl-3.5.6 branch from ea6908a to cde1e06, April 15, 2026 12:52

@zvonand merged commit f3b77fd into antalya-26.1, Apr 20, 2026

399 of 424 checks passed

@CarlosFelipeOR (Collaborator) commented Apr 23, 2026

AI audit note: This review comment was generated by AI (claude-opus-4.7).

Audit update for PR #1650 (Antalya 26.1: bump openssl to 3.5.6)

Confirmed defects

No confirmed defects in reviewed scope.

Coverage summary

  • Scope reviewed: contrib/openssl submodule bump (200f52f -> d0f95db), contrib/openssl-cmake/common/include/openssl/cmp.h, contrib/openssl-cmake/common/include/openssl/opensslv.h, and tests/integration/test_dictionaries_ddl/test.py.
  • Categories failed: none.
  • Categories passed: submodule pin matches OpenSSL 3.5.6 fork commit; opensslv.h version/date are consistent with 3.5.6; only real new public macros in carried generated headers are OSSL_CMP_PKISTATUS_rejected_by_client and OSSL_CMP_PKISTATUS_checking_response (both included); no header set expansion between 3.5.0 and 3.5.6; include-order behavior remains consistent for .h.in-derived headers; test assertion broadening remains valid for TLS/plaintext mismatch failure mode.
  • Assumptions/limits: upstream OpenSSL internals and fork-specific sanitizer patches were not re-audited in full; this review focuses on PR-introduced integration and correctness impact in ClickHouse.

@CarlosFelipeOR (Collaborator) commented Apr 23, 2026

QA Verification

1. PR scope and risk

This PR is a clean cherry-pick of upstream ClickHouse#102606 "Use openssl 3.5.6". The diff is identical to upstream (4 files, +18/-8).

2. CI analysis

All non-success checks reviewed and accounted for:

| Check | Status | Resolution |
|---|---|---|
| RegressionTestsRelease / Swarms / swarms | FAIL | Known flaky test that the QA team is currently working on resolving — unrelated to OpenSSL. |
| RegressionTestsAarch64 / Swarms / swarms | FAIL | Same as above (Swarms suite). |
| Stateless tests (amd_binary, old analyzer, s3 storage, DatabaseReplicated, parallel) | FAIL | Single test 04034_parquet_v3_metadata_cache_no_query_context. Confirmed pre-existing flaky via DB query — fails in 27 unrelated upstream runs and 14 unrelated Altinity PRs over the last 90 days, in the same old analyzer + s3 storage + DatabaseReplicated mode combo. Same bump on antalya-26.3 (PR #1648) shows 0 failures. Not caused by this PR. |
| GrypeScanServer (-alpine) / GrypeScanKeeper | FAIL | Resolved separately by PR #1656 (libssl/libcrypto runtime image update). |

3. Post-merge validation

The post-merge run on antalya-26.1 (run 24676257273) confirms:

  • Grype scans pass after the "26.1 Antalya Update libssl and libcrypto" #1656 merge.
  • Full regression suite executed (the original PR run had only a subset of regression jobs enabled). All TLS-relevant suites passed, including the ones recommended for an OpenSSL bump: SSL Server, ClickHouse Keeper, LDAP, S3 / S3 Export, Iceberg, Parquet, Swarms, etc.

Conclusion

QA verification approved. The bump is a low-risk security maintenance change, the CI noise has been fully attributed to known flakies and a separate (already merged) image-layer fix, and the post-merge full regression run is green.

Adding verified label.

@CarlosFelipeOR added the verified (Approved for release) label Apr 23, 2026