<p><strong>Ruby master - Misc #12532: OpenSSL is so Difficult to find for Ruby Build Scripts that it Introduces a Security flaw</strong><br>
<a href="https://bugs.ruby-lang.org/issues/12532" class="external">https://bugs.ruby-lang.org/issues/12532</a></p>
<p><em>martin_vahi (Martin Vahi) wrote on 2016-06-29T10:14:06Z</em> (<a href="https://bugs.ruby-lang.org/issues/12532?journal_id=59411" class="external">journal 59411</a>):</p>
<p>Actually, build scripts might try to<br>
use the operating system version of the OpenSSL<br>
and if they fail to use the operating system<br>
version, then they should use the embedded<br>
OpenSSL source as a backup option.</p>
<p><em>darix (Marcus Rückert) wrote on 2016-06-29T10:23:17Z</em> (<a href="https://bugs.ruby-lang.org/issues/12532?journal_id=59412" class="external">journal 59412</a>):</p>
<p>You don't want to ship an in-tree copy of OpenSSL.</p>
<p>The proper solution is that people should use their package manager and <em>understand</em> how to use them.</p>
<p>Maybe we should make Ruby's build hard-fail when linking OpenSSL fails.</p>
<p><em>rhenium (Kazuki Yamaguchi) wrote on 2016-06-29T13:13:09Z</em> (<a href="https://bugs.ruby-lang.org/issues/12532?journal_id=59415" class="external">journal 59415</a>):</p>
<ul><li><strong>Status</strong> changed from <i>Open</i> to <i>Rejected</i></li></ul><p>Martin Vahi wrote:</p>
<blockquote>
<p>The result is that people do</p>
<p><a href="http://stackoverflow.com/a/25186429" class="external">http://stackoverflow.com/a/25186429</a></p>
<pre><code>gem source -r https://rubygems.org/
gem source -a http://rubygems.org/
</code></pre>
<p>leading to simplified man-in-the-middle attacks.<br>
Gems have build/installation scripts and the rest<br>
is, if not history, then the future.</p>
</blockquote>
<pre><code>$ gem install <something>
Error: while executing gem (Gem::Exception)
Unable to require openssl. install openSSL and rebuilt ruby (preferred) or use non HTTPs sources
</code></pre>
<p>The error message clearly says that rebuilding Ruby with ext/openssl is preferred. It is the responsibility of the user not to follow that.</p>
<blockquote>
<p>I state that an out-dated OpenSSL in the Ruby<br>
installation is far better than no OpenSSL at all.<br>
Therefore it is beneficial to embed a copy of<br>
the OpenSSL to the Ruby source, so that it<br>
gets built and is robustly available regardless<br>
of the operating system peculiarities.</p>
</blockquote>
<p>I don't think so. A broken OpenSSL doesn't improve security at all. Since OpenSSL (or LibreSSL) is usually already installed on the system, the real problem is that the user is not passing a correct <code>--with-openssl-dir</code> to the configure script, or the user just forgets to install the header files.</p>
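<p>As an added example (not from the ticket, and not Ruby's or RubyGems' own code), a small Ruby script that checks the two conditions this thread turns on: whether <code>ext/openssl</code> was built into the running Ruby, and whether any configured gem source has been downgraded to plain <code>http://</code> as in the quoted StackOverflow answer. The function names are my own; only <code>Gem.sources</code>, <code>URI</code> and <code>OpenSSL::OPENSSL_LIBRARY_VERSION</code> come from Ruby.</p>

```ruby
# Added example, not from the ticket or from Ruby: audit a Ruby install for
# the situation discussed above, a missing ext/openssl that tempts users to
# switch their gem sources to plain http.
require 'rubygems'
require 'uri'

# Load ext/openssl the way `gem install` does. Returns the version string of
# the OpenSSL library Ruby was linked against, or nil when the extension was
# not built (the "Unable to require openssl" case from the error message).
def openssl_status
  require 'openssl'
  OpenSSL::OPENSSL_LIBRARY_VERSION
rescue LoadError
  nil
end

# Classify each gem source by URI scheme. Only https sources give the
# downloaded gems transport protection; http is exactly the downgrade the
# quoted StackOverflow answer recommends.
def classify_sources(sources)
  sources.map do |src|
    scheme = begin
      URI.parse(src).scheme
    rescue URI::InvalidURIError
      nil
    end
    verdict = case scheme
              when 'https' then :ok
              when 'http'  then :insecure
              when 'file'  then :local
              else :unknown
              end
    [src, verdict]
  end
end

# Sources an on-path attacker could use to serve a tampered gem.
def insecure_sources(sources)
  classify_sources(sources).select { |_, verdict| verdict == :insecure }.map(&:first)
end

if $PROGRAM_NAME == __FILE__
  version = openssl_status
  puts(version ? "openssl: #{version}" : 'openssl: missing, rebuild Ruby with --with-openssl-dir')
  sources = Gem.sources.to_a # configured gem sources as URI strings
  classify_sources(sources).each { |src, verdict| puts "#{verdict.to_s.ljust(8)} #{src}" }
  puts "#{insecure_sources(sources).size} insecure source(s)"
end
```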