Bug #12830
closed
OpenSSL 1.1.0+ support?
Description
What is the plan with OpenSSL 1.1.0+ support? I am asking, since per this announcement 1, the OpenSSL 1.1.0 landed today in Fedora Rawhide and Ruby CI immediately failed 2, 3. I see that there is some upstream work on OpenSSL support 4, but I am wondering how this will be handled for stable Ruby releases?
Updated by hsbt (Hiroshi SHIBATA) over 7 years ago
- Status changed from Open to Assigned
- Assignee set to rhenium (Kazuki Yamaguchi)
Updated by rhenium (Kazuki Yamaguchi) over 7 years ago
The upstream of ext/openssl (and the current Ruby trunk) supports OpenSSL 1.1.0 (#12324), but at the same time it dropped support for OpenSSL < 0.9.8. Since adding support for OpenSSL 1.1.0 was a non-trivial work due to the low compatibility, it will be a hard work to backport
Personally I think not backporting is not a problem, because the compatibility issue is not only for Ruby and thus I imagine most distributions will provide a compat package for OpenSSL 1.0.x for a while.
Updated by nobu (Nobuyoshi Nakada) over 7 years ago
- Description updated (diff)
Updated by vo.x (Vit Ondruch) over 7 years ago
Let me quote one paragraph:
We do not want to keep 1.0.2 devel around as that could make it to look like the 1.0.2 is still fully "supported" in Fedora and there would be no incentive to switch to 1.1.0.
That basically means whatever is in Fedora already by now, should be installable, but you won't be able to build any package which is not compatible with OpenSSL 1.1.0. That means that only Ruby 2.4+ would be buildable on Fedora 26. That should be OK from Fedora distribution POV, since we try to make sure that the packages in distribution are compatible with Ruby version we ship, but I expect our users would like to install also older versions of Ruby.
Of course there are voices 1 that the -devel package should also be available for compat version of OpenSSL, but this is probably open question yet ...
Updated by vo.x (Vit Ondruch) over 7 years ago
Ok, so now we have openssl-1.1.0b-3.fc26 as well as compat-openssl10-1.0.2j-5.fc26 (including -devel subpackage) on Fedora Rawhide, so it should be possible to build older Ruby, but unfortunately, some other libraries fail, since they loads both versions of OpenSSL into memory. For example rubygem Typhoeus fails to pass its test suite (see 1 or build.log from 2 if the first link does not work anymore). Is there any chance to make openssl.so to load correctly versioned libssl.so?
Updated by vo.x (Vit Ondruch) over 7 years ago
According to Fedora OpenSSL maintainer, there seems to be conflict in X509_STORE_set_ex_data symbol. The symbols which are from latest OpenSSL should not be defined locally with the same name (unless they are static).
Updated by rhenium (Kazuki Yamaguchi) over 7 years ago
Yes, X509_STORE_{get,set}_ex_data() are implemented in ext/openssl/openssl_missing.c. In this specific case, applying r55074 that converted them into macros should fix (backport ticket: [Bug #12868]).
Updated by vo.x (Vit Ondruch) over 7 years ago
Thx for investigation. I can confirm that r55074 make the Typhoeus (and Ethon) to pass its test suite.
Updated by naruse (Yui NARUSE) over 7 years ago
This looks resolved.
Updated by vo.x (Vit Ondruch) over 7 years ago
- Status changed from Assigned to Closed
Yes, I don't expect any further action.