Bug #12830
closed
Added by vo.x (Vit Ondruch) about 8 years ago.
Updated almost 8 years ago.
Description
What is the plan with OpenSSL 1.1.0+ support? I am asking, since per this announcement [1], the OpenSSL 1.1.0 landed today in Fedora Rawhide and Ruby CI immediately failed [2], [3]. I see that there is some upstream work on OpenSSL support [4], but I am wondering how this will be handled for stable Ruby releases?
- Status changed from Open to Assigned
- Assignee set to rhenium (Kazuki Yamaguchi)
The upstream of ext/openssl (and the current Ruby trunk) supports OpenSSL 1.1.0 (#12324), but at the same time it dropped support for OpenSSL < 0.9.8. Since adding support for OpenSSL 1.1.0 was non-trivial work due to the low compatibility, it will be hard work to backport.
Personally I think not backporting is not a problem, because the compatibility issue is not only for Ruby and thus I imagine most distributions will provide a compat package for OpenSSL 1.0.x for a while.
- Description updated (diff)
Let me quote one paragraph:
We do not want to keep 1.0.2 devel around as that could make it to look like the 1.0.2 is still fully "supported" in Fedora and there would be no incentive to switch to 1.1.0.
That basically means whatever is in Fedora already by now should be installable, but you won't be able to build any package which is not compatible with OpenSSL 1.1.0. That means that only Ruby 2.4+ would be buildable on Fedora 26. That should be OK from the Fedora distribution POV, since we try to make sure that the packages in the distribution are compatible with the Ruby version we ship, but I expect our users would also like to install older versions of Ruby.
Of course there are voices [1] that the -devel package should also be available for the compat version of OpenSSL, but this is probably still an open question ...
Ok, so now we have openssl-1.1.0b-3.fc26 as well as compat-openssl10-1.0.2j-5.fc26 (including the -devel subpackage) on Fedora Rawhide, so it should be possible to build older Ruby, but unfortunately, some other libraries fail, since they load both versions of OpenSSL into memory. For example, rubygem Typhoeus fails to pass its test suite (see [1] or build.log from [2] if the first link does not work anymore). Is there any chance to make openssl.so load the correctly versioned libssl.so?
According to the Fedora OpenSSL maintainer, there seems to be a conflict in the X509_STORE_set_ex_data symbol. The symbols which are from the latest OpenSSL should not be defined locally with the same name (unless they are static).
Yes, X509_STORE_{get,set}_ex_data() are implemented in ext/openssl/openssl_missing.c. In this specific case, applying r55074, which converted them into macros, should fix it (backport ticket: [Bug #12868]).
Thanks for the investigation. I can confirm that r55074 makes Typhoeus (and Ethon) pass its test suite.
- Status changed from Assigned to Closed
Yes, I don't expect any further action.
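A check for the kind of conflict discussed in this thread, as an added example that is not part of the original ticket or of Ruby's code: it compares the dynamic symbols an extension defines and exports with those a library exports. The `nm -D` listings are constructed samples, and the names `exported_symbols` and `shadowed` are hypothetical.

```python
import re

# Constructed sample of `nm -D` output for an extension module
# (addresses and the ossl_* helper names are made up for illustration).
EXT_NM = """\
0000000000021a40 T Init_openssl
0000000000034c10 T X509_STORE_set_ex_data
0000000000034c30 T X509_STORE_get_ex_data
0000000000035000 t ossl_helper_local
0000000000250000 B ossl_some_global
                 U X509_STORE_new
"""

# Constructed sample for the newer library, which exports the same names.
# Some nm versions append "@@VERSION" to the symbol name; the parser strips it.
LIB_NM = """\
00000000001a2b00 T X509_STORE_set_ex_data@@OPENSSL_1_1_0
00000000001a2b40 T X509_STORE_get_ex_data@@OPENSSL_1_1_0
00000000001a3000 T X509_STORE_new@@OPENSSL_1_1_0
00000000001a4000 T SSL_CTX_new@@OPENSSL_1_1_0
"""

# Optional address, one type letter, then the symbol name.
NM_LINE = re.compile(r"^(?:[0-9a-fA-F]+)?\s+([A-Za-z?-])\s+(\S+)$")


def exported_symbols(nm_output):
    """Return the names of defined, globally visible symbols in nm output."""
    names = set()
    for line in nm_output.splitlines():
        m = NM_LINE.match(line)
        if not m:
            continue
        kind, name = m.groups()
        # Uppercase type letters are global; 'U' is an undefined reference
        # (an import), which is expected and not a conflict.
        if kind.isupper() and kind != "U":
            names.add(name.split("@", 1)[0])
    return names


def shadowed(ext_nm, lib_nm):
    """Symbols the extension defines itself that the library also exports."""
    return sorted(exported_symbols(ext_nm) & exported_symbols(lib_nm))


if __name__ == "__main__":
    for name in shadowed(EXT_NM, LIB_NM):
        print("locally defined, also exported by library:", name)
```

Once the shims are macros or `static`, they no longer appear as exported definitions and the list is empty.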