Bug #15219

Backport: Ruby 2.5.X to support OpenSSL 1.1.1 and TLS 1.3

Added by jaruga (Jun Aruga) almost 2 years ago. Updated over 1 year ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -
ruby -v:
[ruby-core:89340]

Description

I would be happy if the coming Ruby 2.5.2 supported OpenSSL 1.1.1 and TLS 1.3 [1].

To do that, it seems at least the patch below has to be backported to Ruby 2.5.

net/http, net/ftp: fix session resumption with TLS 1.3
https://github.com/ruby/ruby/commit/1dfc377

And the new ruby/openssl 2.2.2 has to be bundled in Ruby 2.5.2.

Possible?
Thank you.

[1] OpenSSL 1.1.1 release note: https://www.openssl.org/blog/blog/2018/09/11/release111/

#1

Updated by jaruga (Jun Aruga) almost 2 years ago

  • Backport deleted (2.3: UNKNOWN, 2.4: UNKNOWN, 2.5: UNKNOWN)
  • Tracker changed from Bug to Feature

Updated by shevegen (Robert A. Heiler) almost 2 years ago

This would be nice indeed. I have a small gem that collects information about the
host-system (on the target computer platform; usually linux) available, and notifies
when there are more recent versions of a software available, e.g. a new gcc release,
a new m4 release, a new bison release and so forth.

I am a bit wary of upgrading openssl from openssl-1.1.0i to openssl-1.1.1 mostly
because I am never absolutely sure how well a more recent openssl may work on ruby.
And the primary reason for me to use openssl (and have ruby support it, too) is so
that I can push new gem releases of my code, actually. This was also a major reason
why I used to open issues about both openssl and readline, and I think it was nobu
who then added the "+" commandline flag to configure, to allow compilation to proceed
only if all that has been wanted has been found too (as otherwise I may have to re-compile
ruby or at the least work on this in the ext/ subdirectory, such as for readline or
openssl or zlib).

So naturally, I think it would be nice if more recent openssl versions could be
supported on the ruby 2.5.x branch too, if this will retain backwards-compatible
behaviour.

Having said that, I think after x-mas, I will be using ruby 2.6.x so it would not
be of a massive benefit to me personally.

On a side note, if it were possible, it may be helpful to notify on the ruby-doc
website which versions of a particular software are supported.

Take:

https://ruby-doc.org/stdlib/libdoc/openssl/rdoc/OpenSSL.html

This page could list which version is compatible - or at the least has
been tested. I don't know of a good way to have this automatically for
all versions, but I think it may be useful for quite a few people. (Openssl,
zlib and Readline are usually what I need to have in the local ruby version,
since it is very convenient or necessary for other things.)

I think naruse is in charge of handling both 2.6.x and 2.5.x release so perhaps
he should be asked.

#3

Updated by jaruga (Jun Aruga) almost 2 years ago

  • Subject changed from Ruby 2.5.X supporting OpenSSL 1.1.1 and TLS 1.3 to Ruby 2.5.X to support OpenSSL 1.1.1 and TLS 1.3

Updated by jaruga (Jun Aruga) almost 2 years ago

To do that, it seems at least the patch below has to be backported to Ruby 2.5.

net/http, net/ftp: fix session resumption with TLS 1.3
https://github.com/ruby/ruby/commit/1dfc377

Maybe this patch too.
config: support .include directive
https://github.com/ruby/openssl/pull/216

And optionally this patch.
test: use larger keys for SSL tests
https://github.com/ruby/openssl/pull/217

#5

Updated by jaruga (Jun Aruga) almost 2 years ago

  • Subject changed from Ruby 2.5.X to support OpenSSL 1.1.1 and TLS 1.3 to Backport: Ruby 2.5.X to support OpenSSL 1.1.1 and TLS 1.3

Updated by naruse (Yui NARUSE) almost 2 years ago

  • Backport set to 2.4: DONTNEED, 2.5: UNKNOWN
  • Status changed from Open to Closed
  • Tracker changed from Feature to Bug

Closing this so that it is tracked in the backport process.

#7

Updated by nagachika (Tomoyuki Chikanaga) over 1 year ago

  • Backport changed from 2.4: DONTNEED, 2.5: UNKNOWN to 2.4: DONTNEED, 2.5: REQUIRED

Updated by nagachika (Tomoyuki Chikanaga) over 1 year ago

Maybe this patch too.
config: support .include directive
https://github.com/ruby/openssl/pull/216

And optionally this patch.
test: use larger keys for SSL tests
https://github.com/ruby/openssl/pull/217

Hmm, these two pull requests are not yet merged in ruby/openssl, nor committed into ruby trunk.
We can backport them only after they are committed into trunk according to our stable branch management policy.

rhenium (Kazuki Yamaguchi) Could you handle these pull requests?

Updated by nagachika (Tomoyuki Chikanaga) over 1 year ago

  • Backport changed from 2.4: DONTNEED, 2.5: REQUIRED to 2.4: DONTNEED, 2.5: DONE

ruby_2_5 r67237 merged revision(s) 64234,64252.
