Project

General

Profile

Actions

Bug #21631

closed

Backport openssl gem bugfix releases

Bug #21631: Backport openssl gem bugfix releases

Added by Bo98 (Bo Anderson) 22 days ago. Updated 19 days ago.

Status:
Closed
Assignee:
-
Target version:
-
[ruby-core:<unknown>]

Description

The openssl gem has made new patch releases for all supported release lines in order to fix a compatibility issue with OpenSSL 3.6.0 (along with other bug fixes such as one for a segfault). Without the compatibility fix, the openssl gem is largely broken for certificate verification with OpenSSL 3.6.0, which then affects other parts of Ruby like net-http.

Ruby 3.4 PR (3.3.0 -> 3.3.1): https://github.com/ruby/ruby/pull/14792
Ruby 3.3 PR (3.2.0 -> 3.2.2): https://github.com/ruby/ruby/pull/14793

I'm not entirely sure what to do for Ruby 3.2. We can update the gem from 3.1.0 to 3.1.2 but that's perhaps out-of-scope for Ruby 3.2 being in security maintenance mode. Would cherry-picking the single compatibility fix commit be acceptable? The issue has been widely noticed already: https://github.com/ruby/openssl/issues/949

Updated by hsbt (Hiroshi SHIBATA) 22 days ago Actions #1

  • Backport changed from 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN to 3.2: REQUIRED, 3.3: REQUIRED, 3.4: REQUIRED

Thanks for filing this.

Would cherry-picking the single compatibility fix commit be acceptable? The issue has been widely noticed already: https://github.com/ruby/openssl/issues/949

Agreed. gem install fails because of OpenSSL issue is a major problem with using Ruby. I also would like to backport only https://github.com/ruby/openssl/pull/950 for that issue to Ruby 3.2.

Updated by Bo98 (Bo Anderson) 22 days ago Actions #2

Thanks for taking a look!

Ruby 3.2 PR: https://github.com/ruby/ruby/pull/14797

Updated by rhenium (Kazuki Yamaguchi) 21 days ago Actions #3

  • Backport changed from 3.2: REQUIRED, 3.3: REQUIRED, 3.4: REQUIRED to 3.2: DONE, 3.3: REQUIRED, 3.4: REQUIRED
  • Status changed from Open to Closed

Thanks for taking care of this!

@hsbt (Hiroshi SHIBATA) has merged it into ruby_3_2 at c38243e2c4e874d67b63431f9489f47ddfecdefd

Updated by Bo98 (Bo Anderson) 21 days ago Actions #5

OpenSSL::X509::V_FLAG_CRL_CHECK can make sense on cert stores with OpenSSL::X509::Store#set_default_paths but only if you have also did OpenSSL::X509::Store#add_crl as there is no such thing as a default CRL file. Calling that on DEFAULT_CERT_STORE would be mutating a global undocumented constant which is indeed very deep into private API - and also would be relying on a bug. In the future we may be able to freeze the constant: https://github.com/ruby/openssl/pull/807

Anyhow, Ruby 3.4 can be marked as done in fce44db5eb7baf1ddd2238254c3cf617fcfd1112

Updated by nagachika (Tomoyuki Chikanaga) 19 days ago Actions #6

  • Backport changed from 3.2: DONE, 3.3: REQUIRED, 3.4: REQUIRED to 3.2: DONE, 3.3: DONE, 3.4: DONE

Merged into ruby_3_3 branch at ce7aa23f97273fa181be26aec33d3c6998e203c5. Thanks for your contributions!

Actions

Also available in: PDF Atom