Feature #20960
Updated by sachiang (Samuel Chiang) 1 day ago
Hello, I’m an engineer at AWS working on [AWS-LC](https://github.com/aws/aws-lc), AWS’s open-source cryptographic library maintained for AWS and their customers. AWS-LC supports CPU-specific performance optimizations for AWS Graviton 2, [AWS Graviton 3](https://github.com/aws/aws-lc/commit/ae87faf735c0241a115542b1c1022d125564bf55), and [Intel x86-64 with AVX-512 instructions](https://github.com/aws/aws-lc/commit/e22cf5065761bec8882c66cea94a9320bc8c0334). We’ve formally verified [a subset of](https://github.com/awslabs/aws-lc-verification#verified-code) AWS-LC’s cryptographic primitives, and continue to invest in expanding this coverage. AWS-LC can be also built in [FIPS mode](https://aws.amazon.com/blogs/security/aws-lc-fips-3-0-first-cryptographic-library-to-include-ml-kem-in-fips-140-3-validation/) FIPS mode to help consumers meet FIPS 140-3 compliance requirements. To give Ruby users a well-documented and supported way to take advantage of these investments, we would like to upstream build compatibility for AWS-LC into Ruby. We believe that this would provide the best experience for users wishing to build Ruby against AWS-LC. It would also allow users to circumvent maintaining and applying their own patch sets to build Ruby with AWS-LC. Earlier this year, we[engaged with the CPython maintainers](https://discuss.python.org/t/support-building-ssl-and-hashlib-modules-against-aws-lc/44505) to successfully address similar needs for our respective users. We are working on patch sets to integrate Ruby‘s OpenSSL module with AWS-LC. AWS-LC is committed to backwards compatibility and we aim to keep our API stable. Our open source repository has CI jobs ([here](https://github.com/aws/aws-lc/tree/main/tests/ci/integration) and [here](https://github.com/aws/aws-lc/blob/main/.github/workflows/integrations.yml)) asserting every change’s compatibility with multiple different open-source projects. We’ve [recently added Ruby 3.1 and 3.2](https://github.com/aws/aws-lc/commit/57133c00c71f9a6790c7c9d9a63ab883a7e607cf) to this test suite and we’re in the midst of incorporating Ruby’s main branch and 3.3. These tests are used to catch compatibility regressions against every change before they’re merged and to resolve potential build issues beforehand when upstream projects make relevant changes. Relevant unit tests from the upstream projects’ are also ran to confirm that the underlying `libcrypto` & `libssl` behave as expected. By expanding our regular testing processes to include Ruby, we proactively prevent any unanticipated breaks in the Ruby/AWS-LC build. The proposed integration supports all features of Ruby’s OpenSSL module, except for the use of DHE cipher suites in `libssl`. Excluding this, we have confirmed that all relevant unit tests for Ruby’s OpenSSL module perform as expected. If you folks agree that this integration would be beneficial for Ruby and its consumers, I’d be more than happy to put together a PR.