Project

General

Profile

Actions

Bug #15219

closed

Backport: Ruby 2.5.X to support OpenSSL 1.1.1 and TLS 1.3

Added by jaruga (Jun Aruga) over 5 years ago. Updated about 5 years ago.

Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
[ruby-core:89340]

Description

I would be happy that the coming Ruby 2.5.2 would support OpenSSL 1.1.1 and TLS 1.3 [1].

To do that, it seems at least below patch has to be backported to Ruby 2.5.

net/http, net/ftp: fix session resumption with TLS 1.3
https://github.com/ruby/ruby/commit/1dfc377

And new ruby/openssl 2.2.2 has to be bundled in the Ruby 2.5.2.

Possible?
Thank you.

[1] OpenSSL 1.1.1 release note: https://www.openssl.org/blog/blog/2018/09/11/release111/

Actions #1

Updated by jaruga (Jun Aruga) over 5 years ago

  • Tracker changed from Bug to Feature
  • Backport deleted (2.3: UNKNOWN, 2.4: UNKNOWN, 2.5: UNKNOWN)

Updated by shevegen (Robert A. Heiler) over 5 years ago

This would be nice indeed. I have a small gem that collects information about the
host-system (on the target computer platform; usually linux) available, and notifies
when there are more recent versions of a software available, e. g. a new gcc release,
a new m4 release, a new bison release and so forth.

I am a bit wary of upgrading openssl from openssl-1.1.0i to openssl-1.1.1 mostly
because I am never absolutely sure how well a more recent openssl may work on ruby.
And the primary reason for me to use openssl (and have ruby support it, too) is so
that I can push new gem releases of my code, actually. This was also a major reason
why I used to open issues about both openssl and readline, and I think it was nobu
who then added the "+" commandline flag to configure, to allow compilation to proceed
only if all that has been wanted, been found too (as otherwise I may have to re-compile
ruby or at the least work on this in the ext/ subdirectory, such as for readline or
openssl or zlib).

So naturally, I think it would be nice if more recent openssl versions could be
supported on the ruby 2.5.x branch too, if this will retain backwards-compatible
behaviour.

Having said that, I think after x-mas, I will be using ruby 2.6.x so it would not
be of a massive benefit to me personally.

On a side note, if it were possible, it may be helpful to notify on the ruby-doc
website which versions of a particular software is supported.

Take:

https://ruby-doc.org/stdlib/libdoc/openssl/rdoc/OpenSSL.html

This page could list which version is compatible - or at the least has
been tested. I don't know of a good way to have this automatically for
all versions, but I think it may be useful for quite a few people. (Openssl,
zlib and Readline are usually what I need to have in the local ruby version,
since it is very convenient or necessary for other things.)

I think naruse is in charge of handling both 2.6.x and 2.5.x release so perhaps
he should be asked.

Actions #3

Updated by jaruga (Jun Aruga) over 5 years ago

  • Subject changed from Ruby 2.5.X supporting OpenSSL 1.1.1 and TLS 1.3 to Ruby 2.5.X to support OpenSSL 1.1.1 and TLS 1.3

Updated by jaruga (Jun Aruga) over 5 years ago

To do that, it seems at least below patch has to be backported to Ruby 2.5.

net/http, net/ftp: fix session resumption with TLS 1.3
https://github.com/ruby/ruby/commit/1dfc377

Maybe this patch too.
config: support .include directive
https://github.com/ruby/openssl/pull/216

And optionally this patch.
test: use larger keys for SSL tests
https://github.com/ruby/openssl/pull/217

Actions #5

Updated by jaruga (Jun Aruga) over 5 years ago

  • Subject changed from Ruby 2.5.X to support OpenSSL 1.1.1 and TLS 1.3 to Backport: Ruby 2.5.X to support OpenSSL 1.1.1 and TLS 1.3

Updated by naruse (Yui NARUSE) over 5 years ago

  • Tracker changed from Feature to Bug
  • Status changed from Open to Closed
  • Backport set to 2.4: DONTNEED, 2.5: UNKNOWN

Close to be on tracking on backport process.

Actions #7

Updated by nagachika (Tomoyuki Chikanaga) about 5 years ago

  • Backport changed from 2.4: DONTNEED, 2.5: UNKNOWN to 2.4: DONTNEED, 2.5: REQUIRED

Updated by nagachika (Tomoyuki Chikanaga) about 5 years ago

Maybe this patch too.
config: support .include directive
https://github.com/ruby/openssl/pull/216

And optionally this patch.
test: use larger keys for SSL tests
https://github.com/ruby/openssl/pull/217

Hmm, these two pull requests are not merged yet in ruby/openssl and neither committed into ruby trunk.
We can backport them only after they are committed into trunk according to our stable branch management policy.

@rhenium (Kazuki Yamaguchi) Could you handle these pull requests?

Updated by nagachika (Tomoyuki Chikanaga) about 5 years ago

  • Backport changed from 2.4: DONTNEED, 2.5: REQUIRED to 2.4: DONTNEED, 2.5: DONE

ruby_2_5 r67237 merged revision(s) 64234,64252.

Actions

Also available in: Atom PDF

Like0
Like0Like0Like0Like0Like0Like0Like0Like0Like0