Bug #20000
closedBackport: Fix OpenSSL.fips_mode and OpenSSL::PKey.read in OpenSSL 3 FIPS.
Description
Ruby 3.3 (master branch) includes Ruby OpenSSL library (openssl gem) to fix OpenSSL.fips_mode and OpenSSL::PKey.read in OpenSSL 3 FIPS. And I want to see the following 5 commits to fix the issues will be backported to Ruby 3.2, 3.1 and 3.0.
-
Fix OpenSSL.fips_mode in OpenSSL 3 FIPS.
https://github.com/ruby/openssl/pull/608
https://github.com/ruby/ruby/commit/678d41bc51fe31834eec0b653ba0e47de5420aa0 -
Fix OpenSSL::PKey.read in OpenSSL 3 FIPS.
The following 2 commits modify theossl_pkey_read_generic
. Maybe it's easy to combine and squash the 2 commits to 1 commit to backport. -
Enable tests in OpenSSL FIPS.
This commit is needed to run the tests properly in OpenSSL FIPS. -
ssl: use ffdhe2048 from RFC 7919 as the default DH group parameters
https://github.com/ruby/openssl/pull/674
https://github.com/ruby/ruby/commit/b6d7cdc2bad0eadbca73f3486917f0ec7a475814
Ruby and included Ruby OpenSSL (ruby/openssl) version¶
Here is the bundled ruby/openssl version for each Ruby. You can check the version number in the ext/openssl/lib/openssl/version.rb
. The only ruby/openssl version 3.2.0 includes the 5 commits above.
- Ruby 3.3
- master: 3.2.0
- Ruby 3.2:
- The brnach ruby_3_2: 3.1.0
- The latest patch version tag v3_2_2: 3.1.0
- Ruby 3.1:
- The branch ruby_3_1: 3.0.1
- The latest patch version tag v3_1_4: 3.0.1
- Ruby 3.0:
- The branch ruby_3_0: 2.2.2
- The latest patch version tag v3_0_6: 2.2.2
In my opinion, the 3 possible ways to backport are
- Include ruby/openssl 3.2.0 in Ruby 3.2, 3.1 and 3.0. I think this is the easiest option.
- If ruby/ruby only wants to use ruby/openssl only increasing patch version, we may need some work in ruby/openssl side to relase the ruby/openssl gem 3.1.z, 3.0.z and 2.2.z. I think this is the right option, and the hardest option.
- Backport the 5 commits above in ruby/ruby directly. I am not sure if this is actually an option, when the upstream ruby/openssl stable branches
maint-3.2
,maint-3.1
andmaint-3.0
don't apply the commits.
The reason why the oldest Ruby version to be backported is 3.0 is because the oldest Ruby version using OpenSSL 3 is 3.0 in CentOS 9 stream and RHEL 9 main branch, in our maintaining Linux distributions: Fedora, CentOS Stream and RHEL.
References of the patch files¶
As a reference, I would share our managing patches created from the 5 commits above in Fedora and CentOS 9 Stream.
- Fedora rawhide (f40) (rawhide branch): Based Ruby: 3.2.2:
https://src.fedoraproject.org/rpms/ruby/blob/8d5b538747717f36b6244bcdad38e41271fc7010/f/ruby.spec#_181
Patch12, 13, 14, and 15 are the patch files. - CentOS 9 Stream, Ruby 3.1 stream (stream-ruby-3.1-rhel-9.4.0 branch): Based Ruby: 3.1.2
https://gitlab.com/redhat/centos-stream/rpms/ruby/-/blob/59242d8ce8261a9759dfb2bd8db673e55061a28b/ruby.spec#L211
Patch30, 31, 32, and 33 are the patch files. - CentOS 9 Stream, default (c9s branch): Based Ruby: 3.0.4.
https://gitlab.com/redhat/centos-stream/rpms/ruby/-/blob/e0deda71a34ffef75c9f923e0e8d5ca2816fce17/ruby.spec#L279
Patch65, 66, 67, and 68 are the patch files.