Bug #20000

closed

Backport: Fix OpenSSL.fips_mode and OpenSSL::PKey.read in OpenSSL 3 FIPS.

Added by jaruga (Jun Aruga) about 1 year ago. Updated about 1 year ago.

Status:
Closed
Assignee:
-
Target version:
-
[ruby-core:115339]

Description

Ruby 3.3 (master branch) includes the Ruby OpenSSL library (openssl gem) that fixes OpenSSL.fips_mode and OpenSSL::PKey.read in OpenSSL 3 FIPS. I would like the following 5 commits that fix the issues to be backported to Ruby 3.2, 3.1 and 3.0.

Ruby and included Ruby OpenSSL (ruby/openssl) version

Here is the bundled ruby/openssl version for each Ruby. You can check the version number in ext/openssl/lib/openssl/version.rb. Only ruby/openssl version 3.2.0 includes the 5 commits above.

  • Ruby 3.3
    • master: 3.2.0
  • Ruby 3.2:
    • The branch ruby_3_2: 3.1.0
    • The latest patch version tag v3_2_2: 3.1.0
  • Ruby 3.1:
    • The branch ruby_3_1: 3.0.1
    • The latest patch version tag v3_1_4: 3.0.1
  • Ruby 3.0:
    • The branch ruby_3_0: 2.2.2
    • The latest patch version tag v3_0_6: 2.2.2

In my opinion, the 3 possible ways to backport are

  1. Include ruby/openssl 3.2.0 in Ruby 3.2, 3.1 and 3.0. I think this is the easiest option.
  2. If ruby/ruby wants to use ruby/openssl with only patch version increases, we may need some work on the ruby/openssl side to release the ruby/openssl gem 3.1.z, 3.0.z and 2.2.z. I think this is the right option, and the hardest option.
  3. Backport the 5 commits above in ruby/ruby directly. I am not sure if this is actually an option, when the upstream ruby/openssl stable branches maint-3.2, maint-3.1 and maint-3.0 don't apply the commits.

The reason the oldest Ruby version to be backported is 3.0 is that the oldest Ruby version using OpenSSL 3 is 3.0, in CentOS 9 Stream and the RHEL 9 main branch, among the Linux distributions we maintain: Fedora, CentOS Stream and RHEL.

References of the patch files

As a reference, I am sharing the patches we maintain in Fedora and CentOS 9 Stream, created from the 5 commits above.

Actions #1

Updated by jaruga (Jun Aruga) about 1 year ago

  • Description updated (diff)
Actions #2

Updated by jaruga (Jun Aruga) about 1 year ago

  • Description updated (diff)
Actions #3

Updated by jaruga (Jun Aruga) about 1 year ago

  • Description updated (diff)
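
To check which side of this backport a given Ruby build is on, the following added example (not code from the issue or from ruby/openssl) compares the bundled gem version with 3.2.0 and applies the same check to the branch table above. The function and constant names are hypothetical, the library version strings are constructed, and it assumes releases after 3.2.0 keep the fixes.

```ruby
require "rubygems" # Gem::Version for correct version ordering

# From the issue: only ruby/openssl 3.2.0 carries the 5 commits.
# Assumption: releases after 3.2.0 keep them.
FIXED_GEM_VERSION = Gem::Version.new("3.2.0")

# Bundled ruby/openssl version per ruby/ruby branch, as listed in the issue.
BUNDLED = {
  "master"   => "3.2.0",
  "ruby_3_2" => "3.1.0",
  "ruby_3_1" => "3.0.1",
  "ruby_3_0" => "2.2.2",
}.freeze

# Classify a (gem version, linked library version string) pair.
# The issue only concerns builds linked against OpenSSL 3.
def fips_backport_status(gem_version, library_version)
  lib_major = library_version[/\AOpenSSL (\d+)\./, 1]&.to_i
  return :not_openssl3 unless lib_major && lib_major >= 3
  Gem::Version.new(gem_version) >= FIXED_GEM_VERSION ? :has_fixes : :needs_backport
end

# Branches from the table that still lack the fixes when built against
# OpenSSL 3 (the default library string is a constructed sample).
def branches_needing_backport(library_version = "OpenSSL 3.0.7 1 Nov 2022")
  BUNDLED.select { |_, v| fips_backport_status(v, library_version) == :needs_backport }.keys
end

# Status of the interpreter running this script, or nil without openssl.
def current_status
  require "openssl"
  { gem: OpenSSL::VERSION,
    library: OpenSSL::OPENSSL_LIBRARY_VERSION,
    status: fips_backport_status(OpenSSL::VERSION, OpenSSL::OPENSSL_LIBRARY_VERSION) }
rescue LoadError
  nil
end

if __FILE__ == $PROGRAM_NAME
  puts "branches needing backport: #{branches_needing_backport.join(', ')}"
  puts "this Ruby: #{current_status.inspect}"
end
```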