Bug #20000
Updated by jaruga (Jun Aruga) 6 months ago
Ruby 3.3 (master branch) includes Ruby OpenSSL library (openssl gem) to fix OpenSSL.fips_mode and OpenSSL::PKey.read in OpenSSL 3 FIPS. And I want to see the following 5 commits to fix the issues will be backported to Ruby 3.2, 3.1 and 3.0.
* Fix OpenSSL.fips_mode in OpenSSL 3 FIPS.
https://github.com/ruby/openssl/pull/608
https://github.com/ruby/ruby/commit/678d41bc51fe31834eec0b653ba0e47de5420aa0
* Fix OpenSSL::PKey.read in OpenSSL 3 FIPS.
The following 2 commits modify the `ossl_pkey_read_generic`. Maybe it's easy to combine and squash the 2 commits to 1 commit to backport.
* https://github.com/ruby/openssl/pull/615
https://github.com/ruby/ruby/commit/2a4834057b30a26c38ece3961b370c0b2ee59380
* https://github.com/ruby/openssl/pull/669
https://github.com/ruby/ruby/commit/b0ec1db8a72c530460abd9462ac75845362886bd
* Enable tests in OpenSSL FIPS.
This commit is needed to run the tests properly in OpenSSL FIPS.
* https://github.com/ruby/openssl/pull/615
https://github.com/ruby/ruby/commit/920bc71284f417f9044b0dc1822b1d29a8fc61e5
* ssl: use ffdhe2048 from RFC 7919 as the default DH group parameters
https://github.com/ruby/openssl/pull/674
https://github.com/ruby/ruby/commit/b6d7cdc2bad0eadbca73f3486917f0ec7a475814
## Ruby and included Ruby OpenSSL (ruby/openssl) version
Here is the bundled ruby/openssl version for each Ruby. You can check the version number in the `ext/openssl/lib/openssl/version.rb`. The only ruby/openssl version 3.2.0 includes the 5 commits above.
* Ruby 3.3
* master: 3.2.0
* Ruby 3.2:
* The brnach ruby_3_2: 3.1.0
* The latest patch version tag v3_2_2: 3.1.0
* Ruby 3.1:
* The branch ruby_3_1: 3.0.1
* The latest patch version tag v3_1_4: 3.0.1
* Ruby 3.0:
* The branch ruby_3_0: 2.2.2
* The latest patch version tag v3_0_6: 2.2.2
In my opinion, the 3 possible ways to backport are
1. Include ruby/openssl 3.2.0 in Ruby 3.2, 3.1 and 3.0. I think this is the easiest option.
2. If ruby/ruby only wants to use ruby/openssl only increasing patch version, we may need some work in ruby/openssl side to relase the ruby/openssl gem 3.1.z, 3.0.z and 2.2.z. I think this is the right option, and the hardest option.
3. Backport the 5 commits above in ruby/ruby directly. I am not sure if this is actually an option, when the upstream ruby/openssl stable branches `maint-3.2`, `maint-3.1` and `maint-3.0` don't apply the commits.
The reason why the oldest Ruby version to be backported is 3.0 is because the oldest Ruby version using OpenSSL 3 is 3.0 in CentOS 9 stream and RHEL 9 main branch, in our maintaining Linux distributions: Fedora, CentOS Stream and RHEL.
## References of the patch files
As a reference, I would share our managing patches created from the 5 commits above in Fedora and CentOS 9 Stream.
* Fedora rawhide (f40) (rawhide branch): (f40): Based Ruby: 3.2.2:
https://src.fedoraproject.org/rpms/ruby/blob/8d5b538747717f36b6244bcdad38e41271fc7010/f/ruby.spec#_181 https://gitlab.com/redhat/centos-stream/rpms/ruby/-/blob/c9s/ruby.spec?ref_type=heads#L1
Patch12, 13, 14, and 15 are the patch files.
* CentOS 9 Stream, Ruby 3.1 stream (stream-ruby-3.1-rhel-9.4.0 branch): stream: Based Ruby: 3.1.2
https://gitlab.com/redhat/centos-stream/rpms/ruby/-/blob/59242d8ce8261a9759dfb2bd8db673e55061a28b/ruby.spec#L211 https://gitlab.com/redhat/centos-stream/rpms/ruby/-/blob/stream-ruby-3.1-rhel-9.4.0/ruby.spec?ref_type=heads#L1
Patch30, 31, 32, and 33 are the patch files.
* CentOS 9 Stream, default (c9s branch): default: Based Ruby: 3.04.
https://gitlab.com/redhat/centos-stream/rpms/ruby/-/blob/e0deda71a34ffef75c9f923e0e8d5ca2816fce17/ruby.spec#L279 https://gitlab.com/redhat/centos-stream/rpms/ruby/-/blob/c9s/ruby.spec?ref_type=heads#L279
Patch65, 66, 67, and 68 are the patch files.