Project

General

Profile

Bug #20000

Updated by jaruga (Jun Aruga) about 1 year ago

Ruby 3.3 (master branch) includes Ruby OpenSSL library (openssl gem) to fix OpenSSL.fips_mode and OpenSSL::PKey.read in OpenSSL 3 FIPS. And I want to see the following 5 commits to fix the issues will be backported to Ruby 3.2, 3.1 and 3.0. 

 * Fix OpenSSL.fips_mode in OpenSSL 3 FIPS. 
   https://github.com/ruby/openssl/pull/608 
   https://github.com/ruby/ruby/commit/678d41bc51fe31834eec0b653ba0e47de5420aa0 

 * Fix OpenSSL::PKey.read in OpenSSL 3 FIPS. 
   The following 2 commits modify the `ossl_pkey_read_generic`. Maybe it's easy to combine and squash the 2 commits to 1 commit to backport. 
   * https://github.com/ruby/openssl/pull/615 
     https://github.com/ruby/ruby/commit/2a4834057b30a26c38ece3961b370c0b2ee59380 
   * https://github.com/ruby/openssl/pull/669 
     https://github.com/ruby/ruby/commit/b0ec1db8a72c530460abd9462ac75845362886bd 

 * Enable tests in OpenSSL FIPS. 
   This commit is needed to run the tests properly in OpenSSL FIPS. 
   * https://github.com/ruby/openssl/pull/615 
     https://github.com/ruby/ruby/commit/920bc71284f417f9044b0dc1822b1d29a8fc61e5 

 * ssl: use ffdhe2048 from RFC 7919 as the default DH group parameters 
   https://github.com/ruby/openssl/pull/674 
   https://github.com/ruby/ruby/commit/b6d7cdc2bad0eadbca73f3486917f0ec7a475814 


 ## Ruby and included Ruby OpenSSL (ruby/openssl) version 

 Here is the bundled ruby/openssl version for each Ruby. You can check the version number in the `ext/openssl/lib/openssl/version.rb`. The only ruby/openssl version 3.2.0 includes the 5 commits above. 

 * Ruby 3.3 
   * master: 3.2.0 
 * Ruby 3.2: 
   * The brnach ruby_3_2: 3.1.0 
   * The latest patch version tag v3_2_2: 3.1.0 
 * Ruby 3.1: 
   * The branch ruby_3_1: 3.0.1 
   * The latest patch version tag v3_1_4: 3.0.1 
 * Ruby 3.0: 
   * The branch ruby_3_0: 2.2.2 
   * The latest patch version tag v3_0_6: 2.2.2 


 In my opinion, the 3 possible ways to backport are 

 1. Include ruby/openssl 3.2.0 in Ruby 3.2, 3.1 and 3.0. I think this is the easiest option. 
 2. If ruby/ruby only wants to use ruby/openssl only increasing patch version, we may need some work in ruby/openssl side to relase the ruby/openssl gem 3.1.z, 3.0.z and 2.2.z. I think this is the right option, and the hardest option.  
 3. Backport the 5 commits above in ruby/ruby directly. I am not sure if this is actually an option, when the upstream ruby/openssl stable branches `maint-3.2`, `maint-3.1` and `maint-3.0` don't apply the commits. 


 The reason why the oldest Ruby version to be backported is 3.0 is because the oldest Ruby version using OpenSSL 3 is 3.0 in CentOS 9 stream and RHEL 9 main branch, in our maintaining Linux distributions: Fedora, CentOS Stream and RHEL. 

 ## References of the patch files 

 As a reference, I would share our managing patches created from the 5 commits above in Fedora and CentOS 9 Stream. 

 * Fedora rawhide (f40) (rawhide branch): Based Ruby: 3.2.2: 
   https://src.fedoraproject.org/rpms/ruby/blob/8d5b538747717f36b6244bcdad38e41271fc7010/f/ruby.spec#_181 
   Patch12, 13, 14, and 15 are the patch files. 
 * CentOS 9 Stream, Ruby 3.1 stream (stream-ruby-3.1-rhel-9.4.0 branch): Based Ruby: 3.1.2 
   https://gitlab.com/redhat/centos-stream/rpms/ruby/-/blob/59242d8ce8261a9759dfb2bd8db673e55061a28b/ruby.spec#L211 
   Patch30, 31, 32, and 33 are the patch files. 
 * CentOS 9 Stream, default (c9s branch): Based Ruby: 3.0.4. 3.04. 
   https://gitlab.com/redhat/centos-stream/rpms/ruby/-/blob/e0deda71a34ffef75c9f923e0e8d5ca2816fce17/ruby.spec#L279 
   Patch65, 66, 67, and 68 are the patch files. 

Back