The variable-sized alloca makes me nervous, even though it turned out to be safe: the Finished message is 36 bytes long in SSL 3.0 and is usually smaller in newer protocol versions. However, the alloca is not actually needed since we can... rhenium (Kazuki Yamaguchi)
Fix CI with OpenSSL master in the FIPS mode. With the fips provider in OpenSSL master, HMAC keys shorter than 112 bits are rejected and MD5 is disallowed. Update tests to use SHA-2 and longer keys. https://github.com/ruby/openssl/commit... rhenium (Kazuki Yamaguchi)
Digest::SHA1#update fails when a very large String is passed in a single call. Passing 2**29 bytes (512 MB) or more at once does not update the message length counter correctly, which results in producing an incorrect output. $ rub... rhenium (Kazuki Yamaguchi)
Embarrassingly, the previous commits introduced OPENSSL_cleanse() calls against the temporary struct instead of the buffer content. Thanks to nagachika for noticing. https://github.com/ruby/openssl/commit/8eca3efad4 rhenium (Kazuki Yamaguchi)
Since PBKDF2 runs single-threaded and is typically configured to take several hundred milliseconds or longer, it is a perfect candidate to be run without the GVL. https://github.com/ruby/openssl/commit/2a24966414 rhenium (Kazuki Yamaguchi)
scrypt is another password hashing algorithm, so releasing the GVL is useful. https://github.com/ruby/openssl/commit/dd2f6ba892 rhenium (Kazuki Yamaguchi)
OpenSSL's master branch is changing functions to return const pointers where the returned objects are not meant to be modified by the caller. Update ossl_*_new() to take const pointers accordingly. Unfortunately, *_dup() in older versio... rhenium (Kazuki Yamaguchi)
ossl_ec_new() was removed in commit https://github.com/ruby/openssl/commit/94aeab2f265d (pkey: simplify ossl_pkey_new(), 2017-03-16), but it forgot to remove the declaration while doing so. https://github.com/ruby/openssl/commit/faad7a0811 rhenium (Kazuki Yamaguchi)
ASN1_STRING has been made opaque in OpenSSL's master branch. Use the new accessor functions instead of accessing fields directly. Other uses of ASN1_STRING fields were already updated in <https://github.com/ruby/openssl/pull/978>. This ... rhenium (Kazuki Yamaguchi)
OpenSSL master added support for RFC 7919 groups in TLS 1.2. They are preferred over SSLContext#tmp_dh= or #tmp_dh_callback= values if the client advertises them in the supported_groups extension. https://github.com/ruby/openssl/commit/... rhenium (Kazuki Yamaguchi)