bf-cbc isn't a supported cipher in Ruby 3.2 #17
Conversation
@ahoward Any chance of reviewing this?
Note this has less to do with ruby version than it has to do with OpenSSL 3 marking bf-cbc cipher as deprecated.
@UnderpantsGnome I think this approach will be problematic as there is no easy way to update (or downgrade) ruby with it.
It looks like old ciphers are still available in modern openssl but they are just disabled with the default provider. The legacy provider still has them.
openssl 3.2+ added support for providers in ruby/openssl#635
So just adding gem "openssl", "~> 3.2.0" and calling something like:

```ruby
if defined?(OpenSSL::Provider)
  OpenSSL::Provider.load("legacy")
end
```

before loading sekrets does the trick.
It also looks like in previous openssl gem versions you can achieve the same with the OPENSSL_CONF env variable but I have not explored that path.
@bak1an That's a good tip for people coming to this, I have my doubts about this making it to I'm not sure I see the Ruby version change (upgrade/downgrade) issue, 3.0 is already EOL as it is. If you change your cipher you will need to re-encrypt things, but that shouldn't be happening very often. 🙂
It's really a shame that this won't make it to main, as we still use this gem for ruby (non-rails) applications to do encryption
Unfortunately there are still pre-ruby 3.0 apps out there. And you can also build ruby 3.0+ with openssl 1.1 and it will work. So it is not even a ruby version issue but your system's openssl version issue:
I could also imagine a situation of gradual upgrade when part of the servers in the pool already have new ruby & openssl and the other part don't. Having different ciphers for your sekrets file in such a case would be slightly hard to manage (imagine someone also trying to modify secrets while this rollout is going on)
@arianf Solution with loading
in your openssl config to make it work without any code modifications. You can either directly modify system's But overall, BF-CBC does not seem good to be used in 2024. Even in 2017 it was not good #6 So unless there are maintainers in this repo perhaps a fork is required to properly migrate to modern ciphers.
Even if this doesn't get merged to
This is helpful 👍
FYI - only @ahoward has privileges to release a new version of the gem - I'll ping him and see if I can get privileges and go from there.
Thanks Jeremey! Long time no talk 🙂
tracking this @UnderpantsGnome and @copiousfreetime -- happy to give perms to whomever but would like to peek just a little to review code and consider some route to entirely eliminate openssl moving fwd ... albatross! ;-/ thoughts and prayers welcome.
It would definitely be good to have some kind of script for changing/upgrading ciphers built in moving forward, that would make updating pretty painless.
@ahoward let me know if you want me to look into simplifying cipher changes.
@UnderpantsGnome i am peeking at now and, yes ;-)
What if openssl is kept (it comes with ruby anyway) but the cipher is configurable (with some good modern defaults as suggested in #6)? Instructions or a helper command for re-encrypting secrets into a different cipher would also be good.
@UnderpantsGnome my concern - and i'd forgotten - is that, in addition to the cipher needing to tweak for ruby versions i think the key would also need to magically double in size? that is to say, the key would need to grow from 16 to 32 and a re-crypt would need to happen - yes? i really want to roll something out but want to make sure i grok the issue and that the fix would work in the wild as it's difficult to test with certainty. also, we could catch up on phone as it's been a while if faster ...
have a look at master will ya @arianf, @bak1an, @copiousfreetime, and @UnderpantsGnome .... if you like i'll push the 1.14.0 gem today
Looks good @ahoward! Thanks!
@ahoward while this does silence the error when using an old cipher, it doesn't provide a way to move to a better cipher. Any newer projects of mine are using
@UnderpantsGnome Moving to a new cipher sounds like a separate thing and a bigger release since it will break compatibility for existing projects. Making it just work on servers with modern openssl is a good start I would say.
totally want to do this next and love your feedback. two thoughts on this:
I could see something like

```yaml
# .sekrets.yml (.sekrets.yaml)
---
key: this is a secret
cipher: my super fancy (supported) cipher, or the default if not present
```

I'm not sure if
For CI I could see something like

```sh
SEKRETS_KEY="this is a secret"
SEKRETS_CIPHER="my super fancy (supported) cipher, or the default if not present"
```

I use 1P for my ssh keys, I haven't gone down the path of trying to use it in CI, too many less painful ways to deal with it. 🙂
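An added example, not code from the sekrets gem or from anyone in this thread, that ties together the legacy-provider tip above and the re-encryption helper discussed later: it loads the legacy provider only when the cipher actually fails, derives a key of the cipher's own key_len (16 bytes for bf-cbc, 32 for aes-256-cbc, the growth ahoward asks about), and can re-seal a blob under a new cipher via seal/open_sealed. The blob layout, PBKDF2 parameters and function names are my assumptions, not the sekrets file format.

```ruby
require "openssl"

# True when `name` can be initialised and used on this build; under OpenSSL 3
# bf-cbc fails here until the legacy provider is loaded.
def cipher_works?(name)
  c = OpenSSL::Cipher.new(name).encrypt
  c.random_key
  c.random_iv
  c.update("x") + c.final
  true
rescue OpenSSL::Cipher::CipherError, RuntimeError
  false
end

# Load the legacy provider when the openssl gem exposes OpenSSL::Provider (3.2+).
# "default" is loaded explicitly too, since OpenSSL 3 stops auto-activating it
# once any provider is loaded by hand. Returns :available, :legacy_loaded, or
# :unavailable (older gem, no legacy provider installed, or an unknown name).
def ensure_cipher!(name)
  return :available if cipher_works?(name)
  return :unavailable unless defined?(OpenSSL::Provider)
  OpenSSL::Provider.load("default")
  OpenSSL::Provider.load("legacy")
  cipher_works?(name) ? :legacy_loaded : :unavailable
rescue OpenSSL::OpenSSLError
  :unavailable
end

# Derive exactly key_len bytes, so the 16 -> 32 byte key growth when moving
# from bf-cbc to aes-256-cbc happens automatically (iteration count assumed).
def derive_key(passphrase, salt, cipher)
  OpenSSL::KDF.pbkdf2_hmac(passphrase, salt: salt, iterations: 100_000,
                           length: cipher.key_len, hash: "sha256")
end

# Assumed blob layout: the cipher name travels with the data, so a migration
# tool can open any old blob and re-seal it under the new cipher.
def seal(name, passphrase, plaintext)
  c = OpenSSL::Cipher.new(name).encrypt
  salt = OpenSSL::Random.random_bytes(16)
  c.key = derive_key(passphrase, salt, c)
  iv = c.random_iv
  { cipher: name, salt: salt, iv: iv, data: c.update(plaintext) + c.final }
end

def open_sealed(blob, passphrase)
  c = OpenSSL::Cipher.new(blob[:cipher]).decrypt
  c.key = derive_key(passphrase, blob[:salt], c)
  c.iv = blob[:iv]
  c.update(blob[:data]) + c.final
end
```

Migrating a secret is then `seal("aes-256-cbc", pass, open_sealed(old_blob, pass))` after `ensure_cipher!("bf-cbc")` has reported anything other than :unavailable.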
ok everyone, i'll push the 1.14 now..
lmk if that's working for you and i'm going to extract some stuff out of this pr for the 2.0 release and will close soon. thanks a ton!
@ahoward Thanks! You can ping me if you need some review or testing for 2.0 whenever it is around.
closing as this code has made it into 1.14 gem |