Compability issue with OpenSSL 3.0

[richardboehme]

The current version of the gem does not seem to be compatible with OpenSSL 3.0. The problem seems to be that pkeys are immutable in OpenSSL 3.

Environment details

• OS: Ubuntu Jammy Jellyfish (development branch), running on WSL 2
• Ruby version: 3.1.1 (built against OpenSSL 3.0)
• Gem name and version: google-auth-library-ruby (main Branch)

Steps to reproduce

1. Make sure that ruby -e 'require "openssl"; p OpenSSL::::OPENSSL_VERSION' report version 3.0.0
2. Run the tests using toys do test
3. Errors that occur:

• OpenSSL::PKey::PKeyError: rsa#set_key= is incompatible with OpenSSL 3.0
• OpenSSL::PKey::PKeyError: pkeys are immutable on OpenSSL 3.0

[edmorley]

Ubuntu 22.04 LTS was released in April, which ships only with OpenSSL 3 and not OpenSSL 1.1.
A similar situation will no doubt be occurring soon for other distros too.

As such, could this be prioritised?

Many thanks :-)

[ariccio]

Yup, just hit this on upgrading my heroku buildpack to 22.

[Dreamersoul]

hey, would love to get an update for this issue. any timeline or fixes we can implement?

[lokst]

I would love to get an update on this too 🙂

[ariccio]

Yes, I can't even dev on macOS like this! Thankfully I'm mostly a windows guy.

[ariccio]

...does anybody have a workaround for local dev? How do I force the use of 1.1 on a new install of macOS?

[ariccio]

I wonder if I can patch this?
It looks like the fix is weird, but not impossible.

Here's other places where they've solved the problem:
net-ssh/net-ssh#854
net-ssh/net-ssh#857
net-ssh/net-ssh@98ccff9
net-ssh/net-ssh#875

nov/json-jwt#102

https://bugs.launchpad.net/ubuntu/+source/ruby-net-ssh/+bug/1964025/comments/9

Don't know if I have the time right now to dive into it, but lemme see.

[ariccio]

Oh, also, left a comment on the most relevant OpenSSL issue to link these together and to request docs/suggestions on patching this. See: ruby/openssl#369 (comment)

[ariccio]

Ok, sorry to triple post, but this does seem fixable with @nov's patch in nov/json-jwt#102. I'm too out of my depth to make the changes... I'm not a cryptographer, so I strongly hesitate to change anything that handles cryptography. That's the origin of many a bug and a timing attack :)

[dataf3l]

hi we also want to know when this will be fixed.
we can help by testing the solution if that helps at all

[NivedhaSenthil]

draft solution is available in the branch here https://github.com/googleapis/google-auth-library-ruby/tree/fix_openssl3_compatibility Please let us know of any issues @dataf3l

[ariccio]

Seems to work! Lets get some eyes on this PR!

[ariccio]

Looks like the patch is still waiting on the review! Glad to see that Google cares about code quality. It would be better if they assigned enough engineers to the job so that they wouldn't be so overworked 🤣😭

Is a shame they're talking about cutbacks and layoffs. Such a typical American corporation...

From two cow economics:

An American Corporation:
You have two cows. You sell one and force the other to produce the milk of four cows. Later, you hire a consultant to analyze why the cow has died.

(To be clear, I'm saying that the engineers are doing a good job, definitely not that it's their fault)

[dazuma]

We've completed additional testing on the patch and merged it. There's currently a release freeze in place due to Next which takes place next week. We'll release after the conference ends, around Oct 14.

[ariccio]

Yay! I wish there was an alpha release I could use for now, but totally am glad as is. Thanks for fixing.

[dazuma]

https://rubygems.org/gems/googleauth/versions/1.3.0