Build OpenSSL so Ruby 2.0 installs Just Work on Mountain Lion #273
Conversation
|
Ready to roll!
|
|
/cc @sstephenson @sferik 😁 |
|
👍 from me me. I pulled down your branch and successfully installed Ruby 2.0.0-rc1 on my Mac running OS X 10.8 (Mountain Lion) and OpenSSL 0.9.8r. One question: should there be that extra new line after "Installed openssl…"? |
|
The newline is due to nesting a package install. The nested openssl install emits a trailing newline: https://github.com/sstephenson/ruby-build/blob/master/bin/ruby-build#L116 |
|
As a quick sanity check, if Verifying that we're using a bundled openssl config dir as well: 2.0.0-dev ~ ruby -ropenssl -e 'puts OpenSSL::Config::DEFAULT_CONFIG_FILE'
/usr/local/etc/openssl/openssl.cnf
2.0.0-dev ~ rbenv shell 2.0.0-rc1
2.0.0-rc1 ~ ruby -ropenssl -e 'puts OpenSSL::Config::DEFAULT_CONFIG_FILE'
/Users/jeremy/.rbenv/versions/2.0.0-rc1/openssl/ssl/openssl.cnf |
|
This looks good Jeremy. The only thing that gives me pause is pulling root certs from curl.haxx.se. On one hand, we're freed from the responsibility of bundling a fresh set of certificates ourselves. On the other hand, we're blindly installing root certificates that change relatively frequently (http://curl.haxx.se/ca/cacert.pem says Dec 29 2012) without verifying their checksum. What do you think about reading the system's certificates from Keychain instead? |
|
Looks like we can get a pem-formatted dump of the system root certificates with this command: We can see the CA labels by running the same command without |
|
Also, I think it's fine for us to scope this to OS X only—every other system comes with a package manager capable of installing OpenSSL and a trusted set of root certificates. Let's not take on more than we have to. |
| # Check for Mountain Lion's broken OpenSSL build. | ||
| if [[ $(type sw_vers) ]] && | ||
| [[ "$(sw_vers -productVersion)" = 10.8.* ]] && | ||
| [[ "$(openssl version)" = "OpenSSL 0.9.8r 8 Feb 2011" ]] |
There was a problem hiding this comment.
Lion's OpenSSL displays the exact same version string:
$ sw_vers -productVersion
10.7.3
$ openssl version
OpenSSL 0.9.8r 8 Feb 2011
This is probably an issue on all versions of OS X, yeah?
There was a problem hiding this comment.
Probably. I'm not sure how far back it goes. I think it'd be fine to always bundle OpenSSL on Mac if the builtin's what's available. Might be nice to check for brew --prefix openssl too—quicker install for many folks who've already have OpenSSL, but don't have it in their $PATH.
We're not doing any work to support non-osx platforms. They're supported as a side effect. What would we remove in order to narrow the scope? Missing |
|
Agreed re. dumping system certs. Forgot we'd investigated that! |
It'd let us remove the external certificate dependency—we only know how to pull system certs on OS X. I think it'd be enough to check for presence of if type sw_vers >/dev/null && [ "$(openssl -version)" = "OpenSSL 0.9.8r 8 Feb 2011" ]; then |
|
Ah, yes indeed. Dig it. |
|
Man, the slowest part of install feels like capi & rdoc/ri generation. Gotta shut that off. #156. |
|
@sstephenson Limited to OS X and added a check for Homebrew. |
|
Killed the Homebrew support. Scope creep with dubious aesthetics. |
Apple ships a patched, incompatible OpenSSL. We build a compatible OpenSSL from source.
|
Awesome, thanks @jeremy. |
| OPENSSLDIR="${OPENSSLDIR:-$OPENSSL_PREFIX_PATH/ssl}" | ||
|
|
||
| # Tell Ruby to use this openssl for its extension. | ||
| RUBY_CONFIGURE_OPTS="--with-openssl-dir=$OPENSSL_PREFIX_PATH $RUBY_CONFIGURE_OPTS" |
There was a problem hiding this comment.
Can't nest quoting here, so we're leaving OPENSSL_PREFIX_PATH unquoted. No good. @sstephenson suggested switching to a config opts array + little api to add opts.
Ditto for $OPENSSLDIR below.
|
It would be nice if we could get this merged before we ship a release that includes 2.0.0-rc2 (this may be the last RC), so people can test it out before 2.0.0 final ships on February 24. |
|
Working on it today. Latest is in https://github.com/sstephenson/ruby-build/compare/static-openssl-for-ruby-2.0-on-mountain-lion |
|
🤘 Awesome work! |
…es some people are having, pending understanding why static linking isn't working.
|
Just ran into this issue this afternoon while running @jeremy Just asking because I noticed your "Kill Homebrew support" comment... |
|
@mjijackson I had some support for automatically using the Homebrew openssl package, if available, but felt it was premature. It's unrelated to whether you installed rbenv using Homebrew or not. |
|
@jeremy here is a similar encounter for me on mountain lion with 2.0.0-p195 where it blames an openssl issue. is there a work-around? |
|
@jbayer I am on 10.8.4 using Homebrew. I was getting the same error as you posted in your gist when trying to install2.0.0-p195 . I was successful in installing 2.0.0-p195 after forcing the link for openssl: "brew link openssl --force" |
|
@wpdavenport confirmed that the "brew link openssl --force" option worked for me with 2.0.0-p195 on OSX 10.8.4. thanks for the help! |
|
@wpdavenport I can also confirm that |
|
Instead of force linking OpenSSL (which could lead to issues elsewhere), you might just want to use the |
|
I followed the original work-around instructions and all of the tips that people and posted and these too but I'm still getting the same issue. :/ |
|
@BethAnderson did you brew install openssl and tried the very helpful env var trick mentioned by @alloy? If you --force linked you can always unlink again. |
|
I did those both, yes. Just tried: export CC=clang ...and it built, then I changed the symlink in /usr/bin/ruby. |
|
@BethAnderson for me it just worked with those two steps (install openssl, configure flag pointing to brewed openssl) I didn't change the default compiler or anything. I'm on OSX 10.8.4 with rbenv / rbenv installer. Sorry. :( |
|
@musha68k Not sure why it didn't work and why it did work when I tried that. Just need to get bundler to pick up the correct Ruby version now though. |
|
@BethAnderson using rbenv just put 2.0.0-p195 in project/.ruby-version and bundler should take over from there. |
|
@musha68k Awesome, thanks! :) 👍 |
|
This is also a problem on Lion. I have just installed rbenv and ruby-build, and when I install Ruby 2.0.0-p247 with rbenv, I am seeing the problems with Apple's OpenSSL ("Ignore OpenSSL broken by Apple"), and ruby-build is not using its own OpenSSL. Why is this fix for Mountain Lion only? |
|
This worked: Would be nice if ruby-build and rbenv would do the right thing in Lion without the env var. |
Ruby 2.0 won't compile the OpenSSL extension on Mountain Lion because Apple shipped a crippled OpenSSL distribution. The fix is to build your own OpenSSL and link to that instead:
That's a lot of hassle for what will soon be a very common case. We can fix it by bundling a working OpenSSL.
TODO:
--openssldirto$PREFIX/openssl/sslc_rehashcerts so openssl sees the new cacert.pem