OpenSSL 1.1.1 config .include directive is not supported

[voxik]

Testing Ruby on Fedora Rawhide with openssl-1.1.1-0.pre8.2.fc29, I observe following test failure:

  1) Failure:
OpenSSL::TestConfig#test_constants [/builddir/build/BUILD/ruby-2.5.1/test/openssl/test_config.rb:32]:
Exception raised:
<#<OpenSSL::ConfigError: error in line 40: missing equal sign>>.

and this is the original Fedora issue:

https://bugzilla.redhat.com/show_bug.cgi?id=1610921

Apparently, this is the cause:

... snip ...

[ crypto_policy ]

.include /etc/crypto-policies/back-ends/opensslcnf.config

... snip ...

The OpenSSL::Config class expects there "key = value", while the line 40 ".include" directive, which is newly documented in man 5 config.

The OpenSS::Config was intially introduced by ruby/ruby@879ab2c and it appears there were some issues on Windows. If the issues were resolved, the best approach would be revert back to use OpenSSL API. If the issues are not resolved yet, the OpenSSL::Config should probably add support for '.include' directive.

[rhenium]

I agree that we should use the OpenSSL API instead. I don't know about the issue on Windows, but I expect it is not the case anymore.

However, OpenSSL 1.1.0 removed the _CONF_*() functions that we need to implement OpenSSL::Config#add_value and #[]=. Maybe we can mark them as deprecated and remove after some period.

Anyway, as .include support should be backported to previous versions, I'll try to implement in Ruby for now.

[ioquatix]

We should revert to using the OpenSSL functions. I think it's outside the scope of this library to be editing config files.