-
Notifications
You must be signed in to change notification settings - Fork 167
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support OpenSSL 3.0 #369
Comments
Updated TODO list as of alpha14:
|
This is awesome, thanks for your hard work @rhenium! |
This comment has been minimized.
This comment has been minimized.
It seems to be still in preparation at the moment. - ruby/openssl#369 ``` $ brew info openssl@1.1 openssl@1.1: stable 1.1.1l (bottled) [keg-only] Cryptography and SSL/TLS Toolkit https://openssl.org/ /usr/local/Cellar/openssl@1.1/1.1.1l_1 (8,073 files, 18.5MB) Poured from bottle on 2021-10-09 at 17:50:03 From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/openssl@1.1.rb License: OpenSSL ==> Dependencies Required: ca-certificates ✔ ==> Caveats A CA file has been bootstrapped using certificates from the system keychain. To add additional certificates, place .pem files in /usr/local/etc/openssl@1.1/certs and run /usr/local/opt/openssl@1.1/bin/c_rehash openssl@1.1 is keg-only, which means it was not symlinked into /usr/local, because macOS provides LibreSSL. If you need to have openssl@1.1 first in your PATH, run: echo 'export PATH="/usr/local/opt/openssl@1.1/bin:$PATH"' >> ~/.zshrc For compilers to find openssl@1.1 you may need to set: export LDFLAGS="-L/usr/local/opt/openssl@1.1/lib" export CPPFLAGS="-I/usr/local/opt/openssl@1.1/include" For pkg-config to find openssl@1.1 you may need to set: export PKG_CONFIG_PATH="/usr/local/opt/openssl@1.1/lib/pkgconfig" ==> Analytics install: 1,034,525 (30 days), 2,791,466 (90 days), 9,665,014 (365 days) install-on-request: 40,532 (30 days), 166,402 (90 days), 971,361 (365 days) build-error: 0 (30 days) ```
…as 1.x and 3.x, 3.x does not work) ruby/openssl#369
…as 1.x and 3.x, 3.x does not work) ruby/openssl#369
…as 1.x and 3.x, 3.x does not work) ruby/openssl#369
Current OpenSSL 3.0.x release has a regression with zero-length MAC keys. While this issue should be fixed in a future release of OpenSSL, we can use EVP_PKEY_new_raw_private_key() in place of the problematic EVP_PKEY_new_mac_key() to avoid the issue. OpenSSL 3.0's man page recommends using it regardless: > EVP_PKEY_new_mac_key() works in the same way as > EVP_PKEY_new_raw_private_key(). New applications should use > EVP_PKEY_new_raw_private_key() instead. Fixes ruby/openssl#369 (comment) ruby/openssl@4293f18b1f
…e exporting i2d_PUBKEY_bio() against an EC_KEY without the public key component trggers a null dereference. This is a regression introduced by commit ruby/openssl@56f0d34d63fb ("pkey: refactor #export/#to_pem and #to_der", 2017-06-14). Fixes ruby/openssl#527 (comment) Fixes ruby/openssl#369 (comment) ruby/openssl@f6ee0fa4de
Not sure if it's a known issue, but require 'openssl'
ec_key = OpenSSL::PKey::EC.generate('prime256v1')
cipher = OpenSSL::Cipher.new('aes-128-cbc-hmac-sha256')
ec_key.export(cipher, 'key_password') leads to
on Fedora-37 (openssl-3.0.5) and openssl gem from master (1ddbf28) |
@ojab , shouldn't you be using an EC algorithm when using an EC key? |
@akostadinov Nope, require 'openssl'
data = "Very, very confidential data"
cipher = OpenSSL::Cipher.new('aes-128-cbc-hmac-sha256')
cipher.encrypt
key = cipher.random_key
iv = cipher.random_iv
encrypted = cipher.update(data)
encrypted += cipher.final
p encrypted which also fails with |
But that's a good point, because require 'openssl'
ec_key = OpenSSL::PKey::EC.generate('prime256v1')
cipher = OpenSSL::Cipher.new('aes-256-gcm')
pem = ec_key.export(cipher, 'key_password')
p OpenSSL::PKey.read(pem, 'key_password') fails with
Maybe it's covered by unchecked points above, but dunno. EDIT: okay, gcm is hard and I can't get it working even with openssl-1. |
Do you have any suggestions to update the Ruby I can replace https://github.com/pushpad/web-push/blob/master/lib/web_push/vapid_key.rb The gem has good test coverage and is already updated to use the openssl gem v3, but tests pass only on with the C library v1.1 (and not with C library v3). Any suggestions? |
This is the only workaround that we have found: Which is quite complex compared to the straightforward assignment that you could do with OpenSSL 1.1. Is there a simpler alternative to create an OpenSSL::PKey::EC from existing keys (in base64) in OpenSSL 3? |
Would it make sense to replace these methods with a new method like |
#555 is working on it, which provides access to
|
As this is related to supporting OpenSSL 3, I just put the issue tickets and PR to support FIPS mode on OpenSSL 3 |
FYI OpenSSL 1.1.1 (the last version before 3.0) is set to be EOL in less than 2 months. I first want to say I appreciate all the work that has gone into adding 3.0 support so far (as well as all the other work on this gem). From my limited perspective, it looks like full support is unlikely to be completed before the EOL deadline. Is this a reasonable assumption? If so, it seems like something many users will want to know ahead of time. |
Although the occasional OpenSSL-3.x issue is still spotted and fixed, according to https://github.com/ruby/openssl/blob/master/History.md OpenSSL 3.0 has been supported since v3.0.0 in Dec 24, 2021. Meanwhile projects that consume this library are looking at this issue still being open as a reason they can't support OpenSSL 3.x yet. Can this issue be marked closed? |
We also got confused by this open issue and the incomplete 3.0 milestone: https://github.com/ruby/openssl/milestone/2 |
Agreed, @rhenium are you OK to close this issue and the milestone? |
OpenSSL 3.0 is scheduled to be released later this year. It is a major version bump from 1.1 and contains architecture changes that affect Ruby/OpenSSL.
From https://www.openssl.org/policies/releasestrat.html:
The design is outlined in the web page:
https://www.openssl.org/docs/OpenSSL300Design.html
Unlike OpenSSL 1.0 -> 1.1, not so many changes are required to make it just compile, but a lot of deprecation warnings are generated while compiling and many test cases are currently failing when compiled against OpenSSL's master.
The text was updated successfully, but these errors were encountered: