please document status with regards to ext/openssl from Ruby #54

Closed
terceiro opened this issue Jun 28, 2016 · 5 comments
Comments

@terceiro
Contributor

Hi,

First of all thanks for your work on openssl.

I am one of the Ruby maintainers in Debian, where we need to move on to OpenSSL 1.1.0. But based on the discussion on Ruby bug #12324 (OpenSSL 1.1.0 support) it seems that backporting that to Ruby 2.3 might be tricky.

It has been suggested as one option that Debian stops building ext/openssl that comes bundled with Ruby, and includes this openssl package instead. In principle that sounds like a perfect alternative, because openssl can then be fixed independently of Ruby, but there are a few issues that prevent me from doing that:

  • there have been no releases of openssl, at all (rubygem.org says "Don't install this!")
  • I don't know how the handling of security issues in openssl works (while Ruby itself has at least some sane solid security procedures).
  • it's not clear how (in)compatible openssl is wrt the version bundled with Ruby. e.g. can I as distributor rely on it being a drop-in replacement for the bundled openssl library? (now, or even in some future)

Can you please clarify those points?

@zzak
Member

zzak commented Jun 30, 2016

This is something I definitely need to write/work on.

Thanks for bringing this up and making a formal ticket for it!

@zzak zzak self-assigned this Jun 30, 2016
@rhenium
Member

rhenium commented Jun 30, 2016

  • there have been no releases of openssl, at all (rubygem.org says "Don't install this!")

I'd like to include gemified ext/openssl in Ruby 2.4.0-preview2, which will be released in September, at least.

https://bugs.ruby-lang.org/projects/ruby-trunk/wiki/ReleaseEngineering24

  • I don't know how the handling of security issues in openssl works (while Ruby itself has at least some sane solid security procedures).

I don't know if this has been discussed...

  • it's not clear how (in)compatible openssl is wrt the version bundled with Ruby. e.g. can I as distributor rely on it being a drop-in replacement for the bundled openssl library? (now, or even in some future)

As far as I can recall, the following changes can affect existing code.

  • f8eec6b (openssl: make Cipher#key= and #iv= reject too long values)

The following are due to the incompatibilities in OpenSSL 1.1.0.

  • fcb9b4a (openssl: add SSLContext#ecdh_curves=)
  • 77b4850 (openssl: check existence of RAND_pseudo_bytes())
  • 7ea72f1 (openssl: adapt OpenSSL::PKey to OpenSSL 1.1.0 opaque structs)

I'm sorry, as I did suggest you switch to the openssl gem; it might not be the best choice for a Ruby 2.3 package... f8eec6b will break existing Rails applications, and it might also be a problem that the user can't load openssl without rubygems.
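The f8eec6b change mentioned above (Cipher#key= and #iv= rejecting over-long values) is the one most likely to surface in applications. As an added example, not code from this issue or from the openssl gem, the following helpers show the check an application can do itself before assigning a key, and how to derive a key and IV of exactly the right size with PBKDF2 so that nothing relies on the old silent truncation. The helper names and the password/salt values are constructed for this example.

```ruby
# Added example (not from the issue): validate key/IV sizes explicitly and
# derive correctly sized material, instead of depending on the older
# ext/openssl behaviour of silently truncating over-long keys and IVs.
require "openssl"

# Hypothetical helper: true only when +key+ is exactly the length the cipher
# consumes, which is what Cipher#key= accepts after f8eec6b.
def key_fits?(cipher_name, key)
  key.bytesize == OpenSSL::Cipher.new(cipher_name).key_len
end

# Hypothetical helper: derive key and IV of the right size from a password with
# PBKDF2-HMAC-SHA256. Returns [key, iv] as binary strings, so nothing has to be
# cut down to fit the cipher.
def derive_key_and_iv(cipher_name, password, salt, iterations: 100_000)
  cipher = OpenSSL::Cipher.new(cipher_name)
  material = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations,
                                         cipher.key_len + cipher.iv_len,
                                         OpenSSL::Digest.new("SHA256"))
  [material.byteslice(0, cipher.key_len),
   material.byteslice(cipher.key_len, cipher.iv_len)]
end

# Hypothetical helper: encrypt with an exact-size key and IV, failing loudly on
# a size mismatch. Pre-f8eec6b, a 40-byte key for AES-256 was accepted and only
# its first 32 bytes were used; this raises instead.
def encrypt_with_exact_key(cipher_name, key, iv, plaintext)
  cipher = OpenSSL::Cipher.new(cipher_name).encrypt
  unless key.bytesize == cipher.key_len
    raise ArgumentError, "key must be #{cipher.key_len} bytes, got #{key.bytesize}"
  end
  unless iv.bytesize == cipher.iv_len
    raise ArgumentError, "iv must be #{cipher.iv_len} bytes, got #{iv.bytesize}"
  end
  cipher.key = key
  cipher.iv = iv
  cipher.update(plaintext) + cipher.final
end

if __FILE__ == $0
  # Constructed sample input for a stand-alone run.
  key, iv = derive_key_and_iv("aes-256-cbc", "constructed-password", "constructed-salt")
  puts "ciphertext bytes: #{encrypt_with_exact_key('aes-256-cbc', key, iv, 'hello').bytesize}"
end
```

A packager testing a Ruby 2.3 application against the gem can grep for `key =` / `iv =` assignments on Cipher objects and run them through a check like `key_fits?` to find the call sites that f8eec6b will reject.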

@zzak
Member

zzak commented Sep 13, 2016

I believe this can be closed now 🙇

@terceiro
Contributor Author

terceiro commented Sep 13, 2016

@zzak thanks, it looks good to me! I am looking forward to shipping openssl as a separate module with Ruby 2.4+ (which will only happen for Debian 10 as Debian 9 will ship Ruby 2.3).

@rhenium do you think the 3 commits you linked to (fcb9b4a (openssl: add SSLContext#ecdh_curves=), 77b4850 (openssl: check existence of RAND_pseudo_bytes()), and 7ea72f1 (openssl: adapt OpenSSL::PKey to OpenSSL 1.1.0 opaque structs)) could be backported to Ruby 2.3?

@rhenium
Member

rhenium commented Sep 13, 2016

@terceiro These 3 changes are necessary to make it compile with OpenSSL 1.1.0. As for the second one (77b4850), the removed OpenSSL::Random.pseudo_bytes can be changed to an alias for OpenSSL::Random.random_bytes. I don't think there is a way to provide shims for the others.

I'm closing this issue, but let me know if there is anything I can help with!
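The pseudo_bytes alias suggested above can be provided from Ruby code rather than a C patch. As an added example, not code from this issue or from the openssl gem, the following defines OpenSSL::Random.pseudo_bytes only when a build lacks it, and adds a small probe that reports which of the APIs discussed in this thread a given ext/openssl build exposes. The probe function name is constructed for this example.

```ruby
# Added example (not from the issue): compatibility shim for the removal of
# OpenSSL::Random.pseudo_bytes (77b4850), plus a probe a packager can run to
# see what a given ext/openssl build provides.
require "openssl"

module OpenSSL
  module Random
    unless respond_to?(:pseudo_bytes)
      # Hypothetical shim: builds against OpenSSL 1.1.0 have no RAND_pseudo_bytes,
      # so serve cryptographically strong bytes instead. Callers of the old API
      # get at least as strong randomness as they asked for.
      def self.pseudo_bytes(length)
        random_bytes(length)
      end
    end
  end
end

# Hypothetical probe: library version at runtime and the presence of APIs whose
# availability changed with the OpenSSL 1.1.0 adaptation commits above.
def openssl_compat_report
  {
    library: OpenSSL::OPENSSL_LIBRARY_VERSION,
    ecdh_curves_setter: OpenSSL::SSL::SSLContext.method_defined?(:ecdh_curves=),
    pseudo_bytes: OpenSSL::Random.respond_to?(:pseudo_bytes),
  }
end

if __FILE__ == $0
  openssl_compat_report.each { |k, v| puts "#{k}: #{v}" }
end
```

Loading the shim early (for example from a `RUBYOPT=-r` file or an initializer) keeps older callers working, while the probe output is something a distribution can record when deciding whether the gem is a drop-in replacement for a particular Ruby and OpenSSL pairing.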

@rhenium rhenium closed this as completed Sep 13, 2016