
ssl: raise SSLError if loading ca_file or ca_path fails #659

Merged: 1 commit, merged Aug 16, 2023

Commits on Aug 10, 2023

  1. ssl: raise SSLError if loading ca_file or ca_path fails

    When compiled with OpenSSL <= 1.1.1, OpenSSL::SSL::SSLContext#setup
    does not raise an exception on an error return from
    SSL_CTX_load_verify_locations(), but instead only prints a verbose-mode
    warning. This is not helpful since it very likely indicates an actual
    error, such as the specified file not being readable.
    
    Also, OpenSSL's error queue is not correctly cleared:
    
    	$ ruby -w -ropenssl -e'OpenSSL.debug=true; ctx=OpenSSL::SSL::SSLContext.new; ctx.ca_file="bad-path"; ctx.setup; pp OpenSSL.errors'
    	-e:1: warning: can't set verify locations
    	["error:02001002:system library:fopen:No such file or directory",
    	 "error:2006D080:BIO routines:BIO_new_file:no such file",
    	 "error:0B084002:x509 certificate routines:X509_load_cert_crl_file: system lib"]
    
    The behavior is currently different when compiled with OpenSSL >= 3.0:
    SSLError is raised if SSL_CTX_load_verify_file() or
    SSL_CTX_load_verify_dir() fails.
    
    This inconsistency was unintentionally introduced by commit 5375a55
    ("ssl: use SSL_CTX_load_verify_{file,dir}() if available", 2020-02-22).
    However, raising SSLError seems more appropriate in this situation.
    Let's adjust the OpenSSL <= 1.1.1 code so that it behaves the same way
    as the OpenSSL >= 3.0 code currently does.
    
    Fixes: ruby#649
    rhenium committed Aug 10, 2023
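The commit message above describes a failure mode worth checking for on the defending side: on an unfixed build against OpenSSL <= 1.1.1, a `ca_file` that cannot be opened leaves `SSLContext#setup` returning normally, with the only trace being entries left in OpenSSL's error queue. The following Ruby script is an added example, not code from the ruby/openssl project or this PR. It builds a throwaway self-signed CA in a `Tempfile` (constructed test data), then classifies what `setup` does for a good path and for a constructed nonexistent path (`/nonexistent/constructed-ca-bundle.pem`, assumed absent on the running machine), and finishes with a small guard, `trusted_context!` (a hypothetical helper name), that refuses to hand back a context whose CA material did not load, regardless of which OpenSSL the gem was compiled against.

```ruby
require 'openssl'
require 'tempfile'

# Constructed path, assumed not to exist on the machine running this script.
MISSING_CA_FILE = '/nonexistent/constructed-ca-bundle.pem'

# Write a throwaway self-signed CA certificate to a Tempfile so the positive
# path can be exercised offline. Returns the Tempfile (keep a reference so it
# is not unlinked while in use).
def write_temp_ca
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Constructed Test CA')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  file = Tempfile.new(['constructed-ca', '.pem'])
  file.write(cert.to_pem)
  file.flush
  file
end

# Configure an SSLContext to trust only +path+ and report what setup did.
# Returns one of:
#   [:raised, message]      setup raised SSLError (OpenSSL >= 3.0, or any
#                           version carrying the fix from this PR)
#   [:silent_failure, errs] setup returned normally but left entries in
#                           OpenSSL's error queue (unfixed OpenSSL <= 1.1.1 build)
#   [:ok, ctx]              the CA file loaded cleanly
def load_ca_file(path)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.ca_file = path
  OpenSSL.errors # drain stale queue entries so anything read below came from setup
  begin
    ctx.setup
  rescue OpenSSL::SSL::SSLError => e
    return [:raised, e.message]
  end
  leftover = OpenSSL.errors
  return [:silent_failure, leftover] unless leftover.empty?
  [:ok, ctx]
end

# Version-independent guard (hypothetical helper): refuse to build a context
# whose CA material could not be loaded, whatever the underlying OpenSSL does.
def trusted_context!(path)
  raise ArgumentError, "CA file not readable: #{path}" unless File.readable?(path)
  outcome, detail = load_ca_file(path)
  raise OpenSSL::SSL::SSLError, "loading #{path} failed: #{detail}" unless outcome == :ok
  detail
end

if __FILE__ == $PROGRAM_NAME
  ca = write_temp_ca
  p load_ca_file(ca.path).first          # :ok
  p load_ca_file(MISSING_CA_FILE).first  # :raised or :silent_failure, never :ok
  begin
    trusted_context!(MISSING_CA_FILE)
  rescue ArgumentError, OpenSSL::SSL::SSLError => e
    puts "refused: #{e.message}"
  end
end
```

The `OpenSSL.errors` call before `setup` matters: it consumes whatever is already on the thread's error queue, so a non-empty queue afterwards can be attributed to `setup` itself rather than to earlier, unrelated calls. The `File.readable?` check in `trusted_context!` is deliberately redundant with the post-fix behaviour; it gives the same loud failure on builds that predate this change.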
    Commit 7eb10f7