OpenSSL 1.1.1 compatibility #2388
Comments
FYI, using
I noticed the message <"SSL_read: tlsv1 alert decrypt error">. Was it built with TLSv1 support? Finally, 2.5.1 uses Ruby OpenSSL 2.1.0. Have you tried installing the openssl gem, which is 2.1.1? If that worked... |
I probably should have let everyone here know... The Appveyor trunk build has been using OpenSSL 1.1.1 since For a couple of weeks, I tested locally using OpenSSL 1.1.1, building & testing trunk, and also building & testing Puma & EventMachine. All were stable, so I added it to trunk. I'm updating the OpenSSL package once or twice a week until release. I'll see issues right away in the RubyGems tests in the Ruby Thanks, Greg |
I did a "don't try this at home", and swapped OpenSSL dll's from 1.1.0 to 1.1.1. Using 2.5.1, all tests in this repo passed. I tried it with both the default 2.5.1 OpenSSL (2.1.0) and also with a gem built yesterday from Ruby OpenSSL master (2.1.1+?). Both were built using 1.1.0, but both work with the 1.1.1 dll's. I'm not sure what might be causing the different results. I haven't tried building 2.5.1 from scratch. FYI, the 'SSL check script' also 'passed'. As mentioned above, below is OpenSSL version info:
|
Probably different configuration? These are the settings from Fedora Rawhide:
I am not an OpenSSL expert, so I dunno how they are actually applied, but I guess that OPENSSL_CONF env var could be the env variable to provide configuration overrides. |
For any of the deep SSL stuff I have google open and probably some man pages. I thought that there aren't a lot of restrictions that can be set thru the OpenSSL conf file. But, if that's the case, why would they affect Ruby? So, I'm confused... BTW, what is the output from:
|
Is what I had to do on Ubuntu. I'm compiling openssl 1.1.1 with ruby2.5.1 with backported ruby-openssl 2.1.1 with TLS security level lowered to 0 in openssl. This seems to work when compiling against both openssl 1.1.0 and 1.1.1. I suspect that maybe the invalid client cert is not good enough for tls 1.3 / openssl 1.1.1? Or the authentication fails async, thus openssl exception is raised first, or something like that. |
OpenSSL 1.1.1 is now the standard MinGW package on Appveyor, and Ruby 2.5.3 and ruby-loco (trunk) are both built with 1.1.1. The above test recently failed on a 2.5.3 job. But, given that the same test is run with every ruby/ruby build, every ruby-loco build, and every RubyGems build, it is an intermittent issue. I added a message to the issue mentioned above... |
Sorry for the ping, but this involves ruby/ruby, RubyGems, & ruby/openssl. I've had this error
in my RG fork, and I just had it in ruby-loco test-all. It is intermittent and only appears when using OpenSSL 1.1.1 (TLSv1_3). From what I can tell, the error is originating in one of the OpenSSL dll's, passing thru ruby/openssl, ruby/net/http, ending up raised in RG. I believe the method Gem::Request#perform_request (which has several rescue statements) would need to have a rescue for As mentioned above, there is an open issue in ruby/openssl #227. I believe with normal Appveyor & Travis CI, the only way to use OpenSSL 1.1.1 is via Appveyor Ruby 2.5.3 or ruby-loco. Travis Ubuntu is using 1.0.1 (why?), and Travis OSX uses 1.1.0. Ruby trunk MinGW is built/tested with 1.1.1 (mswin is still using 1.0.2, although 1.1.1 is available). JFYI, from work in another repo that compiles with OpenSSL, the order of the handshakes cb's changes between TLSv1_2 and TLSv1_3. Also, in the above test, I believe the call that generates the error in TLSv1_2 is from After all that, if I did a PR, should I use |
This is likely resolved by #2507 |
OpenSSL 1.1.1 has landed in Fedora Rawhide:
Running Ruby 2.5.1 test suite, I observe the following error:
Originally, I reported the test suite issues here [1] and all except this one were already fixed. Just FTR, here is the output of your SSL check script: