ruby.git/ext/openssl/lib, branch v3_2_11 The Ruby Programming Language [ruby/openssl] ssl: remove OpenSSL::X509::V_FLAG_CRL_CHECK_ALL from the default store 2025-10-09T05:00:36+00:00 Kazuki Yamaguchi k@rhe.jp 2025-10-05T10:38:47+00:00 c38243e2c4e874d67b63431f9489f47ddfecdefd With OpenSSL 3.6.0, it causes nearly every certificate verification to fail with the message "certificate verify failed (unable to get certificate CRL)" because the CRLs are typically unavailable in the default store used by OpenSSL::SSL::SSLContext#set_params. OpenSSL::X509::V_FLAG_CRL_CHECK_ALL is a flag that extends the CRL checking to all certificates in the chain. In OpenSSL < 3.6.0, the flag alone has no effect, and OpenSSL::X509::V_FLAG_CRL_CHECK must also be set to enable CRL checking. In OpenSSL 3.6.0, OpenSSL::X509::V_FLAG_CRL_CHECK_ALL now implies OpenSSL::X509::V_FLAG_CRL_CHECK. This is inconsistent with the man page and may be fixed in a future OpenSSL 3.6.x release, but this flag is not needed and should not be set by default. Fixes https://github.com/ruby/openssl/issues/949 https://github.com/ruby/openssl/commit/e8481cd687 
With OpenSSL 3.6.0, it causes nearly every certificate verification to
fail with the message "certificate verify failed (unable to get
certificate CRL)" because the CRLs are typically unavailable in the
default store used by OpenSSL::SSL::SSLContext#set_params.

OpenSSL::X509::V_FLAG_CRL_CHECK_ALL is a flag that extends the CRL
checking to all certificates in the chain. In OpenSSL < 3.6.0, the flag
alone has no effect, and OpenSSL::X509::V_FLAG_CRL_CHECK must also be
set to enable CRL checking.

In OpenSSL 3.6.0, OpenSSL::X509::V_FLAG_CRL_CHECK_ALL now implies
OpenSSL::X509::V_FLAG_CRL_CHECK. This is inconsistent with the man page
and may be fixed in a future OpenSSL 3.6.x release, but this flag is not
needed and should not be set by default.

Fixes https://github.com/ruby/openssl/issues/949

https://github.com/ruby/openssl/commit/e8481cd687
[ruby/openssl] Ruby/OpenSSL 3.1.0 2022-12-23T00:39:15+00:00 Kazuki Yamaguchi k@rhe.jp 2022-12-22T23:52:24+00:00 2d2baaf2f46d447f64f4f8fd7cfa3a2a7eba69ed https://github.com/ruby/openssl/commit/c2f7d775c6 
https://github.com/ruby/openssl/commit/c2f7d775c6
[ruby/openssl] Undefine `OpenSSL::SSL` for no socket platforms 2022-12-23T00:39:15+00:00 Yuta Saito kateinoigakukun@gmail.com 2022-10-31T11:07:57+00:00 782777a803f990f688579db50c938d1a80a5f24a This fixes a linkage error about `ossl_ssl_type` on platforms which do not have socket, like WASI. Even before this patch, some items are disabled under `OPENSSL_NO_SOCK` since https://github.com/ruby/ruby/commit/ee22fad45d394818690c4a7586d7bb576ba67c56 However, due to some new use of OpenSSL::SSL::Socket over the past few years, the build under `OPENSSL_NO_SOCK` had been broken. This patch guards whole `OpenSSL::SSL` items by `OPENSSL_NO_SOCK`. [ky: adjusted to apply on top of my previous commit that removed the OpenSSL::ExtConfig, and added a guard to lib/openssl/ssl.rb.] https://github.com/ruby/openssl/commit/b0cfac6a96 
This fixes a linkage error about `ossl_ssl_type` on platforms which do
not have socket, like WASI.

Even before this patch, some items are disabled under `OPENSSL_NO_SOCK` since
https://github.com/ruby/ruby/commit/ee22fad45d394818690c4a7586d7bb576ba67c56
However, due to some new use of OpenSSL::SSL::Socket over the past few years,
the build under `OPENSSL_NO_SOCK` had been broken.

This patch guards whole `OpenSSL::SSL` items by `OPENSSL_NO_SOCK`.

[ky: adjusted to apply on top of my previous commit that removed the
OpenSSL::ExtConfig, and added a guard to lib/openssl/ssl.rb.]

https://github.com/ruby/openssl/commit/b0cfac6a96
[ruby/openssl] Call out insecure PKCS #1 v1.5 default padding for RSA 2022-10-17T07:35:35+00:00 Bart de Water 496367+bdewater@users.noreply.github.com 2022-10-08T11:53:57+00:00 6166fa612cf798930863c7cca23dc96f46ab1c37 https://github.com/ruby/openssl/commit/fd5eaa6dfc 
https://github.com/ruby/openssl/commit/fd5eaa6dfc
[ruby/openssl] bump version number to 3.1.0.pre 2022-10-17T07:35:35+00:00 Kazuki Yamaguchi k@rhe.jp 2022-09-08T15:28:55+00:00 04bf83d6f7c9999ea82e472e09a42286026194f9 https://github.com/ruby/openssl/commit/fceb978a5d 
https://github.com/ruby/openssl/commit/fceb978a5d
[ruby/openssl] Ruby/OpenSSL 3.0.1 2022-10-17T07:35:35+00:00 Kazuki Yamaguchi k@rhe.jp 2022-09-08T09:34:26+00:00 cd83f5b961dfb5401d601c3b08ff3db9f02a5793 https://github.com/ruby/openssl/commit/e5bbd015dc 
https://github.com/ruby/openssl/commit/e5bbd015dc
[ruby/openssl] pkey/dsa: let PKey::DSA.generate choose appropriate q size 2022-10-17T07:35:35+00:00 Kazuki Yamaguchi k@rhe.jp 2022-01-04T13:11:00+00:00 10f93a8bd787658996f08b13a0e564eaf3f41489 DSA parameters generation via EVP_PKEY_paramgen() will not automatically adjust the size of q value but uses 224 bits by default unless specified explicitly. This behavior is different from the now-deprecated DSA_generate_parameters_ex(), which PKey::DSA.generate used to call. Fixes https://github.com/ruby/openssl/issues/483 Fixes: https://github.com/ruby/openssl/commit/1800a8d5ebaf ("pkey/dsa: use high level EVP interface to generate parameters and keys", 2020-05-17) https://github.com/ruby/openssl/commit/0105975a0b 
DSA parameters generation via EVP_PKEY_paramgen() will not automatically
adjust the size of q value but uses 224 bits by default unless specified
explicitly. This behavior is different from the now-deprecated
DSA_generate_parameters_ex(), which PKey::DSA.generate used to call.

Fixes https://github.com/ruby/openssl/issues/483

Fixes: https://github.com/ruby/openssl/commit/1800a8d5ebaf ("pkey/dsa: use high level EVP interface to generate parameters and keys", 2020-05-17)

https://github.com/ruby/openssl/commit/0105975a0b
[ruby/openssl] Ruby/OpenSSL 3.0.0 2021-12-24T18:31:59+00:00 Kazuki Yamaguchi k@rhe.jp 2021-12-24T18:01:01+00:00 efce9ecf72842fd2109a34a89b42933f8c841d93 https://github.com/ruby/openssl/commit/bff4080091 
https://github.com/ruby/openssl/commit/bff4080091
[ruby/openssl] pkey/dh: deprecate OpenSSL::PKey::DH#generate_key! 2021-12-20T14:42:02+00:00 Kazuki Yamaguchi k@rhe.jp 2021-10-22T07:24:07+00:00 0d698be04f6c76250706e8d56f542c3c7fca0fa7 OpenSSL::PKey::DH#generate_key! will not work on OpenSSL 3.0 because keys are made immutable. Users should use OpenSSL::PKey.generate_key instead. https://github.com/ruby/openssl/commit/8ee6a582c7 
OpenSSL::PKey::DH#generate_key! will not work on OpenSSL 3.0 because
keys are made immutable. Users should use OpenSSL::PKey.generate_key
instead.

https://github.com/ruby/openssl/commit/8ee6a582c7
[ruby/openssl] pkey/ec: avoid using EC#public_key= in EC#dh_compute_key 2021-12-20T14:42:01+00:00 Kazuki Yamaguchi k@rhe.jp 2021-12-16T17:22:25+00:00 50b90c5fc3480d3193c9cf161c2a6e71cc688189 Similarly to DH#compute_key, work around it by constructing a SubjectPublicKeyInfo. This should be considered as a temporary implementation. https://github.com/ruby/openssl/commit/fc9aabc18d 
Similarly to DH#compute_key, work around it by constructing a
SubjectPublicKeyInfo. This should be considered as a temporary
implementation.

https://github.com/ruby/openssl/commit/fc9aabc18d