ruby.git/ext/openssl/lib, branch v3_4_9 The Ruby Programming Language Update openssl gem to 3.3.1 for Ruby 3.4 (#14792) 2025-10-09T14:32:47+00:00 Bo Anderson mail@boanderson.me 2025-10-09T14:32:47+00:00 fce44db5eb7baf1ddd2238254c3cf617fcfd1112 Update openssl gem to 3.3.1 [Backport #21631] 
Update openssl gem to 3.3.1

[Backport #21631]
 [ruby/openssl] Ruby/OpenSSL 3.3.0 2024-12-21T18:33:03+00:00 Kazuki Yamaguchi k@rhe.jp 2024-12-18T14:04:35+00:00 9e3e1c7fc9dddb61de4867ad786e86958d11b33c https://github.com/ruby/openssl/commit/e5153dbbb4 
https://github.com/ruby/openssl/commit/e5153dbbb4
[ruby/openssl] ssl: do not clear existing SSL options in SSLContext#set_params 2024-12-07T08:15:08+00:00 Kazuki Yamaguchi k@rhe.jp 2024-06-11T18:01:54+00:00 c9bbf7e3eba9d42983d89b07273f4f31e9ca8d0e Apply SSL options set in DEFAULT_PARAMS without clearing existing options. It currently clears options in order to avoid setting one of the options included in OpenSSL::SSL::OP_ALL unless explicitly specified, namely OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS. Now that OpenSSL::SSL::OP_ALL has been removed from SSLContext#initialize, it is no longer necessary. https://github.com/ruby/openssl/commit/77c3db2d65 
Apply SSL options set in DEFAULT_PARAMS without clearing existing
options.

It currently clears options in order to avoid setting one of the
options included in OpenSSL::SSL::OP_ALL unless explicitly specified,
namely OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS. Now that
OpenSSL::SSL::OP_ALL has been removed from SSLContext#initialize, it is
no longer necessary.

https://github.com/ruby/openssl/commit/77c3db2d65
[ruby/openssl] ssl: do not enable OpenSSL::SSL::OP_ALL by default 2024-12-07T08:15:08+00:00 Kazuki Yamaguchi k@rhe.jp 2024-06-11T17:29:46+00:00 510c190739b83cfa4fdb56e9d9c0578af25c9c6a Respect the SSL options set by default by SSL_CTX() and by the system-wide OpenSSL configuration file. OpenSSL::SSL::SSLContext#initialize currently adds OpenSSL::SSL::OP_ALL on top of the default SSL options. Let's stop doing it. OpenSSL::SSL::OP_ALL is a set of options that changes OpenSSL's behavior to workaround various TLS implementation bugs. Using it is considered usually safe, but is not completely harmless. https://github.com/ruby/openssl/commit/00bec0d905 
Respect the SSL options set by default by SSL_CTX() and by the
system-wide OpenSSL configuration file.

OpenSSL::SSL::SSLContext#initialize currently adds OpenSSL::SSL::OP_ALL
on top of the default SSL options. Let's stop doing it.

OpenSSL::SSL::OP_ALL is a set of options that changes OpenSSL's behavior
to workaround various TLS implementation bugs. Using it is considered
usually safe, but is not completely harmless.

https://github.com/ruby/openssl/commit/00bec0d905
[ruby/openssl] x509: fix handling of multiple URIs in Certificate#crl_uris 2024-11-14T02:21:39+00:00 Kazuki Yamaguchi k@rhe.jp 2024-07-09T12:15:11+00:00 419fb2f3b94d8b7ccb462177667070e13ed9df8a The implementation of OpenSSL::X509::Certificate#crl_uris makes the assumption that each DistributionPoint in the CRL distribution points extension contains a single general name of type URI. This is not guaranteed by RFC 5280. A DistributionPoint may contain zero or more than one URIs. Let's include all URIs found in the extension. If only non-URI pointers are found, return nil. Fixes: https://github.com/ruby/openssl/issues/775 https://github.com/ruby/openssl/commit/71f4fef2fa 
The implementation of OpenSSL::X509::Certificate#crl_uris makes the
assumption that each DistributionPoint in the CRL distribution points
extension contains a single general name of type URI. This is not
guaranteed by RFC 5280. A DistributionPoint may contain zero or more
than one URIs.

Let's include all URIs found in the extension. If only non-URI pointers
are found, return nil.

Fixes: https://github.com/ruby/openssl/issues/775

https://github.com/ruby/openssl/commit/71f4fef2fa
[ruby/openssl] Add SSLSocket#readbyte 2024-07-03T08:54:18+00:00 Grant Gardner grant@lastweekend.com.au 2024-06-30T14:25:45+00:00 4d4ac00123aa21d3027bcd0aa0242c1bc129837e Companion to getbyte but raise EOFError Similar to https://github.com/ruby/openssl/pull/438 https://github.com/ruby/openssl/commit/c40f70711a 
Companion to getbyte but raise EOFError
Similar to https://github.com/ruby/openssl/pull/438

https://github.com/ruby/openssl/commit/c40f70711a
[ruby/openssl] rewriting most of the asn1 init code in ruby 2024-06-27T16:00:55+00:00 HoneyryderChuck cardoso_tiago@hotmail.com 2024-04-16T17:07:56+00:00 9c5e9d29f0c9b025577cb72b421b9682bfadcd37 to have as much of the lib in ruby as possible https://github.com/ruby/openssl/commit/8305051728 
to have as much of the lib in ruby as possible

https://github.com/ruby/openssl/commit/8305051728
[ruby/openssl] Fix references to the license text 2024-06-08T10:59:17+00:00 Kazuki Yamaguchi k@rhe.jp 2024-05-01T08:10:44+00:00 69c0b1438a45938e79e63407035f116de4634dcb Update the references to the file "LICENCE" with "COPYING". The file LICENCE doesn't exist in ruby/ruby nor ruby/openssl. This has been always the case since OpenSSL for Ruby 2 was merged to the ruby tree as a standard library in 2003. In OpenSSL for Ruby 2's CVS repository[1], the LICENCE file contained an old version of the Ruby License, identical to the COPYING file that was in Ruby's tree at that time (r4128[2]). [1] http://cvs.savannah.gnu.org/viewvc/rubypki/ossl2/LICENCE?revision=1.1.1.1&view=markup [2] https://github.com/ruby/ruby/blob/231247c010acba191b78ed2d1310c935e63ad919/COPYING https://github.com/ruby/openssl/commit/5bccf07d04 
Update the references to the file "LICENCE" with "COPYING".

The file LICENCE doesn't exist in ruby/ruby nor ruby/openssl. This has
been always the case since OpenSSL for Ruby 2 was merged to the ruby
tree as a standard library in 2003.

In OpenSSL for Ruby 2's CVS repository[1], the LICENCE file contained
an old version of the Ruby License, identical to the COPYING file that
was in Ruby's tree at that time (r4128[2]).

[1] http://cvs.savannah.gnu.org/viewvc/rubypki/ossl2/LICENCE?revision=1.1.1.1&view=markup
[2] https://github.com/ruby/ruby/blob/231247c010acba191b78ed2d1310c935e63ad919/COPYING

https://github.com/ruby/openssl/commit/5bccf07d04
[ruby/openssl] Fix performance regression in do_write(s) 2024-05-02T07:24:36+00:00 Jaymz Julian jaymzjulian@meta.com 2024-02-05T23:00:47+00:00 d39993a4ce15004d98a450dd71bb804fd0e37182 This causes significant performance issues when using large (>10meg) writes Fix by adjusting the buffer write function to clear the buffer once, rather than piece by piece, avoiding a case where a large write (in our case, around 70mbytes) will consume 100% of CPU. This takes a webrick GET request via SSL from around 200kbyts/sec and consuming 100% of a core, to line speed on gigabit ethernet and 6% cpu utlization. https://github.com/ruby/openssl/commit/d4389b425d 
This causes significant performance issues when using large (>10meg) writes

Fix by adjusting the buffer write function to clear the buffer once, rather than
piece by piece, avoiding a case where a large write (in our case, around
70mbytes) will consume 100% of CPU. This takes a webrick GET request via SSL
from around 200kbyts/sec and consuming 100% of a core, to line speed on gigabit
ethernet and 6% cpu utlization.

https://github.com/ruby/openssl/commit/d4389b425d
[ruby/openssl] Further clarification of documentation. 2024-04-30T14:51:59+00:00 Samuel Williams samuel.williams@oriontransfer.co.nz 2024-04-28T06:09:49+00:00 368ce0758e1f4c0fd38ae08297f432c0a9589d4a https://github.com/ruby/openssl/commit/0697f2f8b4 
https://github.com/ruby/openssl/commit/0697f2f8b4