ruby.git/ext/openssl/lib, branch v4.0.4 The Ruby Programming Language [ruby/openssl] Ruby/OpenSSL 4.0.0 2025-12-15T09:50:30+00:00 Kazuki Yamaguchi k@rhe.jp 2025-12-14T10:10:04+00:00 f0793731853c0e130f798e9dc5c736b2fa1b72b7 https://github.com/ruby/openssl/commit/5af1edab18 
https://github.com/ruby/openssl/commit/5af1edab18
[ruby/openssl] ossl.c: improve docs for constants and methods under ::OpenSSL 2025-12-15T09:09:49+00:00 Kazuki Yamaguchi k@rhe.jp 2025-04-08T19:01:58+00:00 f06eb75646e7a8d17d9c41988207a2a29a3b006c https://github.com/ruby/openssl/commit/b0de8ba9bd 
https://github.com/ruby/openssl/commit/b0de8ba9bd
[ruby/openssl] x509cert: handle invalid validity periods in Certificate#inspect 2025-12-05T18:40:02+00:00 Kazuki Yamaguchi k@rhe.jp 2025-12-05T18:33:12+00:00 8c4f79d5f30fb2fe647c4f3fd262a5fdeacaeca2 In a newly allocated OpenSSL X509 object, the notBefore and notAfter fields contain an ASN1_STRING object with type V_ASN1_UNDEF rather than an ASN1_TIME. Commit https://github.com/ruby/openssl/commit/73484f67949a made asn1time_to_time() stricter and it now raises an exception if the argument is not an ASN1_TIME. Previously, it would print a verbose-mode warning and return nil. OpenSSL::X509::Certificate#inspect should work even when the certificate is invalid. Let's handle this. https://github.com/ruby/openssl/commit/18c283f2b6 
In a newly allocated OpenSSL X509 object, the notBefore and notAfter
fields contain an ASN1_STRING object with type V_ASN1_UNDEF rather than
an ASN1_TIME.

Commit https://github.com/ruby/openssl/commit/73484f67949a made asn1time_to_time() stricter and it now raises
an exception if the argument is not an ASN1_TIME. Previously, it would
print a verbose-mode warning and return nil.

OpenSSL::X509::Certificate#inspect should work even when the certificate
is invalid. Let's handle this.

https://github.com/ruby/openssl/commit/18c283f2b6
[ruby/openssl] Revert "rewriting most of the asn1 init code in ruby" 2025-12-04T17:32:37+00:00 Kazuki Yamaguchi k@rhe.jp 2025-11-18T13:40:42+00:00 6fe1c1591106ef428f42cd5601be1cab994dae9a This reverts commit https://github.com/ruby/openssl/commit/830505172882. The commit is part of the bigger effort to rewrite OpenSSL::ASN1 in Ruby. OpenSSL::ASN1 is relatively isolated from the rest of ruby/openssl and is not tightly bound to the OpenSSL API. The current implementation also needs a major refactor for several reasons, so this remains a long-term goal. However, the work is not yet complete. We are close to releasing v4.0.0, and we want to avoid shipping fragmented code in a stable branch. The changes can be reapplied when the rest is ready. https://github.com/ruby/openssl/commit/362942dcbf 
This reverts commit https://github.com/ruby/openssl/commit/830505172882.

The commit is part of the bigger effort to rewrite OpenSSL::ASN1 in
Ruby. OpenSSL::ASN1 is relatively isolated from the rest of ruby/openssl
and is not tightly bound to the OpenSSL API. The current implementation
also needs a major refactor for several reasons, so this remains a
long-term goal.

However, the work is not yet complete. We are close to releasing v4.0.0,
and we want to avoid shipping fragmented code in a stable branch. The
changes can be reapplied when the rest is ready.

https://github.com/ruby/openssl/commit/362942dcbf
[ruby/openssl] pkey: unify error classes into PKeyError 2025-11-06T13:33:15+00:00 Kazuki Yamaguchi k@rhe.jp 2024-12-02T14:23:20+00:00 16b1aa4e4ab1b81914c58eae8b2f31c963b4bd4c Remove the following subclasses of OpenSSL::PKey::PKeyError and make them aliases of it. - OpenSSL::PKey::DHError - OpenSSL::PKey::DSAError - OpenSSL::PKey::ECError - OpenSSL::PKey::RSAError Historically, methods defined on OpenSSL::PKey and OpenSSL::PKey::PKey raise OpenSSL::PKey::PKeyError, while methods on the subclasses raise their respective exception classes. However, this distinction is not particularly useful since all those exception classes represent the same kind of errors from the underlying EVP_PKEY API. I think this convention comes from the fact that OpenSSL::PKey::{DH, DSA,RSA} originally wrapped the corresponding OpenSSL structs DH, DSA, and RSA, before they were unified to wrap EVP_PKEY, way back in 2002. OpenSSL::PKey::EC::Group::Error and OpenSSL::PKey::EC::Point::Error are out of scope of this change, as they are not subclasses of OpenSSL::PKey::PKeyError and do not represent errors from the EVP_PKEY API. https://github.com/ruby/openssl/commit/e74ff3e272 
Remove the following subclasses of OpenSSL::PKey::PKeyError and make
them aliases of it.

 - OpenSSL::PKey::DHError
 - OpenSSL::PKey::DSAError
 - OpenSSL::PKey::ECError
 - OpenSSL::PKey::RSAError

Historically, methods defined on OpenSSL::PKey and OpenSSL::PKey::PKey
raise OpenSSL::PKey::PKeyError, while methods on the subclasses raise
their respective exception classes. However, this distinction is not
particularly useful since all those exception classes represent the
same kind of errors from the underlying EVP_PKEY API.

I think this convention comes from the fact that OpenSSL::PKey::{DH,
DSA,RSA} originally wrapped the corresponding OpenSSL structs DH, DSA,
and RSA, before they were unified to wrap EVP_PKEY, way back in 2002.

OpenSSL::PKey::EC::Group::Error and OpenSSL::PKey::EC::Point::Error
are out of scope of this change, as they are not subclasses of
OpenSSL::PKey::PKeyError and do not represent errors from the EVP_PKEY
API.

https://github.com/ruby/openssl/commit/e74ff3e272
[ruby/openssl] ssl: allow SSLContext#set_params to be used from non-main Ractors 2025-10-08T14:27:16+00:00 Kazuki Yamaguchi k@rhe.jp 2025-08-01T15:48:38+00:00 a8b34d9a9beb5c8edb59acf045968795c12d87b8 Freeze OpenSSL::SSL::SSLContext::DEFAULT_PARAMS so that it becomes Ractor-shareable. Also, prepare a new OpenSSL::X509::Store in Ractor-local storage, if called from a non-main Ractor. OpenSSL::X509::Store currently is not a shareable object. https://github.com/ruby/openssl/commit/3d5271327c 
Freeze OpenSSL::SSL::SSLContext::DEFAULT_PARAMS so that it becomes
Ractor-shareable.

Also, prepare a new OpenSSL::X509::Store in Ractor-local storage, if
called from a non-main Ractor. OpenSSL::X509::Store currently is not a
shareable object.

https://github.com/ruby/openssl/commit/3d5271327c
[ruby/openssl] ssl: refactor tmp_dh_callback handling 2025-10-08T13:59:39+00:00 Kazuki Yamaguchi k@rhe.jp 2025-04-20T13:28:04+00:00 e4f12808318d743642e6c0a579b35df2eededd3c tmp_dh_callback no longer has a default value. It also no longer has to share code with tmp_ecdh_callback, which has been removed in v3.0.0. https://github.com/ruby/openssl/commit/b7cde6df2a 
tmp_dh_callback no longer has a default value. It also no longer has to
share code with tmp_ecdh_callback, which has been removed in v3.0.0.

https://github.com/ruby/openssl/commit/b7cde6df2a
[ruby/openssl] ssl: use SSL_CTX_set_dh_auto() by default 2025-10-08T13:59:39+00:00 Kazuki Yamaguchi k@rhe.jp 2025-04-20T11:26:00+00:00 ea79fe225cc28960595b53cf20e698ec5bbddb0e Rely on OpenSSL's builtin DH parameters for TLS 1.2 and earlier instead of providing a default SSLContext#tmp_dh_callback proc. SSL_CTX_set_dh_auto() has been available since OpenSSL 1.1.0. The parameters can still be overridden by specifying SSLContext#tmp_dh_callback or #tmp_dh, as confirmed by existing tests. SSLContext#tmp_dh_callback depends on a deprecated OpenSSL feature. We also prefer not to hard-code parameters, which is a maintenance burden. This change also improves Ractor compatibility by removing the unshareable proc. https://github.com/ruby/openssl/commit/9cfec9bf5e 
Rely on OpenSSL's builtin DH parameters for TLS 1.2 and earlier instead
of providing a default SSLContext#tmp_dh_callback proc.
SSL_CTX_set_dh_auto() has been available since OpenSSL 1.1.0.

The parameters can still be overridden by specifying
SSLContext#tmp_dh_callback or #tmp_dh, as confirmed by existing tests.

SSLContext#tmp_dh_callback depends on a deprecated OpenSSL feature. We
also prefer not to hard-code parameters, which is a maintenance burden.
This change also improves Ractor compatibility by removing the
unshareable proc.

https://github.com/ruby/openssl/commit/9cfec9bf5e
[ruby/openssl] Bump version number to 4.0.0.pre 2025-10-06T08:02:44+00:00 Kazuki Yamaguchi k@rhe.jp 2025-10-06T07:59:35+00:00 33808e0f7ccff30fd1d0d9565f0c15690d6e55c7 https://github.com/ruby/openssl/commit/64f4aae6bd 
https://github.com/ruby/openssl/commit/64f4aae6bd
[ruby/openssl] Ruby/OpenSSL 3.3.1 2025-10-06T07:56:55+00:00 Kazuki Yamaguchi k@rhe.jp 2025-10-06T07:16:57+00:00 224c17876ca5e9ae9aed9d9a219c74e22e79be11 https://github.com/ruby/openssl/commit/2b88a6d444 
https://github.com/ruby/openssl/commit/2b88a6d444