ruby.git/ext/openssl/ossl_ssl.c, branch v3_3_11 The Ruby Programming Language [ruby/openssl] ssl: raise SSLError if loading ca_file or ca_path fails 2023-08-16T05:48:41+00:00 Kazuki Yamaguchi k@rhe.jp 2023-08-09T17:45:15+00:00 01d368e7b06ccf34f92c535a117a2856956d2bcb When compiled with OpenSSL <= 1.1.1, OpenSSL::SSL::SSLContext#setup does not raise an exception on an error return from SSL_CTX_load_verify_locations(), but instead only prints a verbose-mode warning. This is not helpful since it very likely indicates an actual error, such as the specified file not being readable. Also, OpenSSL's error queue is not correctly cleared: $ ruby -w -ropenssl -e'OpenSSL.debug=true; ctx=OpenSSL::SSL::SSLContext.new; ctx.ca_file="bad-path"; ctx.setup; pp OpenSSL.errors' -e:1: warning: can't set verify locations ["error:02001002:system library:fopen:No such file or directory", "error:2006D080:BIO routines:BIO_new_file:no such file", "error:0B084002:x509 certificate routines:X509_load_cert_crl_file: system lib"] The behavior is currently different when compiled with OpenSSL >= 3.0: SSLError is raised if SSL_CTX_load_verify_file() or SSL_CTX_load_verify_dir() fails. This inconsistency was unintentionally introduced by commit https://github.com/ruby/openssl/commit/5375a55ffc35 ("ssl: use SSL_CTX_load_verify_{file,dir}() if available", 2020-02-22). However, raising SSLError seems more appropriate in this situation. Let's adjust the OpenSSL <= 1.1.1 code so that it behaves the same way as the OpenSSL >= 3.0 code currently does. Fixes: https://github.com/ruby/openssl/issues/649 https://github.com/ruby/openssl/commit/7eb10f7b75 
When compiled with OpenSSL <= 1.1.1, OpenSSL::SSL::SSLContext#setup
does not raise an exception on an error return from
SSL_CTX_load_verify_locations(), but instead only prints a verbose-mode
warning. This is not helpful since it very likely indicates an actual
error, such as the specified file not being readable.

Also, OpenSSL's error queue is not correctly cleared:

	$ ruby -w -ropenssl -e'OpenSSL.debug=true; ctx=OpenSSL::SSL::SSLContext.new; ctx.ca_file="bad-path"; ctx.setup; pp OpenSSL.errors'
	-e:1: warning: can't set verify locations
	["error:02001002:system library:fopen:No such file or directory",
	 "error:2006D080:BIO routines:BIO_new_file:no such file",
	 "error:0B084002:x509 certificate routines:X509_load_cert_crl_file: system lib"]

The behavior is currently different when compiled with OpenSSL >= 3.0:
SSLError is raised if SSL_CTX_load_verify_file() or
SSL_CTX_load_verify_dir() fails.

This inconsistency was unintentionally introduced by commit https://github.com/ruby/openssl/commit/5375a55ffc35
("ssl: use SSL_CTX_load_verify_{file,dir}() if available", 2020-02-22).
However, raising SSLError seems more appropriate in this situation.
Let's adjust the OpenSSL <= 1.1.1 code so that it behaves the same way
as the OpenSSL >= 3.0 code currently does.

Fixes: https://github.com/ruby/openssl/issues/649

https://github.com/ruby/openssl/commit/7eb10f7b75
[ruby/openssl] ssl: adjust "certificate verify failed" error on SSL_ERROR_SYSCALL 2023-08-16T05:48:39+00:00 Kazuki Yamaguchi k@rhe.jp 2023-06-07T07:01:01+00:00 cb344e4e25c0979e2dfd1492fb91eef137bf059f Enrich SSLError's message with the low-level certificate verification result, even if SSL_get_error() returns SSL_ERROR_SYSCALL. This is currently done on SSL_ERROR_SSL only. According to the man page of SSL_get_error(), SSL_ERROR_SYSCALL may be returned for "other errors, check the error queue for details". This apparently means we have to treat SSL_ERROR_SYSCALL, if errno is not set, as equivalent to SSL_ERROR_SSL. https://github.com/ruby/openssl/commit/5113777e82 
Enrich SSLError's message with the low-level certificate verification
result, even if SSL_get_error() returns SSL_ERROR_SYSCALL. This is
currently done on SSL_ERROR_SSL only.

According to the man page of SSL_get_error(), SSL_ERROR_SYSCALL may be
returned for "other errors, check the error queue for details". This
apparently means we have to treat SSL_ERROR_SYSCALL, if errno is not
set, as equivalent to SSL_ERROR_SSL.

https://github.com/ruby/openssl/commit/5113777e82
[ruby/openssl] ssl: adjust styles of ossl_start_ssl() 2023-08-16T05:48:39+00:00 Kazuki Yamaguchi k@rhe.jp 2023-06-07T06:52:52+00:00 66a70582f4d7fea5dffac5925484640337d15e7f Expand tabs, insert some spaces, and adjust indentation of switch-case to match Ruby's style. https://github.com/ruby/openssl/commit/10833aa8f6 
Expand tabs, insert some spaces, and adjust indentation of switch-case
to match Ruby's style.

https://github.com/ruby/openssl/commit/10833aa8f6
[ruby/openssl] Implement Write Barrier for all OpenSSL types 2023-06-18T16:57:09+00:00 Jean Boussier jean.boussier@gmail.com 2023-03-13T08:51:53+00:00 1965c09ee50b5202d45462cd8bc6224ca6e45ae9 The vast majority have no reference so it's just a matter of setting the flags. For the couple exception, they have very little references so it's easy. https://github.com/ruby/openssl/commit/2c7c6de69e 
The vast majority have no reference so it's just a matter of setting the flags.

For the couple exception, they have very little references so it's
easy.

https://github.com/ruby/openssl/commit/2c7c6de69e
[ruby/openssl] Remove usage of IO internals. 2023-05-29T13:01:58+00:00 Samuel Williams samuel.williams@oriontransfer.co.nz 2023-05-29T13:01:58+00:00 98f500d0958d12b1909f4638abf33682d75f3fe6 






[ruby/openssl] Undefine `OpenSSL::SSL` for no socket platforms
2022-12-23T00:39:15+00:00

Yuta Saito
kateinoigakukun@gmail.com

2022-10-31T11:07:57+00:00

782777a803f990f688579db50c938d1a80a5f24a

This fixes a linkage error about `ossl_ssl_type` on platforms which do
not have socket, like WASI.

Even before this patch, some items are disabled under `OPENSSL_NO_SOCK` since
https://github.com/ruby/ruby/commit/ee22fad45d394818690c4a7586d7bb576ba67c56
However, due to some new use of OpenSSL::SSL::Socket over the past few years,
the build under `OPENSSL_NO_SOCK` had been broken.

This patch guards whole `OpenSSL::SSL` items by `OPENSSL_NO_SOCK`.

[ky: adjusted to apply on top of my previous commit that removed the
OpenSSL::ExtConfig, and added a guard to lib/openssl/ssl.rb.]

https://github.com/ruby/openssl/commit/b0cfac6a96





This fixes a linkage error about `ossl_ssl_type` on platforms which do
not have socket, like WASI.

Even before this patch, some items are disabled under `OPENSSL_NO_SOCK` since
https://github.com/ruby/ruby/commit/ee22fad45d394818690c4a7586d7bb576ba67c56
However, due to some new use of OpenSSL::SSL::Socket over the past few years,
the build under `OPENSSL_NO_SOCK` had been broken.

This patch guards whole `OpenSSL::SSL` items by `OPENSSL_NO_SOCK`.

[ky: adjusted to apply on top of my previous commit that removed the
OpenSSL::ExtConfig, and added a guard to lib/openssl/ssl.rb.]

https://github.com/ruby/openssl/commit/b0cfac6a96







[ruby/openssl] ssl: remove OpenSSL::ExtConfig
2022-12-23T00:39:15+00:00

Kazuki Yamaguchi
k@rhe.jp

2022-12-22T19:34:43+00:00

e6ca6443299b48f906662b438e5267d876d21a1e

This module was introduced in 2015 for internal use within this library.
Neither of the two constants in it is used anymore. I don't think we
will be adding a new constant in the foreseeable future, either.

OPENSSL_NO_SOCK is unused since commit https://github.com/ruby/openssl/commit/998d66712a78 (r55191).
HAVE_TLSEXT_HOST_NAME is unused since commit https://github.com/ruby/openssl/commit/4eb4b3297a92.

https://github.com/ruby/openssl/commit/eed3894bda





This module was introduced in 2015 for internal use within this library.
Neither of the two constants in it is used anymore. I don't think we
will be adding a new constant in the foreseeable future, either.

OPENSSL_NO_SOCK is unused since commit https://github.com/ruby/openssl/commit/998d66712a78 (r55191).
HAVE_TLSEXT_HOST_NAME is unused since commit https://github.com/ruby/openssl/commit/4eb4b3297a92.

https://github.com/ruby/openssl/commit/eed3894bda







[ruby/openssl] ssl: disable NPN support on LibreSSL
2022-12-23T00:39:15+00:00

Kazuki Yamaguchi
k@rhe.jp

2022-10-17T08:33:37+00:00

dd6f3276e07f8f731a3bbcbdd58525ee6dd6581e

As noted in commit https://github.com/ruby/openssl/commit/a2ed156cc9f1 ("test/test_ssl: do not run NPN tests
for LibreSSL >= 2.6.1", 2017-08-13), NPN is known not to work properly
on LibreSSL.

Disable NPN support on LibreSSL, whether OPENSSL_NO_NEXTPROTONEG is
defined or not.

NPN is less relevant today anyway. Let's also silence test suite when
it's not available.

https://github.com/ruby/openssl/commit/289f6e0e1f





As noted in commit https://github.com/ruby/openssl/commit/a2ed156cc9f1 ("test/test_ssl: do not run NPN tests
for LibreSSL >= 2.6.1", 2017-08-13), NPN is known not to work properly
on LibreSSL.

Disable NPN support on LibreSSL, whether OPENSSL_NO_NEXTPROTONEG is
defined or not.

NPN is less relevant today anyway. Let's also silence test suite when
it's not available.

https://github.com/ruby/openssl/commit/289f6e0e1f







[ruby/openssl] ssl: update TLS1_3_VERSION workaround for older LibreSSL versions
2022-12-23T00:39:15+00:00

Kazuki Yamaguchi
k@rhe.jp

2022-10-17T07:52:46+00:00

d6c16dd3e67ea5aa58a2f17dc8aa8aa977ded99a

The macro is now defined by default in LibreSSL 3.4+. Let's document it
for future readers.

https://github.com/ruby/openssl/commit/935698e9f9





The macro is now defined by default in LibreSSL 3.4+. Let's document it
for future readers.

https://github.com/ruby/openssl/commit/935698e9f9







[ruby/openssl] Constify when building with OpenSSL 3
2022-12-23T00:39:15+00:00

Nobuyoshi Nakada
nobu@ruby-lang.org

2022-07-08T15:17:25+00:00

d7d1bb3e871108b787d67da1f0d11d317bdfacf7

https://github.com/ruby/openssl/commit/c0023822fe





https://github.com/ruby/openssl/commit/c0023822fe