ruby.git/ext/openssl/ossl_ssl.c, branch v3_4_9 The Ruby Programming Language Update openssl gem to 3.3.1 for Ruby 3.4 (#14792) 2025-10-09T14:32:47+00:00 Bo Anderson mail@boanderson.me 2025-10-09T14:32:47+00:00 fce44db5eb7baf1ddd2238254c3cf617fcfd1112 Update openssl gem to 3.3.1 [Backport #21631] 
Update openssl gem to 3.3.1

[Backport #21631]
 [ruby/openssl] ssl: improve documentation of SSLContext#options= 2024-12-07T08:15:07+00:00 Kazuki Yamaguchi k@rhe.jp 2024-06-11T17:26:18+00:00 33196b7ab007c82ebd3fa3759850b1ddc10d50ef https://github.com/ruby/openssl/commit/9120fcde6a 
https://github.com/ruby/openssl/commit/9120fcde6a
[ruby/openssl] Mark variables and functions as static whenever possible 2024-12-07T07:55:47+00:00 Kazuki Yamaguchi k@rhe.jp 2024-10-29T19:03:05+00:00 1df63d9451459209c00f5e8db033f18d145cc741 https://github.com/ruby/openssl/commit/85d6b7f192 
https://github.com/ruby/openssl/commit/85d6b7f192
[ruby/openssl] ssl: handle callback exceptions in SSLSocket#sysread and #syswrite 2024-12-07T07:37:32+00:00 Kazuki Yamaguchi k@rhe.jp 2024-11-24T05:45:12+00:00 06fc13a15c72ecf77a638b45ea325d945bc7cc6d Check the ID_callback_state ivar after SSL_read() or SSL_write() returns, similar to what ossl_start_ssl() does. Previously, callbacks that can raise a Ruby exception were only called from ossl_start_ssl(). This has changed in OpenSSL 1.1.1. Particularly, the session_new_cb will be called whenever a client receives a NewSessionTicket message, which can happen at any time during a TLS 1.3 connection. https://github.com/ruby/openssl/commit/aac9ce1304 
Check the ID_callback_state ivar after SSL_read() or SSL_write()
returns, similar to what ossl_start_ssl() does.

Previously, callbacks that can raise a Ruby exception were only called
from ossl_start_ssl(). This has changed in OpenSSL 1.1.1. Particularly,
the session_new_cb will be called whenever a client receives a
NewSessionTicket message, which can happen at any time during a TLS 1.3
connection.

https://github.com/ruby/openssl/commit/aac9ce1304
[ruby/openssl] ssl: fix potential exception in servername_cb 2024-12-07T07:36:19+00:00 Kazuki Yamaguchi k@rhe.jp 2024-11-14T15:43:14+00:00 19acb3af2eb3dbad5f6ed2b56299298f968810fd ssl_servername_cb() is a callback function called from OpenSSL and Ruby exceptions must not be raised from it. Allocate the Array within rb_protect(). https://github.com/ruby/openssl/commit/3a2bf74d35 
ssl_servername_cb() is a callback function called from OpenSSL and Ruby
exceptions must not be raised from it. Allocate the Array within
rb_protect().

https://github.com/ruby/openssl/commit/3a2bf74d35
[ruby/openssl] ssl: remove redundant ossl_ssl_ex_vcb_idx 2024-10-31T08:28:34+00:00 Kazuki Yamaguchi k@rhe.jp 2024-09-05T10:01:14+00:00 339a8dd5e7da99e82129bcb7f8191f870e0866aa The SSL ex_data index is used for storing the verify_callback Proc. The only user of it, ossl_ssl_verify_callback(), can find the callback by looking at the SSLContext object which is always known. https://github.com/ruby/openssl/commit/3a3d6e258b 
The SSL ex_data index is used for storing the verify_callback Proc. The
only user of it, ossl_ssl_verify_callback(), can find the callback by
looking at the SSLContext object which is always known.

https://github.com/ruby/openssl/commit/3a3d6e258b
[ruby/openssl] Fix references to the license text 2024-06-08T10:59:17+00:00 Kazuki Yamaguchi k@rhe.jp 2024-05-01T08:10:44+00:00 69c0b1438a45938e79e63407035f116de4634dcb Update the references to the file "LICENCE" with "COPYING". The file LICENCE doesn't exist in ruby/ruby nor ruby/openssl. This has been always the case since OpenSSL for Ruby 2 was merged to the ruby tree as a standard library in 2003. In OpenSSL for Ruby 2's CVS repository[1], the LICENCE file contained an old version of the Ruby License, identical to the COPYING file that was in Ruby's tree at that time (r4128[2]). [1] http://cvs.savannah.gnu.org/viewvc/rubypki/ossl2/LICENCE?revision=1.1.1.1&view=markup [2] https://github.com/ruby/ruby/blob/231247c010acba191b78ed2d1310c935e63ad919/COPYING https://github.com/ruby/openssl/commit/5bccf07d04 
Update the references to the file "LICENCE" with "COPYING".

The file LICENCE doesn't exist in ruby/ruby nor ruby/openssl. This has
been always the case since OpenSSL for Ruby 2 was merged to the ruby
tree as a standard library in 2003.

In OpenSSL for Ruby 2's CVS repository[1], the LICENCE file contained
an old version of the Ruby License, identical to the COPYING file that
was in Ruby's tree at that time (r4128[2]).

[1] http://cvs.savannah.gnu.org/viewvc/rubypki/ossl2/LICENCE?revision=1.1.1.1&view=markup
[2] https://github.com/ruby/ruby/blob/231247c010acba191b78ed2d1310c935e63ad919/COPYING

https://github.com/ruby/openssl/commit/5bccf07d04
[ruby/openssl] read: don't clear buffer when nothing can be read 2024-05-05T08:00:00+00:00 Jean Boussier jean.boussier@gmail.com 2024-04-16T12:52:58+00:00 7d42010fad4be2dbb26bd7608a75aa1c51d5f9ef To be consistent with regular Ruby IOs: ```ruby r, _ = IO.pipe buf = "garbage".b r.read_nonblock(10, buf, exception: false) # => :wait_readable p buf # => "garbage" ``` Ref: https://github.com/redis-rb/redis-client/commit/98b8944460a11f8508217bda71cfc10cb2190d4d https://github.com/ruby/openssl/commit/08452993d6 
To be consistent with regular Ruby IOs:

```ruby
r, _ = IO.pipe
buf = "garbage".b
r.read_nonblock(10, buf, exception: false) # => :wait_readable
p buf # => "garbage"
```

Ref: https://github.com/redis-rb/redis-client/commit/98b8944460a11f8508217bda71cfc10cb2190d4d

https://github.com/ruby/openssl/commit/08452993d6
[ruby/openssl] Add support for IO#timeout. 2024-01-17T17:09:03+00:00 Samuel Williams samuel.williams@oriontransfer.co.nz 2024-01-17T17:08:59+00:00 4f634d3c85ca45b5995c1f37619784c99f2be62c (https://github.com/ruby/openssl/pull/714) * Add support for IO#timeout. https://github.com/ruby/openssl/commit/3bbf5178a9 
(https://github.com/ruby/openssl/pull/714)

* Add support for IO#timeout.

https://github.com/ruby/openssl/commit/3bbf5178a9
[ruby/openssl] ssl: raise SSLError if loading ca_file or ca_path fails 2023-08-16T05:48:41+00:00 Kazuki Yamaguchi k@rhe.jp 2023-08-09T17:45:15+00:00 01d368e7b06ccf34f92c535a117a2856956d2bcb When compiled with OpenSSL <= 1.1.1, OpenSSL::SSL::SSLContext#setup does not raise an exception on an error return from SSL_CTX_load_verify_locations(), but instead only prints a verbose-mode warning. This is not helpful since it very likely indicates an actual error, such as the specified file not being readable. Also, OpenSSL's error queue is not correctly cleared: $ ruby -w -ropenssl -e'OpenSSL.debug=true; ctx=OpenSSL::SSL::SSLContext.new; ctx.ca_file="bad-path"; ctx.setup; pp OpenSSL.errors' -e:1: warning: can't set verify locations ["error:02001002:system library:fopen:No such file or directory", "error:2006D080:BIO routines:BIO_new_file:no such file", "error:0B084002:x509 certificate routines:X509_load_cert_crl_file: system lib"] The behavior is currently different when compiled with OpenSSL >= 3.0: SSLError is raised if SSL_CTX_load_verify_file() or SSL_CTX_load_verify_dir() fails. This inconsistency was unintentionally introduced by commit https://github.com/ruby/openssl/commit/5375a55ffc35 ("ssl: use SSL_CTX_load_verify_{file,dir}() if available", 2020-02-22). However, raising SSLError seems more appropriate in this situation. Let's adjust the OpenSSL <= 1.1.1 code so that it behaves the same way as the OpenSSL >= 3.0 code currently does. Fixes: https://github.com/ruby/openssl/issues/649 https://github.com/ruby/openssl/commit/7eb10f7b75 
When compiled with OpenSSL <= 1.1.1, OpenSSL::SSL::SSLContext#setup
does not raise an exception on an error return from
SSL_CTX_load_verify_locations(), but instead only prints a verbose-mode
warning. This is not helpful since it very likely indicates an actual
error, such as the specified file not being readable.

Also, OpenSSL's error queue is not correctly cleared:

	$ ruby -w -ropenssl -e'OpenSSL.debug=true; ctx=OpenSSL::SSL::SSLContext.new; ctx.ca_file="bad-path"; ctx.setup; pp OpenSSL.errors'
	-e:1: warning: can't set verify locations
	["error:02001002:system library:fopen:No such file or directory",
	 "error:2006D080:BIO routines:BIO_new_file:no such file",
	 "error:0B084002:x509 certificate routines:X509_load_cert_crl_file: system lib"]

The behavior is currently different when compiled with OpenSSL >= 3.0:
SSLError is raised if SSL_CTX_load_verify_file() or
SSL_CTX_load_verify_dir() fails.

This inconsistency was unintentionally introduced by commit https://github.com/ruby/openssl/commit/5375a55ffc35
("ssl: use SSL_CTX_load_verify_{file,dir}() if available", 2020-02-22).
However, raising SSLError seems more appropriate in this situation.
Let's adjust the OpenSSL <= 1.1.1 code so that it behaves the same way
as the OpenSSL >= 3.0 code currently does.

Fixes: https://github.com/ruby/openssl/issues/649

https://github.com/ruby/openssl/commit/7eb10f7b75