ruby.git/ext/openssl, branch v3_2_11

[ruby/openssl] ssl: remove OpenSSL::X509::V_FLAG_CRL_CHECK_ALL from the default store

2025-10-09T05:00:36+00:00

With OpenSSL 3.6.0, it causes nearly every certificate verification to
fail with the message "certificate verify failed (unable to get
certificate CRL)" because the CRLs are typically unavailable in the
default store used by OpenSSL::SSL::SSLContext#set_params.

OpenSSL::X509::V_FLAG_CRL_CHECK_ALL is a flag that extends the CRL
checking to all certificates in the chain. In OpenSSL < 3.6.0, the flag
alone has no effect, and OpenSSL::X509::V_FLAG_CRL_CHECK must also be
set to enable CRL checking.

In OpenSSL 3.6.0, OpenSSL::X509::V_FLAG_CRL_CHECK_ALL now implies
OpenSSL::X509::V_FLAG_CRL_CHECK. This is inconsistent with the man page
and may be fixed in a future OpenSSL 3.6.x release, but this flag is not
needed and should not be set by default.

Fixes https://github.com/ruby/openssl/issues/949

https://github.com/ruby/openssl/commit/e8481cd687

merge revision(s) d2cd903c85f38f42c6aefc6d97a1558f74d8d9db:

2024-03-10T10:12:31+00:00

	[ruby/openssl] pkey/ec: constify

	https://github.com/ruby/openssl/commit/6fb3499a7b
	---
	 ext/openssl/ossl_pkey_ec.c | 2 +-
	 1 file changed, 1 insertion(+), 1 deletion(-)

Revert the additional change from openssl-3.1.0

2022-12-23T10:37:24+00:00

  Revert "[ruby/openssl] pkey/ec: constify"

  This reverts commit d2cd903c85f38f42c6aefc6d97a1558f74d8d9db.

[ruby/openssl] pkey/ec: constify

2022-12-23T02:42:15+00:00

https://github.com/ruby/openssl/commit/6fb3499a7b

[ruby/openssl] Ruby/OpenSSL 3.1.0

2022-12-23T00:39:15+00:00

https://github.com/ruby/openssl/commit/c2f7d775c6

[ruby/openssl] Ruby/OpenSSL 3.0.2

2022-12-23T00:39:15+00:00

https://github.com/ruby/openssl/commit/48b79333e0

[ruby/openssl] Ruby/OpenSSL 2.2.3

2022-12-23T00:39:15+00:00

https://github.com/ruby/openssl/commit/04acccd692

[ruby/openssl] pkey/ec: check private key validity with OpenSSL 3

2022-12-23T00:39:15+00:00

The behavior of EVP_PKEY_public_check changed between OpenSSL 1.1.1
and 3.0 so that it no longer validates the private key. Instead, private
keys can be validated through EVP_PKEY_private_check and
EVP_PKEY_pairwise_check.

[ky: simplified condition to use either EVP_PKEY_check() or
EVP_PKEY_public_check().]

https://github.com/ruby/openssl/commit/e38a63ab3d

[ruby/openssl] Undefine `OpenSSL::SSL` for no socket platforms

2022-12-23T00:39:15+00:00

This fixes a linkage error about `ossl_ssl_type` on platforms which do
not have socket, like WASI.

Even before this patch, some items are disabled under `OPENSSL_NO_SOCK` since
https://github.com/ruby/ruby/commit/ee22fad45d394818690c4a7586d7bb576ba67c56
However, due to some new use of OpenSSL::SSL::Socket over the past few years,
the build under `OPENSSL_NO_SOCK` had been broken.

This patch guards whole `OpenSSL::SSL` items by `OPENSSL_NO_SOCK`.

[ky: adjusted to apply on top of my previous commit that removed the
OpenSSL::ExtConfig, and added a guard to lib/openssl/ssl.rb.]

https://github.com/ruby/openssl/commit/b0cfac6a96

[ruby/openssl] ssl: remove OpenSSL::ExtConfig

2022-12-23T00:39:15+00:00

This module was introduced in 2015 for internal use within this library.
Neither of the two constants in it is used anymore. I don't think we
will be adding a new constant in the foreseeable future, either.

OPENSSL_NO_SOCK is unused since commit https://github.com/ruby/openssl/commit/998d66712a78 (r55191).
HAVE_TLSEXT_HOST_NAME is unused since commit https://github.com/ruby/openssl/commit/4eb4b3297a92.

https://github.com/ruby/openssl/commit/eed3894bda