ruby.git/test/openssl, branch v3_4_9 The Ruby Programming Language Update openssl gem to 3.3.1 for Ruby 3.4 (#14792) 2025-10-09T14:32:47+00:00 Bo Anderson mail@boanderson.me 2025-10-09T14:32:47+00:00 fce44db5eb7baf1ddd2238254c3cf617fcfd1112 Update openssl gem to 3.3.1 [Backport #21631] 
Update openssl gem to 3.3.1

[Backport #21631]
 [ruby/openssl] ssl: fix flaky test case test_ctx_client_session_cb_tls13_exception 2024-12-21T18:33:03+00:00 Kazuki Yamaguchi k@rhe.jp 2024-12-20T11:48:54+00:00 2a3f2412b704cfd4eb34c90e2032e3e2d40d3ae2 In the test case, the client raises an exception in the session_new_cb and may not cleanly close the connection. Let's ignore exceptions raised at the server side. Fixes: https://github.com/ruby/openssl/issues/828 https://github.com/ruby/openssl/commit/210ba0334a 
In the test case, the client raises an exception in the session_new_cb
and may not cleanly close the connection. Let's ignore exceptions raised
at the server side.

Fixes: https://github.com/ruby/openssl/issues/828

https://github.com/ruby/openssl/commit/210ba0334a
[ruby/openssl] cipher: make output buffer String independent 2024-12-21T18:33:03+00:00 Kazuki Yamaguchi k@rhe.jp 2024-12-10T14:06:00+00:00 637f019f1f7611ba41f761a1b17e4228661d0a5b OpenSSL::Cipher#update accepts a String as the second argument to be used as the output buffer. The buffer must be directly writable, in other words, it must not be frozen and not a shared string. rb_str_resize() does not make the String independent if the String already has the intended length. Use the rb_str_modify() family instead to check it. Fixes: https://bugs.ruby-lang.org/issues/20937 https://github.com/ruby/openssl/commit/1de3b80a46 
OpenSSL::Cipher#update accepts a String as the second argument to be
used as the output buffer. The buffer must be directly writable, in
other words, it must not be frozen and not a shared string.

rb_str_resize() does not make the String independent if the String
already has the intended length. Use the rb_str_modify() family instead
to check it.

Fixes: https://bugs.ruby-lang.org/issues/20937

https://github.com/ruby/openssl/commit/1de3b80a46
[ruby/openssl] pkcs12: add PKCS12#set_mac 2024-12-21T18:33:03+00:00 Kazuki Yamaguchi k@rhe.jp 2024-07-03T10:40:07+00:00 c79b4354074742ca1cbbb25a4f04bbffeb58407d Add a binding for PKCS12_set_mac() to set MAC parameters and (re-)calculate MAC for the content. This allows generating PKCS #12 with consistent MAC parameters with different OpenSSL versions. OpenSSL 3.0 changed the default hash function used for HMAC and the KDF from SHA-1 to SHA-256. Fixes: https://github.com/ruby/openssl/issues/772 https://github.com/ruby/openssl/commit/f5ed2a74b6 
Add a binding for PKCS12_set_mac() to set MAC parameters and
(re-)calculate MAC for the content.

This allows generating PKCS #12 with consistent MAC parameters with
different OpenSSL versions. OpenSSL 3.0 changed the default hash
function used for HMAC and the KDF from SHA-1 to SHA-256.

Fixes: https://github.com/ruby/openssl/issues/772

https://github.com/ruby/openssl/commit/f5ed2a74b6
[ruby/openssl] ssl: do not clear existing SSL options in SSLContext#set_params 2024-12-07T08:15:08+00:00 Kazuki Yamaguchi k@rhe.jp 2024-06-11T18:01:54+00:00 c9bbf7e3eba9d42983d89b07273f4f31e9ca8d0e Apply SSL options set in DEFAULT_PARAMS without clearing existing options. It currently clears options in order to avoid setting one of the options included in OpenSSL::SSL::OP_ALL unless explicitly specified, namely OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS. Now that OpenSSL::SSL::OP_ALL has been removed from SSLContext#initialize, it is no longer necessary. https://github.com/ruby/openssl/commit/77c3db2d65 
Apply SSL options set in DEFAULT_PARAMS without clearing existing
options.

It currently clears options in order to avoid setting one of the
options included in OpenSSL::SSL::OP_ALL unless explicitly specified,
namely OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS. Now that
OpenSSL::SSL::OP_ALL has been removed from SSLContext#initialize, it is
no longer necessary.

https://github.com/ruby/openssl/commit/77c3db2d65
[ruby/openssl] ssl: do not enable OpenSSL::SSL::OP_ALL by default 2024-12-07T08:15:08+00:00 Kazuki Yamaguchi k@rhe.jp 2024-06-11T17:29:46+00:00 510c190739b83cfa4fdb56e9d9c0578af25c9c6a Respect the SSL options set by default by SSL_CTX() and by the system-wide OpenSSL configuration file. OpenSSL::SSL::SSLContext#initialize currently adds OpenSSL::SSL::OP_ALL on top of the default SSL options. Let's stop doing it. OpenSSL::SSL::OP_ALL is a set of options that changes OpenSSL's behavior to workaround various TLS implementation bugs. Using it is considered usually safe, but is not completely harmless. https://github.com/ruby/openssl/commit/00bec0d905 
Respect the SSL options set by default by SSL_CTX() and by the
system-wide OpenSSL configuration file.

OpenSSL::SSL::SSLContext#initialize currently adds OpenSSL::SSL::OP_ALL
on top of the default SSL options. Let's stop doing it.

OpenSSL::SSL::OP_ALL is a set of options that changes OpenSSL's behavior
to workaround various TLS implementation bugs. Using it is considered
usually safe, but is not completely harmless.

https://github.com/ruby/openssl/commit/00bec0d905
[ruby/openssl] make configs shareable when frozen 2024-12-07T07:52:02+00:00 HoneyryderChuck cardoso_tiago@hotmail.com 2024-11-25T08:53:16+00:00 5444885726bbb1b75bbc1c7a04a3837efb87b7d0 https://github.com/ruby/openssl/commit/654cb22e21 
https://github.com/ruby/openssl/commit/654cb22e21
[ruby/openssl] make config frozen on initialize 2024-12-07T07:52:01+00:00 HoneyryderChuck cardoso_tiago@hotmail.com 2024-11-25T08:51:37+00:00 2a006fe54b2596f67db8f1ef8697f12e61789b37 https://github.com/ruby/openssl/commit/50599513cf 
https://github.com/ruby/openssl/commit/50599513cf
[ruby/openssl] ssl: handle callback exceptions in SSLSocket#sysread and #syswrite 2024-12-07T07:37:32+00:00 Kazuki Yamaguchi k@rhe.jp 2024-11-24T05:45:12+00:00 06fc13a15c72ecf77a638b45ea325d945bc7cc6d Check the ID_callback_state ivar after SSL_read() or SSL_write() returns, similar to what ossl_start_ssl() does. Previously, callbacks that can raise a Ruby exception were only called from ossl_start_ssl(). This has changed in OpenSSL 1.1.1. Particularly, the session_new_cb will be called whenever a client receives a NewSessionTicket message, which can happen at any time during a TLS 1.3 connection. https://github.com/ruby/openssl/commit/aac9ce1304 
Check the ID_callback_state ivar after SSL_read() or SSL_write()
returns, similar to what ossl_start_ssl() does.

Previously, callbacks that can raise a Ruby exception were only called
from ossl_start_ssl(). This has changed in OpenSSL 1.1.1. Particularly,
the session_new_cb will be called whenever a client receives a
NewSessionTicket message, which can happen at any time during a TLS 1.3
connection.

https://github.com/ruby/openssl/commit/aac9ce1304
[ruby/openssl] Support signing CRLs using Ed25519 2024-11-22T17:26:03+00:00 Josh Cooper joshcooper@users.noreply.github.com 2024-10-29T21:18:32+00:00 b4d13fac3dd5420475aa1e14fdad8137da7e3ee0 Allow CRLs to be signed using Ed25519 private keys by passing a nil digest. https://github.com/ruby/openssl/commit/b62375bcde 
Allow CRLs to be signed using Ed25519 private keys by passing a nil digest.

https://github.com/ruby/openssl/commit/b62375bcde