1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
|
Version 2.0.0
=============
This is the first release of openssl gem, formerly a standard library of Ruby,
ext/openssl. This is the successor of the version included in Ruby 2.3.
Compatibility notes
-------------------
* Support for OpenSSL version 0.9.6 and 0.9.7 is completely removed. openssl gem
still works with OpenSSL 0.9.8, but users are strongly encouraged to upgrade
to at least 1.0.1, as OpenSSL < 1.0.1 will not receive any security fixes from
the OpenSSL development team.
Supported platforms
-------------------
* OpenSSL 1.0.0, 1.0.1, 1.0.2, 1.1.0
* OpenSSL < 0.9.8 is no longer supported.
* LibreSSL 2.3, 2.4, 2.5
* Ruby 2.3, 2.4
Notable changes
---------------
* Add support for OpenSSL 1.1.0. [[Feature #12324]](https://bugs.ruby-lang.org/issues/12324)
* Add support for LibreSSL
* OpenSSL::Cipher
- OpenSSL::Cipher#key= and #iv= reject too long inputs. They used to truncate
silently. [[Bug #12561]](https://bugs.ruby-lang.org/issues/12561)
- OpenSSL::Cipher#iv_len= is added. It allows changing IV (nonce) length if
using AEAD ciphers.
[[Bug #8667]](https://bugs.ruby-lang.org/issues/8667),
[[Bug #10420]](https://bugs.ruby-lang.org/issues/10420),
[[GH ruby/ruby#569]](https://github.com/ruby/ruby/pull/569),
[[GH ruby/openssl#58]](https://github.com/ruby/openssl/pull/58)
- OpenSSL::Cipher#auth_tag_len= is added. This sets the authentication tag
length to be generated by an AEAD cipher.
* OpenSSL::OCSP
- Accessor methods are added to OpenSSL::OCSP::CertificateId.
[[Feature #7181]](https://bugs.ruby-lang.org/issues/7181)
- OpenSSL::OCSP::Request and BasicResponse can be signed with non-SHA-1 hash
algorithm. [[Feature #11552]](https://bugs.ruby-lang.org/issues/11552)
- OpenSSL::OCSP::CertificateId and BasicResponse can be encoded into DER.
- A new class OpenSSL::OCSP::SingleResponse is added for convenience.
- OpenSSL::OCSP::BasicResponse#add_status accepts absolute times. They used to
accept only relative seconds from the current time.
* OpenSSL::PKey
- OpenSSL::PKey::EC follows the general PKey interface.
[[Bug #6567]](https://bugs.ruby-lang.org/issues/6567)
- OpenSSL::PKey.read raises OpenSSL::PKey::PKeyError instead of ArgumentError
for consistency with OpenSSL::PKey::{DH,DSA,RSA,EC}#new.
[[Bug #11774]](https://bugs.ruby-lang.org/issues/11774),
[[GH ruby/openssl#55]](https://github.com/ruby/openssl/pull/55)
- OpenSSL::PKey::EC::Group retrieved by OpenSSL::PKey::EC#group is no longer
linked with the EC key. Modifications to the EC::Group have no effect on the
key. [[GH ruby/openssl#71]](https://github.com/ruby/openssl/pull/71)
- OpenSSL::PKey::EC::Point#to_bn allows specifying the point conversion form
by the optional argument.
* OpenSSL::SSL
- OpenSSL::SSL::SSLSocket#tmp_key is added. A client can call it after the
connection is established to retrieve the ephemeral key.
[[GH ruby/ruby#1318]](https://github.com/ruby/ruby/pull/1318)
- The automatic ephemeral ECDH curve selection is enabled by default when
built with OpenSSL >= 1.0.2 or LibreSSL.
- OpenSSL::SSL::SSLContext#security_level= is added. You can set the "security
level" of the SSL context. This is effective only when built with OpenSSL
1.1.0.
- A new option 'verify_hostname' is added to OpenSSL::SSL::SSLContext. When it
is enabled, and the SNI hostname is also set, the hostname verification on
the server certificate is automatically performed. It is now enabled by
OpenSSL::SSL::Context#set_params.
[[GH ruby/openssl#60]](https://github.com/ruby/openssl/pull/60)
Removals
--------
* OpenSSL::Engine
- OpenSSL::Engine.cleanup does nothing when built with OpenSSL 1.1.0.
* OpenSSL::SSL
- OpenSSL::PKey::DH::DEFAULT_512 is removed. Hence servers no longer use
512-bit DH group by default. It is considered too weak nowadays.
[[Bug #11968]](https://bugs.ruby-lang.org/issues/11968),
[[GH ruby/ruby#1196]](https://github.com/ruby/ruby/pull/1196)
- RC4 cipher suites are removed from OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.
RC4 is now considered to be weak.
[[GH ruby/openssl#50]](https://github.com/ruby/openssl/pull/50)
Deprecations
------------
* OpenSSL::PKey
- OpenSSL::PKey::RSA#n=, #e=, #d=, #p=, #q=, #dmp1=, #dmq1=, #iqmp=,
OpenSSL::PKey::DSA#p=, #q=, #g=, #priv_key=, #pub_key=,
OpenSSL::PKey::DH#p=, #g=, #priv_key= and #pub_key= are deprecated. They are
disabled when built with OpenSSL 1.1.0, due to its API change. Instead,
OpenSSL::PKey::RSA#set_key, #set_factors, #set_crt_params,
OpenSSL::PKey::DSA#set_pqg, #set_key, OpenSSL::PKey::DH#set_pqg and #set_key
are added.
* OpenSSL::Random
- OpenSSL::Random.pseudo_bytes is deprecated, and not defined when built with
OpenSSL 1.1.0. Use OpenSSL::Random.random_bytes instead.
* OpenSSL::SSL
- OpenSSL::SSL::SSLContext#tmp_ecdh_callback is deprecated, as the underlying
API SSL_CTX_set_tmp_ecdh_callback() is removed in OpenSSL 1.1.0. It was
first added in Ruby 2.3.0. To specify the curve to be used in ephemeral
ECDH, use OpenSSL::SSL::SSLContext#ecdh_curves=. The automatic curve
selection is also now enabled by default when built with a capable OpenSSL.
|
