Allow Puma to compile when built without SSL, load SSL files on demand

[MSP-Greg]

Description

Currently, Puma will not function if built without SSL support. Also, SSL related files are all loaded regardless, so make them load-on-demand.

Changes

1. Allows compiling without OpenSSL & runs 'no ssl' CI on a few jobs
2. SSL test (now Puma::HAS_SSL or Puma.ssl?) relies on classes that only exist in the compiled extension if properly compiled with OpenSSL.
3. If compiled with 'no ssl', don't load ssl related files in Puma. Also, don't load Ruby MRI OpenSSL. JRuby currently requires it for some reason. (?)

Commits (need to be squashed for bisect)

1. 'Adjust code for compiling without SSL (MRI & JRuby), add ssl detection' - Removes MiniSSL.check, replace with Puma::HAS_SSL or Puma.ssl?

2. 'Adjust test files for 'no ssl' compile'

3. 'Actions - add 'no ssl' workflow, puma-no-ssl.yml' - three jobs: Ubuntu-20.04 with 2.7 & JRuby, and Windows 2.7

4. 'Update History.md'

5. 'README.md - add 'SSL Connection Support' section'

Your checklist for this pull request

• I have reviewed the guidelines for contributing to this repository.
• I have added an entry to History.md if this PR fixes a bug or adds a feature. If it doesn't need an entry to HISTORY.md, I have added [changelog skip] the pull request title.
• I have added appropriate tests if this PR fixes a bug or adds a feature.
• My pull request is 100 lines added/removed or less so that it can be easily reviewed.
• If this PR doesn't need tests (docs change), I added [ci skip] to the title of the PR.
• If this closes any issues, I have added "Closes #issue" to the PR description or my commit messages.
• I have updated the documentation accordingly.
• All new and existing tests passed, including Rubocop.

[sj26]

Thanks for the quick work on this! Sorry it took me a while to test it, complications. But I just gave it a go and it works great. 👍

[eregon]

This should be a better check, silently skipping tests if e.g. there is a typo, seems bad.

[MSP-Greg]

That check is to not load minissl.rb if MRI Puma wasn't compiled with SSL support. Similar checks for some of the tests also. The silent skips will only happen when Puma isn't compiled with SSL support. I'm working with it in my fork (adding a 'none SSL' job) and locally. JFYI, working with JRuby head locally.

[nateberkopec]

I think we can leave a comment (or add a new method to Puma detect) to explain.

[MSP-Greg]

Ok. Let me think about that (MRI/JRuby/TruffleRuby). Puma detect is good, but it overlaps with Puma::MiniSSL.check. Maybe lose Puma::MiniSSL.check and have a method in detect that returns a boolean rather than the damn error in Puma::MiniSSL.check. Someone using it with UNIXSockets may chose to compile without OpenSSL... Sorry, rant off.

[nateberkopec]

Hmm, how do we want to do CI for this? Just trigger it with an environment variable?

[MSP-Greg]

Hmm, how do we want to do CI for this? Just trigger it with an environment variable?

I was looking at that this week, and didn't finish. extconf.rb works with MRI, but I'm not sure about other platforms?

[nateberkopec]

Well MRI is the only platform we're worried about supporting w/o SSL, though, right?

[MSP-Greg]

Well MRI is the only platform we're worried about supporting w/o SSL, though, right?

No, I need to check it with JRuby, I'll also check against TruffleRuby, but I think it should behave similar to MRI... (?)

[MSP-Greg]

I believe I've got JRuby compiling without OpenSSL (simple changes).

At present, runtime SSL detection is kind of odd (putting that nicely). I hate using rescue to do so.

I think a better way is checking what classes exist in puma_http11.

Question - Since puma_http11 is always used, maybe move the require to Puma, and add the runtime OpenSSL detection in puma/detect.rb so we have a constant/method to check?

A goal is to not need to require Ruby's OpenSSL if Puma is compiled without OpenSSL...

[nateberkopec]

Question - Since puma_http11 is always used, maybe move the require to Puma, and add the runtime OpenSSL detection in puma/detect.rb so we have a constant/method to check?

A goal is to not need to require Ruby's OpenSSL if Puma is compiled without OpenSSL...

Makes sense!

[MSP-Greg]

Two items:

1. There are three classes (I think) that rescue MiniSSL or OpenSSL errors (Client, Reactor, & Server). If one compiles without SSL, these constants are not defined. I'm thinking of setting the rescue errors to LocalJumpError, which is defined, and will never be raised?

2. I'll separate lib and test changes, but for this PR to bisect, it needs to be squashed.

[MSP-Greg]

This is done, updated notes, etc.

JRuby & TruffleRuby still intermittently lock up in testing. The last pair of jobs in my fork both passed, using JRuby for the 'no ssl' workflow (not jruby-head).

[MSP-Greg]

I just pushed an update. Before, the code to determine whether Puma was built with ssl in detect.rb was:

HAS_SSL = const_defined?(:MiniSSL, false)

Updated code is:

# at present, MiniSSL::Engine is only defined in extension code, not in minissl.rb
HAS_SSL = const_defined?(:MiniSSL, false) && MiniSSL.const_defined?(:Engine, false)

Puma::MiniSSL is defined in minissl.rb (using module MiniSSL). So if minissl.rb was loaded first, the detection would fail. Currently, Puma::MiniSSL::Engine is only defined in 'extension' code, so it's not affected by loading minissl.rb...

[nateberkopec]

What's the purpose of moving these from the top of the file?

[MSP-Greg]

We could move it above and use Puma::HAS_SSL. I put it here for the namespace.

This was an issue I was about to post a message about.

Currently, if Puma successfully compiles with OpenSSL, it loads all the files. Should we make so that it only loads the files if one binds to an ssl socket?

That is trickier...

[nateberkopec]

Did you change anything in here other than 80-char line breaks?

[MSP-Greg]

I added a sentence to Quick Start, which maybe should be expanded on?

"Puma expects to find OpenSSL development files when installed/compiled. If you want to compile it without ssl support, set ENV['DISABLE_SSL']."

I can pull this and do a separate PR.

[MSP-Greg]

I removed to format changes and just added an ssl section.

[nateberkopec]

It looks like for JRuby, for this to work, you need to have DISABLE_SSL set, but for MRI, you don't. Is that true?

[MSP-Greg]

Re MRI, I know how to uninstall 'openssl dev', and it works locally.

I don't know how to uninstall Java's equivalent of 'openssl dev'. For MRI systems, it's a separate install, I don't think that's the case with Java?

EDIT:

Sorry I wasn't clear.

for JRuby, for this to work, you need to have DISABLE_SSL set

Correct.

for MRI, you don't

If you don't have 'openssl dev' installed, there is no need for ENV['DISABLE_SSL']. If it is installed, you need to set the ENV variable in shell to disable compiling with OpenSSL.

[MSP-Greg]

Interesting. The last push (which passed CI here) here also ran in my fork. The only failure was on
ubuntu-18.04 truffleruby-head, see:

https://github.com/MSP-Greg/puma/runs/1109525323?check_suite_focus=true#step:7:599

Note that the test suite passed, but it just barely timed out, so it shows as a failure. First time I've seen that, but maybe extend the test step's timeout to 12? Hate to do that...

[MSP-Greg]

I noticed that test_puma_server_ssl.rb would not run as a single test file:

rake test TESTOPTS=--verbose TEST=test/test_puma_server_ssl.rb

Fixed.

[MSP-Greg]

Removed Actions TruffleRuby RuboCop commit

[nateberkopec]

I feel like this is a little unclear. If you don't bind Puma to SSL, why should you need to use DISABLE_SSL?

As written, this makes it sound like anyone using Puma w/o SSL must set DISABLE_SSL.

[MSP-Greg]

If you don't bind Puma to SSL, why should you need to use DISABLE_SSL?

You don't have to, but 'If the system has OpenSSL development files', it will compile the SSL functions into puma_http11.so/jar and will load the OpenSSL libraries/dlls when using MRI. It also loads Ruby OpenSSL on MRI.
I believe using DISABLE_SSL stops all of that.

this makes it sound like anyone using Puma w/o SSL must set DISABLE_SSL.

Didn't mean to imply that. Maybe a rephrasing is in order. I meant to make it clear that it's optional. But, I didn't say anything about benefits...

BTW, thanks for reviewing.

[nateberkopec]

Yeah I just ended up removing it. I think it's too confusing. Good feature to have but not one that needs explaining right in README.md.

Thanks so much for your work on the test suite over the last 2 weeks Greg, it's so much better now.