Improve MiniSSL for users without OpenSSL available #2303
Conversation
For people who did not install from OpenSSL extension, Here https://github.com/puma/puma/blob/91e57f4e173343746e122e8bb850b0244f508484/ext/puma_http11/mini_ssl.c#L12 is false, and they hit SSLError https://github.com/puma/puma/blob/91e57f4e173343746e122e8bb850b0244f508484/ext/puma_http11/mini_ssl.c#L555-L562 Check if the OPENSSL_VERSION is defined to fix this. Co-Authored-By: Matthew Draper <matthew@trebex.net> Co-Authored-By: Samuel Cochran <sj26@sj26.com>
JuanitoFatas
changed the title
|
Thanks. I started working on this, but got distracted. Might it be better to not even load the definition of MiniSSL in minissl.rb if Puma is compiled without SSL support? Same for the ssl methods in Binder and loading of Puma::MiniSSL::ContextBuilder. Because MiniSSL is compiled in puma_http11, some of the 'requires' need their order changed. I wanted to add at least one Actions job with SSL support. Also, I'm not that familiar with the other OpenSSL variants, like libressl. |
|
Skipping minissl entirely would also work, but felt like a bigger change. Absolutely do it, if you think that's best! We were opting for the light touch just to fix this loading problem introduced by the 5 beta for demonstration purposes. |
|
(To prevent future regressions like, perhaps introducing compile options into the build matrix would work? Not sure if it's worthwhile.) |
|
I try to help with SSL issues, and apologies, I never thought about compiling without SSL support. But, it is a valid need, and should probably be tested. The other issue that is somewhat mixed with this is, if one compiles with SSL support, then uses Puma without binding to an SSL connection, can it be setup to not load all the SSL related code, including not loading the OpenSSL system libraries. I kind of stopped when I was trying to see if the code changes could be separated. A long weekend is a good time, so... |
|
I think openssl might be loaded by other aspects of ruby anyway in almost all applications which use puma, we just don't have openssl headers available in production for the bundle to build puma with ssl bindings, so it's probably a pretty uncommon case! We appreciate the attention. Even if this was merged as-is for a fix, and then you considered avoiding minissl entirely for puma without ssl — either way. :-) (We use unix sockets from puma to another layer which handles ssl.) |
Now that I'm being reminded, I think nio4r always loads Ruby OpenSSL. Also, not all the tests that use SSL are properly guarded, so that's more code if we add 'no SSL' to CI. Let me get the code for fixing building/compiling with By chance, can you test it? |
Absolutely! We already have a copy of puma running in pre-production using the patch on this branch. But we'd be happy to test anything you'd like to ship here. I am about to head to bed, but can follow up in the morning [~9am utc+10]. |
|
Sorry for the delay. See PR #2305. If you can try that, it would be appreciated. I haven't added a 'no SSL' build to CI yet. Soon, hopefully tomorrow. I was mistaken about NIO. I believe nio4r 2.5.2 needs OpenSSL for JRuby & Windows, but it doesn't load it. That was my mistake, and it's been corrected in master, so next release it should be fixed. |
|
Closing this in favor of #2305. Thanks everyone! |
Description
SSL constants removed in 3a127f7. And for people who did not install from OpenSSL extension, this change will end up here.
puma/ext/puma_http11/mini_ssl.c
Line 12 in 91e57f4
HAVE_OPENSSL_BIO_His false, then arrived at this code pathpuma/ext/puma_http11/mini_ssl.c
Lines 555 to 562 in 91e57f4
resulted in
SSLError.Check if the
OPENSSL_VERSIONconstant is defined to fix this.Your checklist for this pull request
[changelog skip]the pull request title.[ci skip]to the title of the PR.#issue" to the PR description or my commit messages.