Make "rake debug" protective for a Ruby OpenSSL loading error. #783
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
We experienced a FIPS case specific Ruby OpenSSL error in the loading process of Ruby OpenSSL by calling the `ruby -ropenssl` (`require 'openssl'`) built with OpenSSL master branch which includes the commit <openssl/openssl@6d47e81> but doesn't include the commit <openssl/openssl@3c6e114> fixing the issue. The following error happened at `lib/openssl.rb:22` calling the `lib/openssl/ssl.rb` with the OpenSSL commit <14e46600c68ece74970462a60ad20703221747a1> which is between the above 2 commits. ``` $ OPENSSL_CONF=/home/jaruga/.local/openssl-3.4.0-dev-fips-debug-14e46600c6/ssl/openssl_fips.cnf \ bundle exec rake debug ... ruby 3.4.0dev (2024-07-22T08:33:07Z master 82aee1a946) [x86_64-linux] /home/jaruga/var/git/ruby/openssl/lib/openssl/pkey.rb:132:in 'OpenSSL::PKey::DH#initialize': could not parse pkey (OpenSSL::PKey::DHError) from /home/jaruga/var/git/ruby/openssl/lib/openssl/pkey.rb:132:in 'Class#new' from /home/jaruga/var/git/ruby/openssl/lib/openssl/pkey.rb:132:in 'OpenSSL::PKey::DH.new' from /home/jaruga/var/git/ruby/openssl/lib/openssl/ssl.rb:36:in '<class:SSLContext>' from /home/jaruga/var/git/ruby/openssl/lib/openssl/ssl.rb:23:in '<module:SSL>' from /home/jaruga/var/git/ruby/openssl/lib/openssl/ssl.rb:22:in '<module:OpenSSL>' from /home/jaruga/var/git/ruby/openssl/lib/openssl/ssl.rb:21:in '<top (required)>' from /home/jaruga/var/git/ruby/openssl/lib/openssl.rb:22:in 'Kernel#require_relative' from /home/jaruga/var/git/ruby/openssl/lib/openssl.rb:22:in '<top (required)>' from /home/jaruga/.local/ruby-3.4.0dev-debug-82aee1a946/lib/ruby/3.4.0+0/bundled_gems.rb:71:in 'Kernel.require' from /home/jaruga/.local/ruby-3.4.0dev-debug-82aee1a946/lib/ruby/3.4.0+0/bundled_gems.rb:71:in 'block (2 levels) in Kernel#replace_require' rake aborted! ``` This commit enables the `rake debug` still to print the debugging values in such cases. In this case, the `rake debug` prints only the base provider without fips provider. That was a bug of OpenSSL. ``` $ OPENSSL_CONF=/home/jaruga/.local/openssl-3.4.0-dev-fips-debug-14e46600c6/ssl/openssl_fips.cnf \ bundle exec rake debug ... ruby 3.4.0dev (2024-07-22T08:33:07Z master 82aee1a946) [x86_64-linux] OpenSSL::OPENSSL_VERSION: OpenSSL 3.4.0-dev OpenSSL::OPENSSL_LIBRARY_VERSION: OpenSSL 3.4.0-dev OpenSSL::OPENSSL_VERSION_NUMBER: 30400000 OpenSSL::LIBRESSL_VERSION_NUMBER: undefined FIPS enabled: true Providers: base ```
Member
You're right. Seems good to me! |
Member
Author
|
Thanks for your review! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR is to make "rake debug" enhanced, on the way suggested at #780 (comment). I didn't need to take the
rake debugout fromRakefile. Because the ruby code is executed in the child process by theruby %Q(-I./lib -ropenssl.so -ve'#{ruby_code}')in theRakefile.We experienced a FIPS case specific Ruby OpenSSL error in the loading process of Ruby OpenSSL by calling the
ruby -ropenssl(require 'openssl') built with OpenSSL master branch which includes the commit openssl/openssl@6d47e81 but doesn't include the commit openssl/openssl@3c6e114 fixing the issue.The following error happened at
lib/openssl.rb:22calling thelib/openssl/ssl.rbwith the OpenSSL commit<14e46600c68ece74970462a60ad20703221747a1> which is between the above 2 commits.
This commit enables the
rake debugstill to print the debugging values in such cases. In this case, therake debugprints only the base provider without fips provider. That was a bug of OpenSSL.