Backport OpenSSL 3.6.0 compatibility fix for Ruby 3.2 #14797

Merged
hsbt merged 1 commit into ruby:ruby_3_2 from Bo98:openssl-fix-ruby-3.2 on Oct 9, 2025

Bo98 (Contributor) commented Oct 9, 2025

Cherry-picks 7863389

[Backport #21631]

…he default store

With OpenSSL 3.6.0, it causes nearly every certificate verification to
fail with the message "certificate verify failed (unable to get
certificate CRL)" because the CRLs are typically unavailable in the
default store used by OpenSSL::SSL::SSLContext#set_params.

OpenSSL::X509::V_FLAG_CRL_CHECK_ALL is a flag that extends the CRL
checking to all certificates in the chain. In OpenSSL < 3.6.0, the flag
alone has no effect, and OpenSSL::X509::V_FLAG_CRL_CHECK must also be
set to enable CRL checking.

In OpenSSL 3.6.0, OpenSSL::X509::V_FLAG_CRL_CHECK_ALL now implies
OpenSSL::X509::V_FLAG_CRL_CHECK. This is inconsistent with the man page
and may be fixed in a future OpenSSL 3.6.x release, but this flag is not
needed and should not be set by default.

Fixes ruby/openssl#949

ruby/openssl@e8481cd687
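
The flag behaviour described in the commit message above can be checked against whichever OpenSSL your Ruby is linked to, using a throwaway CA and leaf for which no CRL exists. This is an added example, not part of the pull request or the ruby/openssl code; the certificate names and the helpers `issue`, `verify_with` and `crl_flag_results` are constructed for illustration.

```ruby
require "openssl"

# Constructed throwaway PKI: a self-signed CA and one leaf. No CRL is ever issued.
def issue(subject, key, issuer = nil, issuer_key = nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = issuer ? 2 : 1
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  constraint = issuer ? "CA:FALSE" : "CA:TRUE"
  cert.add_extension(ef.create_extension("basicConstraints", constraint, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
end

# Verify `leaf` against a store that trusts only `ca`, with the given flags.
# Returns [verified?, OpenSSL verify error code].
def verify_with(flags, ca, leaf)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  store.flags = flags
  [store.verify(leaf), store.error]
end

# Runs the same chain through three flag settings.
def crl_flag_results
  ca_key = OpenSSL::PKey::RSA.new(2048)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  ca = issue("/CN=Constructed Test CA", ca_key)
  leaf = issue("/CN=constructed.example", leaf_key, ca, ca_key)
  x = OpenSSL::X509
  {
    no_flags: verify_with(0, ca, leaf),
    crl_check: verify_with(x::V_FLAG_CRL_CHECK, ca, leaf),
    # Result depends on the linked OpenSSL version (see the commit message).
    crl_check_all_only: verify_with(x::V_FLAG_CRL_CHECK_ALL, ca, leaf),
  }
end

if $PROGRAM_NAME == __FILE__
  puts OpenSSL::OPENSSL_LIBRARY_VERSION
  crl_flag_results.each { |name, (ok, err)| puts "#{name}: ok=#{ok} error=#{err}" }
end
```

Per the commit message, `crl_check_all_only` verifies on OpenSSL < 3.6.0 and fails with "unable to get certificate CRL" on 3.6.0, which is the same failure `crl_check` produces on every version.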

hsbt (Member) commented Oct 9, 2025

Thanks!

hsbt merged commit c38243e into ruby:ruby_3_2 on Oct 9, 2025

74 checks passed

Bo98 deleted the openssl-fix-ruby-3.2 branch on October 9, 2025 05:00

hsbt added the Backport label on Dec 3, 2025