Skip to content

re-enable ENGINE support for 3.x #873

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed

Conversation

grawity
Copy link

@grawity grawity commented Mar 21, 2025

So far the entire experience with providers has been... not great, to put it mildly. Therefore I suggest re-enabling the OpenSSL::Engine support in ruby as it is merely deprecated but still works, and keeping it until upstream OpenSSL removes the API outright.

@rhenium
Copy link
Member

rhenium commented Mar 21, 2025

Engine was removed for OpenSSL 3.0 in #481. IIRC, I did this because the existing tests were broken with OpenSSL master at that time, and since the Engine API was not just deprecated but also required significant changes on the side of every Engine implementation to adapt to the other breaking changes between OpenSSL 1.1.x and 3.x, it seemed unlikely that it would still be used.

I'm open to re-enabling Engine if it can be helpful. We don't have automated tests using a third-party OpenSSL engine or provider, so the test coverage is very limited. Have you tested this with an engine? Did you have any other issues?

The failure in test_openssl_engine_by_id_string is relevant. I think the assertion can be relaxed for OpenSSL 3.x:

-      assert_equal(1, OpenSSL::Engine.engines.size - orig.size)
+      assert_operator(OpenSSL::Engine.engines.size, :>, orig.size)

@grawity
Copy link
Author

grawity commented Mar 21, 2025

It did seem to work (I was able to load an engine key), although I'll re-check to be sure. I submitted this PR mainly as a "request for comments" without a careful look, as I noticed that the openssl CLI tool was still accepting -engine even in my openssl version 3.4 and assumed that the same old code would work in ruby as well.

@grawity grawity closed this Mar 28, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants