Skip to content

ssl: remove OpenSSL::X509::V_FLAG_CRL_CHECK_ALL from the default store #950

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 6, 2025
Merged

ssl: remove OpenSSL::X509::V_FLAG_CRL_CHECK_ALL from the default store #950

merged 1 commit into from
Oct 6, 2025
+0 −1

Conversation

@rhenium
Copy link
Member

@rhenium rhenium commented Oct 5, 2025

With OpenSSL 3.6.0, it causes nearly every certificate verification to fail with the message certificate verify failed (unable to get certificate CRL) because the CRLs are typically unavailable in the default store used by OpenSSL::SSL::SSLContext#set_params.

OpenSSL::X509::V_FLAG_CRL_CHECK_ALL is a flag that extends the CRL checking to all certificates in the chain. In OpenSSL < 3.6.0, the flag alone has no effect, and OpenSSL::X509::V_FLAG_CRL_CHECK must also be set to enable CRL checking.

In OpenSSL 3.6.0, OpenSSL::X509::V_FLAG_CRL_CHECK_ALL now implies OpenSSL::X509::V_FLAG_CRL_CHECK. This is inconsistent with the man page and may be fixed in a future OpenSSL 3.6.x release, but this flag is not needed and should not be set by default.

Fixes #949

@rhenium
ssl: remove OpenSSL::X509::V_FLAG_CRL_CHECK_ALL from the default store
e8481cd 
With OpenSSL 3.6.0, it causes nearly every certificate verification to
fail with the message "certificate verify failed (unable to get
certificate CRL)" because the CRLs are typically unavailable in the
default store used by OpenSSL::SSL::SSLContext#set_params.

OpenSSL::X509::V_FLAG_CRL_CHECK_ALL is a flag that extends the CRL
checking to all certificates in the chain. In OpenSSL < 3.6.0, the flag
alone has no effect, and OpenSSL::X509::V_FLAG_CRL_CHECK must also be
set to enable CRL checking.

In OpenSSL 3.6.0, OpenSSL::X509::V_FLAG_CRL_CHECK_ALL now implies
OpenSSL::X509::V_FLAG_CRL_CHECK. This is inconsistent with the man page
and may be fixed in a future OpenSSL 3.6.x release, but this flag is not
needed and should not be set by default.

Fixes ruby#949
@junaruga
Copy link
Member

junaruga commented Oct 5, 2025

Thank you for the PR!

Seeing the master branch commits, CI passed at my commit fcf2889, which added OpenSSL 3.6.0. Then I see the CI failed at the merge commit 7f4886b. It seems that this PR fixes the failures on the CI. Do you know why the failures didn't happen at the commit fcf2889?

https://github.com/ruby/openssl/commits/master/

@rhenium
Copy link
Member Author

rhenium commented Oct 5, 2025

It's an issue in https://github.com/ruby/test-unit-ruby-core with Ruby < 3.3, which was released to rubygems.org just before I pushed the merge button.

This PR is for maint-3.1 and doesn't use the gem yet.

@rhenium rhenium merged commit 06592e4 into ruby:maint-3.1 Oct 6, 2025
47 of 56 checks passed
@rhenium rhenium mentioned this pull request Oct 6, 2025
Closed
@junaruga
Copy link
Member

junaruga commented Oct 6, 2025

It's an issue in https://github.com/ruby/test-unit-ruby-core with Ruby < 3.3, which was released to rubygems.org just before I pushed the merge button.

This PR is for maint-3.1 and doesn't use the gem yet.

Ah, all right. I misunderstood this PR was for the master branch.

The test-unit-ruby-core 1.0.8 caused the failures.
https://github.com/ruby/openssl/actions/runs/18215689022/job/51864349455#step:5:100

But today test-unit-ruby-core 1.0.9 was released, and I see the CI passed again at the commit 64f4aae.

https://rubygems.org/gems/test-unit-ruby-core

@htrungngx
Copy link

htrungngx commented Oct 6, 2025

This will nerver finish because some 20.04 runners are still in-use

@junaruga
Copy link
Member

junaruga commented Oct 6, 2025
edited
Loading

This will nerver finish because some 20.04 runners are still in-use

I think we understand the situation. We dropped Ubuntu 20.04 image on the master branch in the past by the commit fe4319c. But we haven't applied the change to the maint-3.1 branch.

@jbourassa
Copy link

jbourassa commented Oct 6, 2025
edited
Loading

Thanks for this fix. Going to paste the exact error message here so that folks Googling can find this fix:

certificate verify failed (unable to get certificate CRL) (OpenSSL::SSL::SSLError)

@lawrencepit lawrencepit mentioned this pull request Oct 29, 2025
Closed
sorah added a commit to ruby-no-kai/sponsor-app that referenced this pull request Nov 15, 2025
@sorah
https://github.com/ruby/openssl/pull/950
1062f98
sorah added a commit to ruby-no-kai/sponsor-app that referenced this pull request Nov 15, 2025
@sorah
https://github.com/ruby/openssl/pull/950
7bd9348
havenwood added a commit to havenwood/hedra that referenced this pull request Nov 19, 2025
@havenwood
Add explicit dep to support OpenSSL 3.6
6406aaf 
Fixes "certificate verify failed (unable to get certificate CRL)"
error with OpenSSL 3.6.0 by adding an explicit dep on the minimum patch version of the openssl default gem. ruby/openssl#950
@havenwood havenwood mentioned this pull request Nov 19, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@rhenium @junaruga @htrungngx @jbourassa