CI: List OpenSSL providers by openssl CLI in FIPS cases. #780
Add the step to list OpenSSL providers available on OpenSSL 3.0 or later versions to check if the base and fips providers are loaded in the FIPS cases.

We have a logic to print the OpenSSL providers in the Rake test and test_fips tasks calling the debug task.
https://github.com/ruby/openssl/blob/16aa2b2f0c10d9d2b6ccf09628d248ba9d2f3f4e/Rakefile#L72

However, if the fips provider is not loaded, the Ruby OpenSSL aborts before printing the OpenSSL providers in the Rake debug task.
https://github.com/ruby/openssl/actions/runs/10077703798/job/27860837398#step:13:35

This commit enables CI to print the loaded OpenSSL providers in such case.

Added the `'-Wl,-rpath,$(LIBRPATH)'` to call the openssl cli without setting `LD_LIBRARY_PATH`. See https://github.com/ruby/openssl/blob/master/CONTRIBUTING.md#with-different-versions-of-openssl for details.
This seems redundant. We print the loaded providers in the Rake task "debug", which is run as part of
I am mentioning your point at my first comment. Yes, it is redundant. However, my point for this PR is about if we want to list the providers in the case the
I overlooked this part. Perhaps we want to extract the "debug" task out of Rakefile, and print these constants with only I don't think having duplicate output in every CI run just in case OpenSSL breaks in a similar way will be useful (which most likely requires a bugfix in openssl/openssl, not in ruby/openssl).
I tested your approach with only
Yes, I would agree with your option.
I sent the PR #783.
This PR is to add the step to list OpenSSL providers in FIPS cases.
While we are calling the logic to list the OpenSSL providers in the `rake test` or `rake test_fips`, in the case where the fips provider is not loaded, the Ruby OpenSSL aborts before printing the providers. This PR enables the CI to print the providers in such cases.
I was able to find the fips provider was not loaded with the openssl-head fips case by this commit.
https://github.com/junaruga/ruby-openssl/actions/runs/10078885746/job/27864878836#step:7:1
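The check this PR is after, as an added example that is not part of the PR or of the ruby/openssl code base: it parses the text printed by `openssl list -providers` (OpenSSL 3.0 or later) and reports which of the base and fips providers are not active. The function names and both sample outputs are constructed for illustration, and it assumes the CI step captures that command's output.

```shell
# Added example (not from ruby/openssl): check the text printed by
# `openssl list -providers` (OpenSSL 3.0+) for required active providers.

# Constructed sample: base and fips providers loaded and active.
SAMPLE_FIPS_OK='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.9
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.9
    status: active'

# Constructed sample: only the default provider is loaded (fips missing).
SAMPLE_DEFAULT_ONLY='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.9
    status: active'

# missing_providers OUTPUT NAME...
# Prints the NAMEs that are not listed with "status: active" in OUTPUT.
# The body runs in a subshell so its variables stay local (POSIX sh).
missing_providers() (
  output=$1; shift
  # Provider ids are indented by two spaces, their attributes by four.
  active=$(printf '%s\n' "$output" | awk '
    /^  [^ ]/            { id = $1 }
    /^    status: active/ { print id }')
  missing=
  for name in "$@"; do
    printf '%s\n' "$active" | grep -qxF -e "$name" || missing="$missing $name"
  done
  printf '%s' "${missing# }"
)

# check_fips_providers OUTPUT
# Succeeds only when both base and fips are active; otherwise names the gap.
check_fips_providers() {
  missing=$(missing_providers "$1" base fips)
  [ -z "$missing" ] && return 0
  echo "FIPS case: provider(s) not active: $missing" >&2
  return 1
}

# In a CI step (hypothetical usage): check_fips_providers "$(openssl list -providers)"
check_fips_providers "$SAMPLE_FIPS_OK" && echo "sample 1: base and fips active"
check_fips_providers "$SAMPLE_DEFAULT_ONLY" || echo "sample 2: FIPS setup incomplete"
```

Run before the Rake tasks, a check like this fails the job with the missing provider named, instead of leaving only the abort from the Ruby process in the log.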