Use OpenSSL 3.x with Ruby 3.1.x

[hsbt]

Related with #1998 (comment)

Ruby 3.1.x already support OpenSSL 3.0. There is no reason why Ruby 3.1 use OpenSSL 1.1.

[eregon]

Agreed, thanks.

[beporter]

One reason to use OpenSSL v1.1.x instead of 3.x is that they deprecated a number of methods in 3.0.x. OpenSSL::Digest::MD4.hexdigest, for example. If you have code that happens to use any of those now-deprecated methods, that code will start failing because of this change.

Summarized here: https://dev.to/wetterkrank/openssldigestdigesterror-when-using-md4-3o0i

Switching to OpenSSL 3.x, you should probably enable the legacy providers as well, if you want to maintain full compatibility with 1.1.x.

The workaround is to manually install and compile OpenSSL 1.1.x first, then use RUBY_CONFIGURE_OPTS="--with-openssl-dir=/INSTALL/PATH/HERE" rbenv install to keep using 1.1.x.

[eregon]

There was some discussion about this in #2111
The bottom line is longer-term openssl 1.1.x won't be available, and is already not available on recent distros.
So anyway such code needs to be adapted to work on openssl 3.

Similarly about legacy providers, that won't work with a system-installed openssl 3, again Ruby code cannot rely on that if it wants to work on modern distros/Ruby/etc.

[eregon]

The workaround is to manually install and compile OpenSSL 1.1.x first, then use RUBY_CONFIGURE_OPTS="--with-openssl-dir=/INSTALL/PATH/HERE" rbenv install to keep using 1.1.x.

And indeed that's the intended workaround when the calling code cannot be changed yet.

[beporter]

Agreed on all points. I was posting mainly to give people that landed here via Google a path forward.

This was (technically) a breaking change.

[mislav]

@beporter Sorry that you've been bitten by a breaking change, and thanks for reporting here and blogging about your findings. 🙇