Windows mswin build - failures on OpenSSL::TestSSL#test_add_certificate_chain_file* #318

Closed
MSP-Greg opened this issue Feb 6, 2020 · 8 comments


@MSP-Greg
Contributor

MSP-Greg commented Feb 6, 2020

Testing with a reasonably new mswin build locally, the only errors seem to be the following, both in test/test_ssl.rb:

OpenSSL::TestSSL#test_add_certificate_chain_file
OpenSSL::TestSSL#test_add_certificate_chain_file_multiple_certs

both generate an error of:
OPENSSL_Uplink(00007FF994925B70,08): no OPENSSL_Applink

Does the following have any helpful info?
https://github.com/openssl/openssl/blob/4746f25ac62e5bbdc07eedcec9c9a27547577141/doc/man3/OPENSSL_Applink.pod

@ioquatix
Member

ioquatix commented Feb 6, 2020

Thanks. That seems odd. Can we get this in CI?

@MSP-Greg
Contributor Author

MSP-Greg commented Feb 6, 2020

> Can we get this in CI?

Working on it. Soon. You'll be the first to use it.

@MSP-Greg
Contributor Author

MSP-Greg commented Feb 11, 2020

I verified that the error is being raised from the call to:

OpenSSL::SSL::SSLContext#add_certificate_chain_file

That's about as far as I can take the issue. I can build & test locally, so happy to try any ideas...

EDIT: This issue may be caused by the particular OpenSSL build used on Actions, as the ruby/ruby AppVeyor mswin build is passing. I'll see if I can check into it. I may build the package myself and see if it works.

@MSP-Greg
Contributor Author

MSP-Greg commented Feb 14, 2020

@hsbt

Re the issue with 2.2.0 and mswin (mingw is ok), the problem (as mentioned above) is the method:

OpenSSL::SSL::SSLContext#add_certificate_chain_file

For the time being, this needs to not be added in mswin builds.

The method calls:

SSL_CTX_use_certificate_chain_file

Which, in mswin/msvc builds, looks for an export (OPENSSL_Applink) from the running exe file (ruby.exe). Note that the export is only needed for mswin builds, not mingw or any other OS.

I'm not a strong C type, but I'll see if I can get a response from openssl/openssl about options for this issue. I've verified what I can with both the OpenSSL package used for building on Actions and a locally built one.

@rhenium
Member

rhenium commented Feb 15, 2020

We had the same issue before in #128.

OpenSSL has the UPLINK interface in order to support a weird environment where two different versions of MSVC are mixed in runtime - a FILE provided by us might not be usable by fread() function OpenSSL has linked with.

(Although I didn't test it locally,) I think the error is coming from PEM_read_PrivateKey() and PEM_read_X509(), where we give a FILE * to check the consistency between the certificate and the private key.

I suspect the cleanest way to fix this is to implement #288 separately, and replace SSLContext#add_certificate_chain_file with something like

def add_certificate_chain_file(cert, key)
  ee, *ca = OpenSSL::X509::Certificate.load_blaba(cert)
  add_certificate(ee, OpenSSL::PKey.read(File.read(key)), ca)
end
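
The approach suggested in the comment above, as an added example that is not part of the thread or of the ruby/openssl code base: both files are read with Ruby's own IO, so OpenSSL only parses in-memory strings and is never handed a FILE *. The helper names (read_chain_and_key, add_chain_from_files, make_cert, demo) and the sample certificates are constructed for illustration, and a PEM regex stands in for the multi-certificate loader proposed in #288.

```ruby
require "openssl"
require "tempfile"

PEM_CERT = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# Read both files with Ruby's IO so OpenSSL only sees memory buffers,
# never a FILE* that may belong to a different C runtime (the UPLINK case).
def read_chain_and_key(cert_path, key_path)
  certs = File.read(cert_path).scan(PEM_CERT)
              .map { |pem| OpenSSL::X509::Certificate.new(pem) }
  raise ArgumentError, "no certificate found in #{cert_path}" if certs.empty?
  ee, *ca = certs # first certificate is the leaf, the rest form the chain
  [ee, OpenSSL::PKey.read(File.read(key_path)), ca]
end

# Hypothetical stand-in for SSLContext#add_certificate_chain_file.
def add_chain_from_files(ctx, cert_path, key_path)
  ee, key, ca = read_chain_and_key(cert_path, key_path)
  ctx.add_certificate(ee, key, ca) # raises if key and leaf do not match
  [ee, ca]
end

# Constructed sample data: throwaway certificates valid for one hour.
def make_cert(cn, key, issuer_cert = nil, issuer_key = key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ee_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert("Constructed Test CA", ca_key)
  ee = make_cert("constructed.example", ee_key, ca, ca_key)
  Tempfile.create("chain") do |cf|
    Tempfile.create("key") do |kf|
      cf.write(ee.to_pem + ca.to_pem); cf.flush
      kf.write(ee_key.to_pem); kf.flush
      add_chain_from_files(OpenSSL::SSL::SSLContext.new, cf.path, kf.path)
    end
  end
end
```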

@hsbt
Member

hsbt commented Feb 15, 2020

@rhenium Thanks, I got it.

@MSP-Greg I created the revert pull request for this failure: #320

@MSP-Greg
Contributor Author

MSP-Greg commented Feb 15, 2020

@rhenium

Glad to see you're still around. OpenSSL is complicated, and I'm very c challenged.

> Although I didn't test it locally

If it's helpful, I've got master builds done three times a day, the release is:
https://github.com/MSP-Greg/ruby-loco/releases/tag/ruby-master

The builds are self-contained, manifested dll's, etc...

mswin:
https://github.com/MSP-Greg/ruby-loco/releases/download/ruby-master/ruby-mswin.7z

mingw:
https://github.com/MSP-Greg/ruby-loco/releases/download/ruby-master/ruby-mingw.7z

EDIT: Re the mswin build, the msvc OpenSSL version that it's building with expects

OpenSSL::X509::DEFAULT_CERT_FILE
C:\Program Files\Common Files\SSL/cert.pem

OpenSSL::X509::DEFAULT_CERT_DIR
C:\Program Files\Common Files\SSL/certs

@MSP-Greg
Contributor Author

Resolved...
