Support building OpenSSL for Ruby with AWS-LC #833

Open
samuel40791765 opened this issue Dec 26, 2024 · 1 comment

@samuel40791765

Hello,

I’m an engineer at AWS working on AWS-LC, AWS’s open-source cryptographic library maintained for AWS and their customers. AWS-LC supports CPU-specific performance optimizations for AWS Graviton 2, AWS Graviton 3, and Intel x86-64 with AVX-512 instructions. We’ve formally verified a subset of AWS-LC’s cryptographic primitives, and continue to invest in expanding this coverage. AWS-LC can also be built in FIPS mode to help consumers meet FIPS 140-3 compliance requirements. To give Ruby users a well-documented and supported way to take advantage of these investments, we would like to upstream build compatibility for AWS-LC into Ruby. We believe that this would provide the best experience for users wishing to build Ruby against AWS-LC. It would also allow users to circumvent maintaining and applying their own patch sets to build Ruby with AWS-LC. Earlier this year, we engaged with the CPython maintainers to successfully address similar needs for our respective users.

We are working on patch sets to integrate Ruby’s OpenSSL module with AWS-LC. AWS-LC is committed to backwards compatibility and we aim to keep our API stable. Our open source repository has CI jobs (here and here) asserting every change’s compatibility with multiple different open-source projects. We’ve recently added Ruby 3.1 and 3.2 to this test suite and we’re in the midst of incorporating Ruby’s main branch and 3.3. These tests are used to catch compatibility regressions against every change before they’re merged and to resolve potential build issues beforehand when upstream projects make relevant changes. Relevant unit tests from the upstream projects are also run to confirm that the underlying libcrypto & libssl behave as expected. By expanding our regular testing processes to include Ruby, we proactively prevent any unanticipated breaks in the Ruby/AWS-LC build.

The proposed integration supports all features of Ruby’s OpenSSL module, except for the use of DHE cipher suites in libssl. Excluding this, we have confirmed that all relevant unit tests for Ruby’s OpenSSL module perform as expected. If you folks agree that this integration would be beneficial for Ruby and its consumers, I’d be more than happy to put together a PR.

@samuel40791765

I initially posted this in the general Ruby forum, but was directed here as the more appropriate communication channel for the Ruby openssl gem 😄.
