Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for OpenSSL 3 #106

Open
wants to merge 4 commits into
base: master
Choose a base branch
from

Conversation

ClearlyClaire
Copy link

Starting form OpenSSL 3, PKey aren't mutable anymore, so we have to build them instead of separately setting private_key and public_key.

@donv
Copy link

donv commented Sep 15, 2022

Hi!

Any response on getting this merged?

@MBM1607
Copy link

MBM1607 commented Nov 2, 2022

lgtm, @ClearlyClaire any response from @zaru on getting this merged?

@collimarco
Copy link
Contributor

+1 for this, it would be useful to have this update merged (and most importantly having this merged before support for previous openssl versions is dropped...)

@collimarco
Copy link
Contributor

I am looking at the code line by line and in general seems good to me. However I have some doubts about the use of OpenSSL::ASN1::Sequence in VapidKey#to_pem and VapidKey#set_keys! , because it seems very low-level. I wonder if there's a better alternative.

For example here's another implementation (less code, high-level, widely used in production) of VapidKey#to_pem:
pushpad/web-push@20f40d9#diff-e8e36e8a5282b2fbf5503e699e222f3d5413c86cdbb94ecdd13148ea0c59e5f5

I wonder if we can keep something like that in OpenSSL 3 - I would feel more confident.

@collimarco
Copy link
Contributor

Are these changes necessary at all?

Please try to use this https://github.com/pushpad/web-push (v2.0.0) and simply update the openssl version in the .gemspec to v3:

spec.add_dependency 'openssl', '~> 3.0'

Then run bundle update and bundle exec rspec... all tests are passing!

Maybe is it because the openssl gem v3 is still using the "OpenSSL library v1.1" on my machine? Or gem v3 always uses the C library v3?

@collimarco
Copy link
Contributor

Ok, the gem version (e.g. v3) can be different from the underlying C library.

For example openssl gem v3 is still compatible with C library v1.1.

The breaking change seems related to updating the underlying C library to v3, not the gem, which can be updated to v3.

For the breaking changes caused by the C library, it seems that the Ruby core team is working on some workarounds at the gem level:

ruby/openssl#480

Maybe that will make all these changes to this gem unnecessary (???)

@ClearlyClaire
Copy link
Author

I am looking at the code line by line and in general seems good to me. However I have some doubts about the use of OpenSSL::ASN1::Sequence in VapidKey#to_pem and VapidKey#set_keys! , because it seems very low-level. I wonder if there's a better alternative.

For example here's another implementation (less code, high-level, widely used in production) of VapidKey#to_pem: pushpad/web-push@20f40d9#diff-e8e36e8a5282b2fbf5503e699e222f3d5413c86cdbb94ecdd13148ea0c59e5f5

I wonder if we can keep something like that in OpenSSL 3 - I would feel more confident.

Good catch. The result is the same and it works on OpenSSL 3. Pushed the change.

@collimarco
Copy link
Contributor

@ClearlyClaire Great! I wonder if it's possible to use a similar, high-level approach also for set_keys!

@alecslupu
Copy link

@collimarco, We have switched to web-push, version 2.1.0 and the error still persists.
Is there any chance this fix could be applied in a 2.1.1 version ?

https://github.com/decidim/decidim/actions/runs/3648589265/jobs/6162187603

image

@collimarco
Copy link
Contributor

@alecslupu the Pushpad fork already supports openssl v3 (the ruby gem), but still uses openssl v1.1 (the C library). I also want to add support for OpenSSL v3 (C library) soon, but at the moment the official Ruby docker images still use C library v1.1, so we are ok with that.

My main doubt with the code in this pull request is if we really need to go low-level (e.g. using OpenSSL::ASN1::Sequence) or if there is any other simpler solution.

@alecslupu
Copy link

I totally understand the concern. I can confirm that the patch proposed in this PR, works okay for apps using OpenSSL v3 (C library).

I can confirm that Pushpad version is working fine with OpenSSL 3 gem having OpenSSL v1.1 (the C library), yet it fails when used with V3 C library.

@xfalcox
Copy link

xfalcox commented Dec 13, 2022

@collimarco are you considering merging this in your fork? That would be a reason, at least for me, to move to it.

xfalcox added a commit to xfalcox/web-push that referenced this pull request Dec 26, 2022
This is the same PR sent to the original and adjusted for this fork

See zaru/webpush#106

Co-authored-by: Claire <claire.github-309c@sitedethib.com>
@collimarco
Copy link
Contributor

I have just released web-push v3.0 which is compatible with both OpenSSL v1.1 and OpenSSL v3 🎉
https://github.com/pushpad/web-push

Note: in order to use that gem you need to use gem 'web-push' and rename Webpush to WebPush.

sojan-official added a commit to chatwoot/chatwoot that referenced this pull request Feb 3, 2023
- The previous gem, `webpush` was last updated a while ago. Also, with the recent ruby upgrade, we needed a fix for zaru/webpush#106. Hence switching to the `web-push` gem where the issues are fixed.
@Sjors
Copy link

Sjors commented Feb 19, 2023

I replaced the webpush gem with web-push for ForkMonitor (changeWebpush to WebPush in the code) and it no longer throws OpenSSL::PKey::PKeyError when trying to send a push message. Didn't look at the code changes though.

manefz
manefz approved these changes Feb 23, 2023
@timokleemann
Copy link

I can also confirm that renaming the gem from webpush to web-push fixes the OpenSSL::PKey::PKeyError (pkeys are immutable on OpenSSL 3.0) that bugged me all day. Thanks for the fix!

SixiS added a commit to hornet-network/rpush that referenced this pull request Jul 25, 2024
Move to web-push gem to fix OpenSSL 3.0 error. zaru/webpush#106
Fix various failing tests.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants