

config: support .include directive #216


Merged: 1 commit merged into ruby:maint-2.0 from ky/config-include-directive on Feb 17, 2020

Conversation

rhenium (Member) commented Aug 16, 2018

OpenSSL 1.1.1 introduces a new '.include' directive. Update our config
parser to support that.

As mentioned in the referenced GitHub issue, we should use the OpenSSL
API instead of implementing the parsing logic ourselves, but it will
need backwards-incompatible changes which we can't backport to stable
versions. So continue to use the Ruby implementation for now.

Reference: #208
Cc: @voxik

@rhenium rhenium changed the base branch from master to maint-2.0 August 16, 2018 12:47
voxik commented Aug 27, 2018

I just applied this patch to the Fedora package and the test suite passes now. Thx for the fix.

voxik commented Nov 15, 2018

Any chance to have this included in Ruby 2.6? Thx.

voxik commented Nov 15, 2018

Please note that the ".include" directive is already in use on Fedora 29.

voxik commented Nov 15, 2018

$ cat /etc/pki/tls/openssl.cnf | grep include
# Note that you can include other files from the main configuration
# file using the .include directive.
#.include filename
.include /etc/crypto-policies/back-ends/opensslcnf.config
# PKIX recommendations harmless if included in all certificates.
# PKIX recommendations harmless if included in all certificates.
certs		= $dir/cacert.pem	# Certificate chain to include in reply
tsa_name		= yes	# Must the TSA name be included in the reply?
ess_cert_id_chain	= no	# Must the ESS cert id chain be included?

voxik commented Mar 5, 2019

It seems that OpenSSL changed their mind a bit:

https://bugzilla.redhat.com/show_bug.cgi?id=1668916

Now the man pages states:

There can be optional = character and whitespace characters between .include directive and the path which can be useful in cases the configuration file needs to be loaded by old OpenSSL versions which do not support the .include syntax. They would bail out with error if the = character is not present but with it they just ignore the include.

This is a change I am going to include into Fedora [1, 2]:

$ git diff
diff --git a/ruby-2.6.0-config-support-include-directive.patch b/ruby-2.6.0-config-support-include-directive.patch
index 37a89d6..5b2024b 100644
--- a/ruby-2.6.0-config-support-include-directive.patch
+++ b/ruby-2.6.0-config-support-include-directive.patch
@@ -46,8 +46,8 @@ index 88225451..ba3a54c8 100644
 -                key = $2
 -              else
 -                key = $1
-+          when /\A\.include (.+)\z/
-+            path = $1
++          when /\A\.include (\s*=\s*)?(.+)\z/
++            path = $2
 +            if File.directory?(path)
 +              files = Dir.glob(File.join(path, "*.{cnf,conf}"), File::FNM_EXTGLOB)
 +            else
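Review bot: the new pattern `/\A\.include (\s*=\s*)?(.+)\z/` still demands a literal space immediately after `.include`, so `.include=path` (no space before the `=`) falls through to the key/value branch, although the man page text quoted above only says there "can be optional = character and whitespace characters" between the directive and the path. A pattern such as `/\A\.include(?:\s*=\s*|\s+)(.+)\z/` accepts all three spellings and still keeps a key that merely starts with `.include` from matching. Also consider calling `.strip` on the captured path: for `.include  path` (two spaces, no `=`) the optional group matches empty and `(.+)` keeps the leading whitespace, which `File.directory?` and `File.read` would then pass through as part of the filename.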
@@ -141,7 +141,7 @@ index 99dcc497..5653b5d0 100644
 +        file-main = unnamed
 +        [sec-main]
 +        main = 123
-+        .include include-child.conf
++        .include = include-child.conf
 +      __EOC__
 +
 +      # Include a file by relative path
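Review bot: changing the fixture from `.include include-child.conf` to `.include = include-child.conf` removes the only coverage of the bare form, which is the spelling the Fedora openssl.cnf shown earlier in this thread actually uses (`.include /etc/crypto-policies/back-ends/opensslcnf.config`). Keep one include of each spelling in the test (or add a second fixture) so a regression in either alternative of the regex is caught.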

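The directive handling discussed in this thread, as an added example in Ruby that is not code from the ruby/openssl project or from the patch above: a small OpenSSL-style config parser that accepts `.include path`, `.include = path` and `.include=path`, includes a directory by globbing `*.cnf`/`*.conf`, and, in a legacy mode, behaves the way the man page text quoted above describes for OpenSSL versions without `.include` support (a bare `.include path` is a parse error because no `=` is present, while `.include = path` is silently read as an ordinary key). Assumptions not taken from the page: relative include paths resolve against the current working directory, an included file continues in the including file's current section, directory entries are read in sorted name order, and a nesting limit guards against a file that includes itself. All config files are constructed in a temporary directory inside `demo_include_directive`.

```ruby
require "tmpdir"
require "fileutils"

# Toy OpenSSL-style config parser with ".include" support (added example, not
# ruby/openssl code). Assumptions not taken from the thread: relative include
# paths resolve against the current working directory, an included file
# continues in the including file's current section, a directory include reads
# *.cnf/*.conf in sorted name order, and MAX_DEPTH guards against include loops.
# Key/value syntax is simplified: no $var expansion, '#' always starts a comment.
class IncludingConfig
  MAX_DEPTH = 16
  # Accepts ".include path", ".include = path" and ".include=path", but not a
  # key that merely starts with ".include" (e.g. ".included = 1").
  INCLUDE_RE = /\A\.include(?:\s*=\s*|\s+)(.+)\z/

  attr_reader :sections

  # support_include: false mimics an OpenSSL release that predates ".include".
  def initialize(support_include: true)
    @support_include = support_include
    @sections = Hash.new { |h, k| h[k] = {} }
  end

  def self.parse_file(path, **opts)
    conf = new(**opts)
    conf.load(path)
    conf
  end

  # Parses one file; returns the section in effect at its end so an include
  # can hand that section back to the including file.
  def load(path, section = "default", depth = 0)
    raise "include nesting too deep at #{path}" if depth > MAX_DEPTH
    File.foreach(path) do |raw|
      line = raw.chomp.sub(/\s*#.*\z/, "").strip
      next if line.empty?
      if (m = line.match(/\A\[\s*(.+?)\s*\]\z/))
        section = m[1]
      elsif @support_include && (m = INCLUDE_RE.match(line))
        section = include_target(m[1].strip, section, depth)
      elsif (m = line.match(/\A([^=\s]+)\s*=\s*(.*)\z/))
        # In legacy mode ".include = x" lands here as an ordinary key, which is
        # why the "=" spelling is harmless for old OpenSSL versions...
        @sections[section][m[1]] = m[2]
      else
        # ...whereas a bare ".include x" has no "=" and is rejected here.
        raise "#{path}: missing equal sign in #{line.inspect}"
      end
    end
    section
  end

  private

  def include_target(target, section, depth)
    if File.directory?(target)
      Dir.glob(File.join(target, "*.{cnf,conf}")).sort.each do |f|
        section = load(f, section, depth + 1)
      end
      section
    else
      load(target, section, depth + 1)
    end
  end
end

# Runs a block and returns nil on success or the parse error message.
def parse_error
  yield
  nil
rescue RuntimeError => e
  e.message
end

# Builds a constructed config tree in a temp dir and returns what the modern
# parser, the legacy parser, and the loop guard make of it.
def demo_include_directive
  Dir.mktmpdir do |dir|
    child = File.join(dir, "child.conf")
    confd = File.join(dir, "conf.d")
    FileUtils.mkdir_p(confd)
    # child.conf has no section header, so its key lands in the includer's section
    File.write(child, "child = from-child\n")
    File.write(File.join(confd, "10-policy.cnf"), "[policy]\nMinProtocol = TLSv1.2\n")
    File.write(File.join(confd, "20-override.conf"), "[policy]\nMinProtocol = TLSv1.3\n")
    File.write(File.join(dir, "main.cnf"), <<~CNF)
      file-main = unnamed
      [sec-main]
      main = 123
      .include = #{child}
      .include #{confd}
    CNF
    File.write(File.join(dir, "legacy.cnf"), "[sec-main]\n.include = #{child}\n")
    File.write(File.join(dir, "bare.cnf"), "[sec-main]\n.include #{child}\n")
    loop_cnf = File.join(dir, "loop.cnf")
    File.write(loop_cnf, ".include #{loop_cnf}\n")

    modern = IncludingConfig.parse_file(File.join(dir, "main.cnf"))
    legacy = IncludingConfig.parse_file(File.join(dir, "legacy.cnf"), support_include: false)
    bare_error = parse_error { IncludingConfig.parse_file(File.join(dir, "bare.cnf"), support_include: false) }
    loop_error = parse_error { IncludingConfig.parse_file(loop_cnf) }
    { modern: modern.sections, legacy: legacy.sections,
      bare_error: bare_error, loop_error: loop_error }
  end
end

p demo_include_directive if __FILE__ == $PROGRAM_NAME
```

The `20-override.conf` entry shows why sorted directory order matters: the later file wins for `MinProtocol`, which is the same mechanism a system-wide crypto-policy drop-in relies on. The depth limit is the one check the patch's recursive `File.directory?`/`Dir.glob` logic has no visible equivalent for; without it a config that includes itself (or a directory containing itself) recurses until the interpreter fails.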
ioquatix (Member)

Can interested parties please rebase and update this PR, then we can get it out by the 2.7 release window if it's done this month.

voxik commented Nov 8, 2019

ioquatix (Member) commented Nov 8, 2019

Is there an API we should be using for this?

OpenSSL 1.1.1 introduces a new '.include' directive. Update our config
parser to support that.

As mentioned in the referenced GitHub issue, we should use the OpenSSL
API instead of implementing the parsing logic ourselves, but it will
need backwards-incompatible changes which we can't backport to stable
versions. So continue to use the Ruby implementation for now.

Squashed in additional changes by Vít Ondruch to support '.include = '
syntax.

Reference: ruby#208
voxik commented Jan 6, 2020

Is there an API we should be using for this?

I don't think there is any API for this, since - according to the Fedora OpenSSL maintainer - the config file is an internal format and it should not be re-implemented nor accessed by 3rd parties. More details in #208 and https://bugzilla.redhat.com/show_bug.cgi?id=1610921

@rhenium rhenium force-pushed the ky/config-include-directive branch from f46bac1 to 2ad65b5 on February 15, 2020 09:13
rhenium (Member, Author) commented Feb 15, 2020

Squashed in the changes in the Fedora patch.

@rhenium rhenium merged commit 9907de5 into ruby:maint-2.0 Feb 17, 2020
@rhenium rhenium mentioned this pull request Mar 9, 2020
nagachika (Member)

Hello,

I have noticed RubyCI requires this patch to pass an openssl test on some environments. I will backport the patch shown by @voxik into the ruby_2_7 branch. Thank you to all.

matzbot pushed a commit to ruby/ruby that referenced this pull request Jul 11, 2020
OpenSSL 1.1.1 introduces a new '.include' directive. Update our config
parser to support that.

As mentioned in the referenced GitHub issue, we should use the OpenSSL
API instead of implementing the parsing logic ourselves, but it will
need backwards-incompatible changes which we can't backport to stable
versions. So continue to use the Ruby implementation for now.

References:
  ruby/openssl#208
  ruby/openssl#216

The original patch was written by Kazuki Yamaguchi <[email protected]> and
the patch for ruby_2_7 branch was prepared by Vít Ondruch.