CI failing on openssl cases

[junaruga]

I synchronized the latest master branch in the repository into the one in my forked repository. Then I see the following CI failures in openssl cases.

https://github.com/junaruga/ruby-openssl/actions/runs/10075912441

I see 2 types of failures in the CI.

Failing to download the OpenSSL source archive file

For the most of the openssl cases, failing to get the source code of the OpenSSL from the openssl.org website.

$ curl -OL https://openssl.org/source/openssl-1.0.2u.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   127  100   127    0     0   1182      0 --:--:-- --:--:-- --:--:--  1186

$ echo $?
0

$ cat openssl-1.0.2u.tar.gz
<?xml version='1.0' encoding='UTF-8'?><Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message></Error>

Seeing the official page, the source archive is linked to the GitHub's release pages.
https://openssl-library.org/source/index.html

For example, the openssl-3.3.1.tar.gz is linked to the https://github.com/openssl/openssl/releases/download/openssl-3.3.1/openssl-3.3.1.tar.gz .

A challenge is I couldn't find the link to the openssl-1.0.2u.tar.gz . This is not convenient for our CI flow.
https://github.com/openssl/openssl/releases

I am asking the folks at the OpenSSL project on the following discussion page, and getting a temporary workflow.
openssl/openssl#24984

openssl-head fips failing

The 2nd type of the failure is openssl-head fips case specific. The following error happened with OpenSSL master branch commit openssl/openssl@14e4660.

https://github.com/junaruga/ruby-openssl/actions/runs/10075912441/job/27855173380#step:13:35

ruby 3.0.7p220 (2024-04-23 revision 724a071175) [x86_64-linux]
/home/runner/work/ruby-openssl/ruby-openssl/lib/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError)
  from /home/runner/work/ruby-openssl/ruby-openssl/lib/openssl/pkey.rb:132:in `new'
  from /home/runner/work/ruby-openssl/ruby-openssl/lib/openssl/pkey.rb:132:in `new'
  from /home/runner/work/ruby-openssl/ruby-openssl/lib/openssl/ssl.rb:36:in `<class:SSLContext>'
  from /home/runner/work/ruby-openssl/ruby-openssl/lib/openssl/ssl.rb:23:in `<module:SSL>'
  from /home/runner/work/ruby-openssl/ruby-openssl/lib/openssl/ssl.rb:22:in `<module:OpenSSL>'
  from /home/runner/work/ruby-openssl/ruby-openssl/lib/openssl/ssl.rb:21:in `<top (required)>'
  from /home/runner/work/ruby-openssl/ruby-openssl/lib/openssl.rb:22:in `require_relative'
  from /home/runner/work/ruby-openssl/ruby-openssl/lib/openssl.rb:22:in `<top (required)>'
  from <internal:/opt/hostedtoolcache/Ruby/3.0.7/x64/lib/ruby/3.0.0/rubygems/core_ext/kernel_require.rb>:85:in `require'
  from <internal:/opt/hostedtoolcache/Ruby/3.0.7/x64/lib/ruby/3.0.0/rubygems/core_ext/kernel_require.rb>:85:in `require'
rake aborted!

[junaruga]

For the above 1st issue, I sent the PR #779 as a temporary workaround, and merged it.

[junaruga]

For the above 2nd issue on openssl-head fips case, the OpenSSL commit we saw the CI passed on the case at is openssl/openssl@2c7cae5 . And the passing log is below.

https://github.com/ruby/openssl/actions/runs/9774837237/job/26983972069#step:3:42

[junaruga]

I sent the PR #780 to improve the CI related to this issue.

[rhenium]

Re master-fips failure: I have bisected it to openssl/openssl@6d47e81

However I don't understand why this can break DH.

[junaruga]

Thanks for bisecting it. I am going to ask folks about this issue at OpenSSL project.

[junaruga]

Thanks for bisecting it. I am going to ask folks about this issue at OpenSSL project.

Asking at openssl/openssl#24991.

[junaruga]

For the above 1st issue, I sent the PR #779 as a temporary workaround, and merged it.

I reverted the PR #779 by the PR #781 as I was told that the OpenSSL project resoved their website issue.

[junaruga]

Asking at openssl/openssl#24991.

I noticed that Ruby OpenSSL is loading both the base and fips providers again in the openssl-head fips case again with the OpenSSL openssl/openssl@3c6e114 .

https://github.com/junaruga/ruby-openssl/actions/runs/10093820863/job/27910380793#step:13:40

[junaruga]

I think OpenSSL's commit openssl/openssl@3c6e114 fixed the issue. I tested it on my local, and reported at openssl/openssl#24991 (comment) Let's close this issue ticket.