webpush icon indicating copy to clipboard operation
webpush copied to clipboard

Published 20 hours ago verified publisher icon zaru

Add support for OpenSSL 3

Open ClearlyClaire opened this issue 2 years ago • 15 comments

Starting form OpenSSL 3, PKey aren't mutable anymore, so we have to build them instead of separately setting private_key and public_key.

ClearlyClaire avatar May 17 '22 15:05 ClearlyClaire

Hi!

Any response on getting this merged?

donv avatar Sep 15 '22 10:09 donv

lgtm, @ClearlyClaire any response from @zaru on getting this merged?

MBM1607 avatar Nov 02 '22 12:11 MBM1607

+1 for this, it would be useful to have this update merged (and most importantly having this merged before support for previous openssl versions is dropped...)

collimarco avatar Nov 25 '22 15:11 collimarco

I am looking at the code line by line and in general seems good to me. However I have some doubts about the use of OpenSSL::ASN1::Sequence in VapidKey#to_pem and VapidKey#set_keys! , because it seems very low-level. I wonder if there's a better alternative.

For example here's another implementation (less code, high-level, widely used in production) of VapidKey#to_pem: https://github.com/pushpad/web-push/commit/20f40d9586b524b8c75e64887683931d6e11b078#diff-e8e36e8a5282b2fbf5503e699e222f3d5413c86cdbb94ecdd13148ea0c59e5f5

I wonder if we can keep something like that in OpenSSL 3 - I would feel more confident.

collimarco avatar Nov 27 '22 14:11 collimarco

Are these changes necessary at all?

Please try to use this https://github.com/pushpad/web-push (v2.0.0) and simply update the openssl version in the .gemspec to v3:

spec.add_dependency 'openssl', '~> 3.0'

Then run bundle update and bundle exec rspec... all tests are passing!

Maybe is it because the openssl gem v3 is still using the "OpenSSL library v1.1" on my machine? Or gem v3 always uses the C library v3?

collimarco avatar Nov 28 '22 09:11 collimarco

Ok, the gem version (e.g. v3) can be different from the underlying C library.

For example openssl gem v3 is still compatible with C library v1.1.

The breaking change seems related to updating the underlying C library to v3, not the gem, which can be updated to v3.

For the breaking changes caused by the C library, it seems that the Ruby core team is working on some workarounds at the gem level:

https://github.com/ruby/openssl/pull/480

Maybe that will make all these changes to this gem unnecessary (???)

collimarco avatar Nov 28 '22 20:11 collimarco

I am looking at the code line by line and in general seems good to me. However I have some doubts about the use of OpenSSL::ASN1::Sequence in VapidKey#to_pem and VapidKey#set_keys! , because it seems very low-level. I wonder if there's a better alternative.

For example here's another implementation (less code, high-level, widely used in production) of VapidKey#to_pem: pushpad/web-push@20f40d9#diff-e8e36e8a5282b2fbf5503e699e222f3d5413c86cdbb94ecdd13148ea0c59e5f5

I wonder if we can keep something like that in OpenSSL 3 - I would feel more confident.

Good catch. The result is the same and it works on OpenSSL 3. Pushed the change.

ClearlyClaire avatar Nov 29 '22 17:11 ClearlyClaire

@ClearlyClaire Great! I wonder if it's possible to use a similar, high-level approach also for set_keys!

collimarco avatar Nov 29 '22 22:11 collimarco

@collimarco, We have switched to web-push, version 2.1.0 and the error still persists. Is there any chance this fix could be applied in a 2.1.1 version ?

https://github.com/decidim/decidim/actions/runs/3648589265/jobs/6162187603

image

alecslupu avatar Dec 08 '22 13:12 alecslupu

@alecslupu the Pushpad fork already supports openssl v3 (the ruby gem), but still uses openssl v1.1 (the C library). I also want to add support for OpenSSL v3 (C library) soon, but at the moment the official Ruby docker images still use C library v1.1, so we are ok with that.

My main doubt with the code in this pull request is if we really need to go low-level (e.g. using OpenSSL::ASN1::Sequence) or if there is any other simpler solution.

collimarco avatar Dec 08 '22 15:12 collimarco

I totally understand the concern. I can confirm that the patch proposed in this PR, works okay for apps using OpenSSL v3 (C library).

I can confirm that Pushpad version is working fine with OpenSSL 3 gem having OpenSSL v1.1 (the C library), yet it fails when used with V3 C library.

alecslupu avatar Dec 08 '22 17:12 alecslupu

@collimarco are you considering merging this in your fork? That would be a reason, at least for me, to move to it.

xfalcox avatar Dec 13 '22 20:12 xfalcox

I have just released web-push v3.0 which is compatible with both OpenSSL v1.1 and OpenSSL v3 🎉 https://github.com/pushpad/web-push

Note: in order to use that gem you need to use gem 'web-push' and rename Webpush to WebPush.

collimarco avatar Jan 05 '23 11:01 collimarco

I replaced the webpush gem with web-push for ForkMonitor (changeWebpush to WebPush in the code) and it no longer throws OpenSSL::PKey::PKeyError when trying to send a push message. Didn't look at the code changes though.

Sjors avatar Feb 19 '23 14:02 Sjors

I can also confirm that renaming the gem from webpush to web-push fixes the OpenSSL::PKey::PKeyError (pkeys are immutable on OpenSSL 3.0) that bugged me all day. Thanks for the fix!

timokleemann avatar Aug 21 '23 09:08 timokleemann