openssl support #6

Open
neurosnap opened this issue Jan 11, 2022 · 16 comments

@neurosnap

Thanks for the library! I'm not able to get openssl to work, does anyone have any thoughts?

{
  description = "development environment";
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.05";
    flake-utils.url = "github:numtide/flake-utils";
    nixpkgs-ruby.url = "github:bobvanderlinden/nixpkgs-ruby";
    nixpkgs-ruby.inputs.nixpkgs.follows = "nixpkgs";
  };
  outputs = { self, nixpkgs, flake-utils, nixpkgs-ruby }:
    flake-utils.lib.eachDefaultSystem (system:
      let
        pkgs = nixpkgs.legacyPackages.${system};
        ruby = nixpkgs-ruby.lib.mkRuby { inherit pkgs; rubyVersion = "2.2.10"; };
        bundler = pkgs.buildRubyGem rec {
          inherit ruby;
          name = "${gemName}-${version}";
          gemName = "bundler";
          version = "1.17.3";
          source = {
            remotes = ["https://rubygems.org"];
            sha256 = "sha256-vEv3W1SLJ0UaqfRDsYxGpzndIq1596X5C0hTdqZ9w1I=";
            type = "gem";
          };
        };
      in {
        devShell = pkgs.mkShell {
          buildInputs = [
            ruby
            bundler
          ];
        };
      });
}

Could not load OpenSSL.
You must recompile Ruby with OpenSSL support or change the sources in your Gemfile from 'https' to 'http'. Instructions for compiling with OpenSSL using RVM are available at rvm.io/packages/openssl.

@purcell

purcell commented Sep 11, 2022

With the older Rubies, they don't work with openssl >= 1.0, and nixpkgs now defaults to 1.1, which is not backwards-compatible. I think what happens is that the configure script of the ruby therefore fails to detect a working openssl, and quietly skips building it.

A couple of years ago, before the switch in nix file structure to use flakes, I worked around this by overriding the openssl version, but since then the older openssl has been completely removed from nixpkgs. Patches exist for the old Ruby code so that they will support the newer openssl, but I can't for the life of me figure out how to include them in the rubies built by mkRuby. Any pointers, @bobvanderlinden?

@bobvanderlinden
Owner

You can use overrideAttrs. Something like:

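(mkRuby { inherit pkgs; rubyVersion = "1.2.3"; }).overrideAttrs (old: {
  # Append to any patches the derivation already applies instead of replacing them.
  patches = (old.patches or [ ]) ++ [ ./mypatch.patch ];
})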

That said, I'm interested in those patches. I could add them in the repo for specific ranges of versions. Do you have a link where I can find them?

@purcell

purcell commented Sep 12, 2022

Huh, thanks, I thought I'd tried exactly that, but must have messed something up. 🙏

I'll report back when I've had chance to fiddle with this and see if I can confirm a working patch.

@purcell

purcell commented Sep 13, 2022

BTW, this PR to RVM has a comprehensive set of openssl compatibility patches for various versions of Ruby: rvm/rvm#5248

The patch for 2.2.x there is the same as one I found elsewhere, but doesn't seem to apply cleanly to 2.2.10 via nixpkgs-ruby, so I need to look into whether it just needs more fuzziness, or some actual edits. I can see value in incorporating these patches here — otherwise I think any Ruby < 2.4 will fail to have openssl support.

I had to do something similar when assembling a set of old Emacs versions for CI testing (https://github.com/purcell/nix-emacs-ci/) — to just satisfy basic usability with modern nixpkgs, a few small compatibility/backport patches were the practical choice.

@domenkozar

Fixed in master?

@purcell

purcell commented Nov 28, 2022

> Fixed in master?

No, I think that's a separate issue: it seems to fix Ruby 3 not building with OpenSSL > 1.1.

This particular report is about Ruby < 2.4 not building with OpenSSL > 1.0, which is still the case.

@bobvanderlinden
Owner

This problem shouldn't happen anymore. In #23, overrides were introduced that allow making changes to the Ruby derivation based on version ranges. OpenSSL 1.1 is now only applied to those versions that failed to build otherwise. In addition, there is now CI running that checks whether versions are still able to build.

Could you check whether this is still a problem for you?

@purcell

purcell commented Jan 2, 2023

@bobvanderlinden Could you clarify what you'd expect to be different now? Even without #23, the old versions built — they just silently had no OpenSSL support, because the unpatched source isn't compatible with any OpenSSL available in nixpkgs.

@bobvanderlinden
Owner

> Could you clarify what you'd expect to be different now?

I see what you mean. Older Ruby versions are expecting OpenSSL 1.0 and do not support OpenSSL 1.1 nor OpenSSL 3.0. OpenSSL 1.0 is not in nixpkgs anymore, so the Ruby source needs to be patched.

#23 merely makes sure Ruby versions that did not support OpenSSL 3.0 would use OpenSSL 1.1.

rvm/rvm#5248 does look like the right solution. Might be good to wait for it to be merged before trying to apply it to all applicable Ruby versions.

@purcell

purcell commented Jan 25, 2023

Yes, exactly. In practice, as I noted above, the patch in that RVM PR for Ruby 2.2.x didn't apply to 2.2.10 when I tried it, so I'm not sure I hold out much hope that a working set of patches is viable. (Perhaps I messed something up, but I don't think so.)

@trevorfoxsoft

I'm strangely having this error despite being on Ruby 3.0.4. My devenv.nix is below, and extremely basic. I've tried adding openssl to the package list to no avail. What's going on here?

{ pkgs, ... }:

{
  languages.ruby.enable = true;
  languages.ruby.versionFile = ./.ruby-version;

  # Packages to install
  packages = with pkgs; [
    git
  ];

  services.postgres.enable = true;
}

@bobvanderlinden
Owner

@trevorfoxsoft could you also post your devenv.yaml?

@trevorfoxsoft

> @trevorfoxsoft could you also post your devenv.yaml?

Of course, it's just as bare:

inputs:
  nixpkgs:
    url: github:NixOS/nixpkgs/nixpkgs-unstable
  nixpkgs-ruby:
    url: github:bobvanderlinden/nixpkgs-ruby

@trevorfoxsoft

Still struggling with this one—is there any more info I can provide or any suggestions to explore?

@socherbyc

@trevorfoxsoft For now, I am overriding openssl version:

{ pkgs, nixpkgs-ruby, ... }:

{
  languages.ruby.enable = true;
  languages.ruby.package = (nixpkgs-ruby.lib.packageFromRubyVersionFile {
    file = ./.ruby-version;
    system = pkgs.stdenv.system;
  }).override { openssl = pkgs.openssl_1_1; };

  # Packages to install
  packages = with pkgs; [
    git
  ];

  services.postgres.enable = true;
}

bobvanderlinden added a commit that referenced this issue Apr 22, 2023
As mentioned in #6, there are Ruby versions where openssl does not
correctly work.
The intention is to add tests for loading the openssl gem so that we can
detect for which versions openssl does and does not work.

After that it is likely that overrides are needed to change the openssl
version for specific Ruby versions.

@bobvanderlinden
Owner

bobvanderlinden commented Apr 22, 2023

#71 fixes the issue with Ruby 3.0.x not having openssl available. There are now tests available that check for require 'openssl' succeeding.

OpenSSL is still a problem for Ruby <2.4. The patches for RVM were merged, so I thought I'd give them a try as well. It did not really help. There seems to still be a problem during configurePhase. configure outputs "Failed to configure openssl. It will not be installed.", but no further information. I haven't bothered looking into this too much, as these versions seem insecure.

I'd suggest looking into https://lazamar.co.uk/nix-versions/?channel=nixpkgs-unstable&package=ruby for really old Ruby versions. With an older nixpkgs it'll use openssl 1.0 or even 0.9.x.
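
Added example, not part of the thread and not code from nixpkgs-ruby: a Ruby check that a dev shell or CI job can run to catch the two failure modes discussed above, an interpreter built silently without OpenSSL and a Gemfile switched from 'https' to 'http' as the Bundler error suggests. The function names, the `feature` parameter and the sample Gemfile are assumptions made for illustration.

```ruby
# Added illustration; not code from nixpkgs-ruby or from any commenter.
# SHA-256 of the empty string, used as a known-answer self-test.
EMPTY_SHA256 = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'

# Matches Gemfile lines such as: source 'http://rubygems.org'
PLAINTEXT_SOURCE = %r{\A\s*source\s*\(?\s*["'](http://[^"']+)["']}i

# Load the OpenSSL extension and push one real operation through it.
# `feature` is a hypothetical parameter so a missing extension can be simulated.
def openssl_probe(feature = 'openssl')
  require feature
  digest = OpenSSL::Digest.new('SHA256').hexdigest('')
  library = OpenSSL::OPENSSL_LIBRARY_VERSION if defined?(OpenSSL::OPENSSL_LIBRARY_VERSION)
  { ok: true, self_test: digest == EMPTY_SHA256,
    built_against: OpenSSL::OPENSSL_VERSION, linked_library: library }
rescue LoadError => e
  { ok: false, error: e.message }
end

# Return [line_number, url] for every uncommented plaintext `source` line.
def insecure_sources(gemfile_text)
  gemfile_text.each_line.with_index(1).map do |line, number|
    match = PLAINTEXT_SOURCE.match(line)
    [number, match[1]] if match
  end.compact
end

# Collect every reason the environment should be rejected; empty means pass.
def gate(gemfile_text, probe = openssl_probe)
  problems = []
  problems << "OpenSSL extension unavailable: #{probe[:error]}" unless probe[:ok]
  problems << 'OpenSSL loaded but SHA-256 self-test failed' if probe[:ok] && !probe[:self_test]
  insecure_sources(gemfile_text).each do |number, url|
    problems << "Gemfile:#{number} fetches gems over plaintext #{url}"
  end
  problems
end

# Constructed sample: a Gemfile edited the way the error message suggests.
SAMPLE_GEMFILE = <<GEMFILE
source 'http://rubygems.org'
# source 'https://rubygems.org'
gem 'rake'
GEMFILE

gate(SAMPLE_GEMFILE).each { |problem| warn problem }
```

In a real job, pass `File.read('Gemfile')` to `gate` and fail the step when the returned list is non-empty.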
