Make Ruby 3.1 and 3.2 work with OpenSSL 3 in FIPS mode (!1999) · Merge requests · GitLab.org / Build / CNG

Balasankar 'Balu' C requested to merge 2076-backport-ruby-fips-fix into master Sep 03, 2024

What does this MR do?

UBI 9 does not define the macro OPENSSL_FIPS like UBI 8 did, and this resulted in Ruby to be compiled without OpenSSL FIPS mode. By cherry-picking https://github.com/ruby/ruby/commit/678d41bc51f, we drop the requirement of this macro.

Testing

From a FIPS-enabled host with docker installed, run the following

$ docker run -it registry.gitlab.com/gitlab-org/build/cng/gitlab-ruby:2076-backport-ruby-fips-fix-fips ruby -e 'require "openssl"; puts OpenSSL.fips_mode'

and confirm it says true. From a host that is not FIPS-enabled, it should say false.

Related issues

Closes #2076 (closed)

Closes #2077

Mirrors Make Ruby 3.1 and 3.2 work with OpenSSL 3 in FI... (gitlab-org/omnibus-gitlab!7906 - merged)

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion

Required

Merge Request Title, and Description are up to date, accurate, and descriptive
MR targeting the appropriate branch
MR has a green pipeline on GitLab.com
When ready for review, MR is labeled "~workflow::ready for review" per the Distribution MR workflow

Expected (please provide an explanation if not completing)

Test plan indicating conditions for success has been posted and passes
Documentation created/updated
Integration tests added to GitLab QA
The impact any change in container size has should be evaluated
New dependencies are managed with dependencies.io

Edited Sep 03, 2024 by Jason Plum

Make Ruby 3.1 and 3.2 work with OpenSSL 3 in FIPS mode