Avoid mutating SSLContext in SSLServer. by ioquatix · Pull Request #742 · ruby/openssl

ioquatix · 2024-04-21T13:24:22Z

I think that we shouldn't mutate the SSLContext in SSLServer and instead be more proactive about setting the right defaults.

               |   FrozenError: can't modify frozen OpenSSL::SSL::SSLContext: #<OpenSSL::SSL::SSLContext:0x0000000104d3f3b0 @verify_mode=0, @verify_hostname=true, @servername_cb=#<Proc:0x0000000104d3f1a8 /Users/samuel/Developer/socketry/async-http-native-io/external/falcon/lib/falcon/environment/proxy.rb:78>, @session_id_context=nil, @max_proto_version=771, @min_proto_version=771>
               |   → /Users/samuel/.gem/ruby/3.3.0/bundler/gems/openssl-d3d857cd1e4d/lib/openssl/ssl.rb:536 in `initialize'
               |     /Users/samuel/.gem/ruby/3.3.0/gems/io-endpoint-0.7.2/lib/io/endpoint/ssl_endpoint.rb:125 in `new'
               |     /Users/samuel/.gem/ruby/3.3.0/gems/io-endpoint-0.7.2/lib/io/endpoint/ssl_endpoint.rb:125 in `block in bind'
               |     /Users/samuel/.gem/ruby/3.3.0/gems/io-endpoint-0.7.2/lib/io/endpoint/ssl_endpoint.rb:124 in `map'
               |     /Users/samuel/.gem/ruby/3.3.0/gems/io-endpoint-0.7.2/lib/io/endpoint/ssl_endpoint.rb:124 in `bind'
               |     /Users/samuel/Developer/socketry/async-http-native-io/lib/async/http/endpoint.rb:185 in `bind'
               |     /Users/samuel/.gem/ruby/3.3.0/gems/io-endpoint-0.7.2/lib/io/endpoint/bound_endpoint.rb:13 in `bound'
               |     /Users/samuel/.gem/ruby/3.3.0/gems/io-endpoint-0.7.2/lib/io/endpoint/bound_endpoint.rb:83 in `bound'
               |     lib/falcon/service/server.rb:41 in `block in start'
               |     /Users/samuel/.gem/ruby/3.3.0/gems/async-2.10.2/lib/async/task.rb:163 in `block in run'
               |     /Users/samuel/.gem/ruby/3.3.0/gems/async-2.10.2/lib/async/task.rb:376 in `block in schedule'

rhenium · 2024-04-26T16:51:20Z

Can we just skip assigning the session ID context if SSLContext is already frozen, for now?

I agree SSLServer shouldn't mutate SSLContext, but I don't feel safe to change the behavior without deprecating it first, as that could break existing user programs in a tricky way.

rhenium · 2024-04-26T16:53:22Z

+          session_id = prng.bytes(16).unpack1('H*')
+          self.session_id_context = session_id
+        end
+


SSLContext#set_params is useful only for TLS clients so the session ID context should not be set here (which only makes sense for servers).

Do not raise FrozenError in SSLServer.new when SSLContext#session_id_context cannot be updated. session_id_context is only necessary for session resumption, so its absence is not critical. Fixes ruby#742

Do not raise FrozenError in SSLServer.new when SSLContext#session_id_context cannot be updated. session_id_context is only necessary for session resumption, so its absence is not critical. Fixes ruby/openssl#742 ruby/openssl@51de9c303e

Avoid mutating SSLContext in SSLServer.

6d08940

rhenium reviewed Apr 26, 2024

View reviewed changes

rhenium mentioned this pull request Jun 24, 2026

ssl: let SSLServer accept frozen SSLContext #1072

Merged

rhenium closed this in #1072 Jun 24, 2026

ioquatix deleted the set_params-session_id_context branch June 25, 2026 00:59

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Avoid mutating SSLContext in SSLServer.#742

Avoid mutating SSLContext in SSLServer.#742
ioquatix wants to merge 1 commit into
masterfrom
set_params-session_id_context

ioquatix commented Apr 21, 2024

Uh oh!

rhenium commented Apr 26, 2024

Uh oh!

rhenium Apr 26, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Uh oh!

Conversation

ioquatix commented Apr 21, 2024

Uh oh!

rhenium commented Apr 26, 2024

Uh oh!

rhenium Apr 26, 2024

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants