From 7863389ad0e31bee853ba5c7399637edbead31a1 Mon Sep 17 00:00:00 2001 From: Kazuki Yamaguchi Date: Sun, 5 Oct 2025 19:38:47 +0900 Subject: [PATCH] [ruby/openssl] ssl: remove OpenSSL::X509::V_FLAG_CRL_CHECK_ALL from the default store With OpenSSL 3.6.0, it causes nearly every certificate verification to fail with the message "certificate verify failed (unable to get certificate CRL)" because the CRLs are typically unavailable in the default store used by OpenSSL::SSL::SSLContext#set_params. OpenSSL::X509::V_FLAG_CRL_CHECK_ALL is a flag that extends the CRL checking to all certificates in the chain. In OpenSSL < 3.6.0, the flag alone has no effect, and OpenSSL::X509::V_FLAG_CRL_CHECK must also be set to enable CRL checking. In OpenSSL 3.6.0, OpenSSL::X509::V_FLAG_CRL_CHECK_ALL now implies OpenSSL::X509::V_FLAG_CRL_CHECK. This is inconsistent with the man page and may be fixed in a future OpenSSL 3.6.x release, but this flag is not needed and should not be set by default. Fixes https://github.com/ruby/openssl/issues/949 https://github.com/ruby/openssl/commit/e8481cd687 --- ext/openssl/lib/openssl/ssl.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb index a0ad5dc3a6..46509c333e 100644 --- a/ext/openssl/lib/openssl/ssl.rb +++ b/ext/openssl/lib/openssl/ssl.rb @@ -91,7 +91,6 @@ ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== DEFAULT_CERT_STORE = OpenSSL::X509::Store.new # :nodoc: DEFAULT_CERT_STORE.set_default_paths - DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL # A callback invoked when DH parameters are required for ephemeral DH key # exchange.
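Review bot: the one-line deletion is the right fix, but after it nothing in the file records why `DEFAULT_CERT_STORE` deliberately carries no CRL flags, so the flag could be reintroduced later by someone reading the OpenSSL man page; consider a short comment above `DEFAULT_CERT_STORE.set_default_paths` stating that CRL checking is off by default because the default paths contain no CRLs (per the commit message, `V_FLAG_CRL_CHECK_ALL` alone was a no-op before 3.6.0 and on 3.6.0 implies `V_FLAG_CRL_CHECK`, which then fails with "unable to get certificate CRL"). A regression test asserting that the default store's `flags` stay at 0 would guard the same point. Applications that do want revocation checking should set `OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL` on a store of their own into which they have loaded the CRLs, rather than rely on `set_params`.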