[ruby/openssl] ssl: allow SSLContext#set_params to be used from non-main Ractors

Freeze OpenSSL::SSL::SSLContext::DEFAULT_PARAMS so that it becomes Ractor-shareable. Also, prepare a new OpenSSL::X509::Store in Ractor-local storage, if called from a non-main Ractor. OpenSSL::X509::Store currently is not a shareable object. https://github.com/ruby/openssl/commit/3d5271327c
2026-01-27 04:24:23 +00:00 · 2025-08-02 00:48:38 +09:00 · 2025-08-02 00:48:38 +09:00 · a8b34d9a9b
commit a8b34d9a9b
parent e4f1280831
2 changed files with 54 additions and 2 deletions
--- a/ext/openssl/lib/openssl/ssl.rb
+++ b/ext/openssl/lib/openssl/ssl.rb
@ -66,9 +66,10 @@ module OpenSSL
            AES256-SHA256
            AES128-SHA
            AES256-SHA
-          }.join(":"),
+          }.join(":").freeze,
        )
      end
+      DEFAULT_PARAMS.freeze

      DEFAULT_CERT_STORE = OpenSSL::X509::Store.new # :nodoc:
      DEFAULT_CERT_STORE.set_default_paths
@ -114,7 +115,14 @@ module OpenSSL
        params.each{|name, value| self.__send__("#{name}=", value) }
        if self.verify_mode != OpenSSL::SSL::VERIFY_NONE
          unless self.ca_file or self.ca_path or self.cert_store
-            self.cert_store = DEFAULT_CERT_STORE
+            if not defined?(Ractor) or Ractor.current == Ractor.main
+              self.cert_store = DEFAULT_CERT_STORE
+            else
+              self.cert_store = Ractor.current[:__openssl_default_store__] ||=
+                OpenSSL::X509::Store.new.tap { |store|
+                  store.set_default_paths
+                }
+            end
          end
        end
        return params
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@ -2317,6 +2317,50 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
    end
  end

+  # OpenSSL::Buffering requires $/ accessible from non-main Ractors (Ruby 3.5)
+  # https://bugs.ruby-lang.org/issues/21109
+  #
+  # Hangs on Windows
+  # https://bugs.ruby-lang.org/issues/21537
+  if respond_to?(:ractor) && RUBY_VERSION >= "3.5" && RUBY_PLATFORM !~ /mswin|mingw/
+    ractor
+    def test_ractor_client
+      start_server { |port|
+        s = Ractor.new(port, @ca_cert) { |port, ca_cert|
+          sock = TCPSocket.new("127.0.0.1", port)
+          ctx = OpenSSL::SSL::SSLContext.new
+          ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
+          ctx.cert_store = OpenSSL::X509::Store.new.tap { |store|
+            store.add_cert(ca_cert)
+          }
+          begin
+            ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+            ssl.connect
+            ssl.puts("abc")
+            ssl.gets
+          ensure
+            ssl.close
+            sock.close
+          end
+        }.value
+        assert_equal("abc\n", s)
+      }
+    end
+
+    ractor
+    def test_ractor_set_params
+      # We cannot actually test default stores in the test suite as it depends
+      # on the environment, but at least check that it does not raise an
+      # exception
+      ok = Ractor.new {
+        ctx = OpenSSL::SSL::SSLContext.new
+        ctx.set_params
+        ctx.cert_store.kind_of?(OpenSSL::X509::Store)
+      }.value
+      assert(ok, "ctx.cert_store is an instance of OpenSSL::X509::Store")
+    end
+  end
+
  private

  def server_connect(port, ctx = nil)