From: "sachiang (Samuel Chiang) via ruby-core"
Date: 2024-12-26T19:39:23+00:00
Subject: [ruby-core:120421] [Ruby master Feature#20960] Support building OpenSSL for Ruby with AWS-LC

Issue #20960 has been updated by sachiang (Samuel Chiang).

alanwu (Alan Wu) wrote in #note-2:

> Discussion for this should probably move to . Ruby is downstream to the `openssl` gem.

Thanks for the tip! I'll move this conversation over there then.

----------------------------------------
Feature #20960: Support building OpenSSL for Ruby with AWS-LC
https://bugs.ruby-lang.org/issues/20960#change-111201

* Author: sachiang (Samuel Chiang)
* Status: Open
----------------------------------------
Hello, I'm an engineer at AWS working on [AWS-LC](https://github.com/aws/aws-lc), AWS's open-source cryptographic library maintained for AWS and their customers. AWS-LC supports CPU-specific performance optimizations for AWS Graviton 2, [AWS Graviton 3](https://github.com/aws/aws-lc/commit/ae87faf735c0241a115542b1c1022d125564bf55), and [Intel x86-64 with AVX-512 instructions](https://github.com/aws/aws-lc/commit/e22cf5065761bec8882c66cea94a9320bc8c0334). We've formally verified [a subset of](https://github.com/awslabs/aws-lc-verification#verified-code) AWS-LC's cryptographic primitives, and continue to invest in expanding this coverage. AWS-LC can also be built in [FIPS mode](https://aws.amazon.com/blogs/security/aws-lc-fips-3-0-first-cryptographic-library-to-include-ml-kem-in-fips-140-3-validation/) to help consumers meet FIPS 140-3 compliance requirements.

To give Ruby users a well-documented and supported way to take advantage of these investments, we would like to upstream build compatibility for AWS-LC into Ruby. We believe that this would provide the best experience for users wishing to build Ruby against AWS-LC. It would also allow users to circumvent maintaining and applying their own patch sets to build Ruby with AWS-LC. Earlier this year, we [engaged with the CPython maintainers](https://discuss.python.org/t/support-building-ssl-and-hashlib-modules-against-aws-lc/44505) to successfully address similar needs for our respective users.

We are working on patch sets to integrate Ruby's OpenSSL module with AWS-LC. AWS-LC is committed to backwards compatibility and we aim to keep our API stable. Our open source repository has CI jobs ([here](https://github.com/aws/aws-lc/tree/main/tests/ci/integration) and [here](https://github.com/aws/aws-lc/blob/main/.github/workflows/integrations.yml)) asserting every change's compatibility with multiple different open-source projects. We've [recently added Ruby 3.1 and 3.2](https://github.com/aws/aws-lc/commit/57133c00c71f9a6790c7c9d9a63ab883a7e607cf) to this test suite and we're in the midst of incorporating Ruby's main branch and 3.3. These tests are used to catch compatibility regressions against every change before they're merged and to resolve potential build issues beforehand when upstream projects make relevant changes. Relevant unit tests from the upstream projects are also run to confirm that the underlying `libcrypto` & `libssl` behave as expected. By expanding our regular testing processes to include Ruby, we proactively prevent any unanticipated breaks in the Ruby/AWS-LC build.

The proposed integration supports all features of Ruby's OpenSSL module, except for the use of DHE cipher suites in `libssl`. Excluding this, we have confirmed that all relevant unit tests for Ruby's OpenSSL module perform as expected.

If you folks agree that this integration would be beneficial for Ruby and its consumers, I'd be more than happy to put together a PR.

--
https://bugs.ruby-lang.org/