Releases: ruby/openssl

v4.0.0

15 Dec 09:57

A high-level overview is available in History.md: https://github.com/ruby/openssl/blob/master/History.md#version-400

Merged Pull Requests

  • pkey: Use openssl generated pkcs8 key instead by @samuel40791765 in #830
  • Various cleanups in pkey tests by @rhenium in #834
  • Reduce OpenSSL::Buffering#do_write overhead by @byroot in #831
  • Require LibreSSL 3.9 or later (Drop support for 3.1-3.8) by @rhenium in #836
  • Require OpenSSL 1.1.0 or later (Drop support for 1.0.2) by @rhenium in #839
  • Require OpenSSL 1.1.1 or later (Drop support for 1.1.0) by @rhenium in #841
  • Use X509_ALGOR_get0() accessor for X509_ALGOR by @botovq in #687
  • pkey: change PKey::{RSA,DSA,DH}#params to use nil for missing parameters by @rhenium in #774
  • ts: use TS_VERIFY_CTX_set0_{store,certs}() on OpenSSL 3.4 by @rhenium in #842
  • ssl: separate SSLContext#min_version= and #max_version= by @rhenium in #849
  • pkey/ec: remove deprecated PKey::EC::Point#mul(ary, ary [, bn]) form by @rhenium in #843
  • test_ssl.rb: Test respecting system default min. by @junaruga in #851
  • Cleanups in SSL tests by @rhenium in #853
  • Add build support for AWS-LC by @samuel40791765 in #852
  • Avoid calling sk_*() with NULL by @rhenium in #854
  • ssl: remove cert_store from start_server test helper by @rhenium in #858
  • Patch and enable tests with AWS-LC by @samuel40791765 in #855
  • Use ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"] instead of OpenSSL::OPENSSL_FIPS. by @junaruga in #862
  • ssl: manually craft invalid SAN extensions in tests by @rhenium in #861
  • digest: always run SHA-3 and truncated SHA-2 tests by @rhenium in #864
  • ssl: refactor check_supported_protocol_versions by @rhenium in #866
  • ssl: fix tests using TLS 1.1 or older by @rhenium in #867
  • Improve AWS-LC tests by @junaruga in #863
  • Improve document of initialize_copy by @midnight-wonderer in #869
  • Skip PKCS7 with indefinite length test in AWS-LC by @samuel40791765 in #871
  • pkcs7: fix test failure on RHEL 9 by @rhenium in #876
  • CI: Upgrade OpenSSL versions by @junaruga in #878
  • Fix the tests using SHA-1 Probabilistic Signature Scheme (PSS) parameters. by @junaruga in #879
  • .github/workflows/test.yml: stop using ubuntu-20.04 runner image by @rhenium in #880
  • ssl: fix SSLSocket#syswrite with String-convertible objects by @rhenium in #881
  • asn1: check for missing EOC in indefinite length encoding by @rhenium in #859
  • .github/workflows/test.yml: update test-openssls by @rhenium in #884
  • AWS-LC has support for parsing ber constructed strings now by @samuel40791765 in #888
  • cipher: remove Cipher#encrypt(password, iv) form by @rhenium in #887
  • ssl: fix potential memory leak in SSLContext#setup by @rhenium in #882
  • CI test.yml - add workflow_dispatch by @MSP-Greg in #890
  • ssl: add SSLContext#sigalgs= and #client_sigalgs= by @rhenium in #895
  • pkey: add support for OpenSSL 3 provider-only pkeys by @rhenium in #898
  • Use Dir.glob and base keyword arg for the installer of Ruby package by @hsbt in #904
  • Run have_func with the header providing the declarations by @nobu in #905
  • ssl: rename SSLContext#ecdh_curves= to #groups= by @rhenium in #900
  • pkey/ec: avoid calling SYM2ID() on user-supplied objects by @rhenium in #907
  • asn1: align UTCTime year range with RFC 5280 by @rhenium in #909
  • Various test and CI improvements by @rhenium in #910
  • Rakefile: fix :test/:test_fips => :compile dependency by @rhenium in #911
  • ssl: add SSLSocket#sigalg, #peer_sigalg, #group by @junaruga in #908
  • ssl: add post-quantum cryptography (PQC) tests by @junaruga in #913
  • lib/openssl.rb: require files in alphabetical order by @rhenium in #914
  • Cleanup ossl_*_new() functions by @rhenium in #912
  • x509store: fix StoreContext#current_cert by @rhenium in #919
  • pkcs7: clean up tests by @rhenium in #921
  • pkcs7: fix error queue leak in OpenSSL::PKCS7#detached by @rhenium in #922
  • pkcs7: make PKCS7#add_recipient actually useful by @rhenium in #923
  • pkey: skip tests using invalid keys in the FIPS mode by @rhenium in #930
  • Add missing write barriers in X509 by @jhawthorn in #932
  • pkey: fix repeated passphrase prompts in OpenSSL::PKey.read by @rhenium in #931
  • pkey: fix loading public keys with early OpenSSL 3.0.x releases by @rhenium in #940
  • CONTRIBUTING.md: Add Debugging section [ci skip] by @junaruga in #944
  • Revert "pkey: stop retrying after non-retryable error from OSSL_DECODER" by @rhenium in #943
  • c_rehash: fix hash_name output for small hashes by @orgads in #942
  • Add AuthTagError exception for AEAD authentication failures by @samuel-williams-shopify in #939
  • Fix test_ssl.rb in FIPS. by @junaruga in #937
  • Fix "default gem" link in README.md by @holtrop in #945
  • CI: Add GitHub Actions ppc64le/s390x cases by @junaruga in #946
  • pkey: disallow {DH,DSA,EC,RSA}.new without arguments on OpenSSL 3.0 by @rhenium in #848
  • pkey/dh: refactor tests by @rhenium in #947
  • CI: Upgrade OpenSSL and LibreSSL versions by @junaruga in #948
  • Add a workflow to sync commits to ruby/ruby by @k0kubun in #951
  • ssl: use SSL_CTX_set_dh_auto() by default by @rhenium in #924
  • ssl: allow SSLContext#set_params to be used from non-main Ractors by @rhenium in #925
  • Update link to OpenSSL configuration file docs by @tobscher in #956
  • cipher: various docs improvements by @rhenium in #954
  • Update keys used in tests by @rhenium in #953
  • Add support for "fetched" EVP_MD and EVP_CIPHER by @rhenium in #958
  • pkey: unify error classes into PKeyError by @rhenium in #929
  • Replace Ruby 3.5 with Ruby 4.0 by @yahonda in #961
  • ssl: fix test_pqc_sigalg on RHEL 9.7 by @rhenium in #965
  • pkey/ec: fix OpenSSL::PKey::EC::Group#curve_name for unknown curves by @rhenium in #966
  • asn1: refactor converting ASN1_OBJECT to string by @rhenium in #967
  • ts: fix docs for attrs on OpenSSL::Timestamp::Factory by @rhenium in #970
  • Remove dummy declarations for mOSSL and eOSSLError by @rhenium in #971
  • Revert "rewriting most of the asn1 init code in ruby" by @rhenium in #972
  • Expand tabs in C source files by @rhenium in #973
  • asn1: use ASN1_TIME_to_tm() to decode UTCTime and GeneralizedTime by @rhenium in #974
  • x509cert: handle invalid validity periods in Certificate#inspect by @rhenium in #977
  • Treat ASN1_STRING as opaque by @botovq in #978
  • asn1integer_to_num: don't cast away const by @botovq in #979
  • ossl.c: implement OpenSSL::OpenSSLError#detailed_message by @rhenium in #976
  • x509cert: update doc for OpenSSL::X509::Certificate#== by @rhenium in #984
  • pkcs7: raise OpenSSL::PKCS7::PKCS7Error in #initialize by @rhenium in #983
  • Freeze more constants for Ractor compatibility by @rhenium in #985
  • Release 4.0.0 by @rhenium in https...

v3.3.2

27 Oct 06:43

What's Changed

  • Check NULL values for deprecated EVP_PKEY_get0() functions by @stanhu in #957

Full Changelog: v3.3.1...v3.3.2

v3.2.3

27 Oct 06:43

What's Changed

  • Check NULL values for deprecated EVP_PKEY_get0() functions by @stanhu in #957

Full Changelog: v3.2.2...v3.2.3

v3.1.3

27 Oct 06:43

What's Changed

  • Check NULL values for deprecated EVP_PKEY_get0() functions by @stanhu in #957

Full Changelog: v3.1.2...v3.1.3

v3.3.1

06 Oct 08:06

What's Changed

  • ssl: fix SSLSocket#sysread leaking locktmp String on timeout by @rhenium in #832
  • Fix CI in maint-3.1 branch by @rhenium in #846
  • pkey: avoid calling i2d_PUBKEY family on an incomplete key by @rhenium in #847
  • Removed needless workaround again by @hsbt in #850
  • test/openssl/test_bn.rb: use Ractor#value by @rhenium in #896
  • ssl: remove OpenSSL::X509::V_FLAG_CRL_CHECK_ALL from the default store by @rhenium in #950

Full Changelog: v3.3.0...v3.3.1

v3.2.2

06 Oct 08:06

What's Changed

  • Fix CI in maint-3.1 branch by @rhenium in #846
  • pkey: avoid calling i2d_PUBKEY family on an incomplete key by @rhenium in #847
  • test/openssl/test_bn.rb: use Ractor#value by @rhenium in #896
  • ssl: remove OpenSSL::X509::V_FLAG_CRL_CHECK_ALL from the default store by @rhenium in #950

Full Changelog: v3.2.1...v3.2.2

v3.1.2

06 Oct 08:07

What's Changed

  • Fix CI in maint-3.1 branch by @rhenium in #846
  • pkey: avoid calling i2d_PUBKEY family on an incomplete key by @rhenium in #847
  • test/openssl/test_bn.rb: use Ractor#value by @rhenium in #896
  • ssl: remove OpenSSL::X509::V_FLAG_CRL_CHECK_ALL from the default store by @rhenium in #950

Full Changelog: v3.1.1...v3.1.2

v3.3.0

21 Dec 17:38

What's Changed

  • Exact checks with assert_include by @nobu in #683
  • Exact checks with assert_include by @nobu in #684
  • CI: Upgrade OpenSSL and LibreSSL versions. by @junaruga in #689
  • CONTRIBUTING.md: Update testing with debugging and FIPS use cases. [ci skip] by @junaruga in #688
  • CI: Add OpenSSL 3.2.0. by @junaruga in #698
  • History.md: Escape Markdown syntax Italic "*". [ci skip] by @junaruga in #697
  • Use Markdown reference-style links in documents. [ci skip] by @junaruga in #696
  • Fix test_pkey_dh.rb in FIPS. by @junaruga in #694
  • Windows Ruby 3.3: Workaround: Set OPENSSL_MODULES to find providers. by @junaruga in #712
  • CI: Added the rubyinstaller2 issue link that legacy provider is not loaded. by @junaruga in #713
  • Add more methods to SocketForwarder. by @ioquatix in #708
  • Only set min_version on OpenSSL < 1.1.0 by @ekohl in #710
  • Add support for IO#timeout. by @ioquatix in #714
  • test/openssl/test_ocsp.rb: fix flaky test by @rhenium in #702
  • CI: Upgrade OpenSSL and LibreSSL versions. by @junaruga in #720
  • omit tests related legacy provider by @hsbt in #718
  • test_asn1.rb: Remove the assertions of the time string format without second. by @junaruga in #728
  • test_provider.rb: Make a legacy provider test optional. by @junaruga in #721
  • Revert openssl dir workaround on TruffleRuby by @eregon in #705
  • Fix test_pkey_dsa.rb in FIPS. by @junaruga in #729
  • Use www.rfc-editor.org for RFC text. by @hsbt in #737
  • CI: Upgrade OpenSSL and LibreSSL versions. by @junaruga in #745
  • Only CSR version 1 (encoded as 0) is allowed by PKIX standards by @botovq in #747
  • Introduce basic support for close_read and close_write. by @ioquatix in #743
  • CI: Remove workaround for Ruby-3.2 and 3.3 on Windows by @larskanis in #748
  • Add OpenSSL::Digest.digests to get a list of available digests by @bdewater in #726
  • Remove trailing space in test_ssl.rb by @peterzhu2118 in #750
  • asn1: check error return from i2d_ASN1_TYPE() by @rhenium in #755
  • read: don't clear buffer when nothing can be read by @casperisfine in #739
  • Add to_text for PKCS7 and Timestamp::Response by @segiddins in #756
  • [CI] test.yml - use bundle exec, use setup-ruby bundler-cache, fixes Windows issue by @MSP-Greg in #758
  • Don't download OpenSSL from ftp.openssl.org anymore by @KJTsanaktsidis in #763
  • Fix test_create_with_mac_iter accidentally setting keytype not maciter by @KJTsanaktsidis in #762
  • Add X509::Certificate#tbs_bytes by @segiddins in #753
  • Clarify license by @rhenium in #754
  • Automatically update GitHub Pages from master branch by @rhenium in #764
  • CI: Rely on setup-ruby to install Bundler gems by @olleolleolle in #766
  • Pass through nil as digest when signing certificates by @gartens in #761
  • rewriting most of the asn1 init code in ruby by @HoneyryderChuck in #740
  • Add SSLSocket#readbyte by @lwoggardner in #771
  • A temporary workaround to download OpenSSL archive files. by @junaruga in #779
  • x509attr: avoid using OpenSSL::ASN1 internals in #value= by @rhenium in #773
  • Set time directly on the x509 store by @segiddins in #770
  • Revert "A temporary workaround to download OpenSSL archive files." by @junaruga in #781
  • CI: Upgrade OpenSSL and LibreSSL versions by @junaruga in #782
  • Make "rake debug" protective for a Ruby OpenSSL loading error. by @junaruga in #783
  • Update .github/workflows/test.yml by @rhenium in #784
  • test_s_generate_parameters: Consider a DSA error in FIPS. by @junaruga in #786
  • Remove test_ed25519_not_approved_on_fips. by @junaruga in #789
  • Fix test_pkey_rsa.rb in FIPS. by @junaruga in #790
  • Fix test_provider.rb in FIPS. by @junaruga in #794
  • CI: Upgrade OpenSSL versions by @junaruga in #799
  • Add prime gem to d dependency by @takkanm in #810
  • CI: Upgrade OpenSSL and LibreSSL versions by @rhenium in #813
  • [DOC] Replace removed method in example for OpenSSL::Config#to_s by @hoshi-sano in #805
  • ssl: remove redundant ossl_ssl_ex_vcb_idx by @rhenium in #795
  • pkcs7: remove default cipher from PKCS7.encrypt by @rhenium in #796
  • move ractor safe macro to ossl.h by @HoneyryderChuck in #811
  • make bn shareable when frozen by @HoneyryderChuck in #808
  • Add passing test files in FIPS. by @junaruga in #819
  • Rakefile: Manage test files by excluding test files in the test_fips task. by @junaruga in #820
  • Support signing requests and CRLs using ED25519 by @joshcooper in #804
  • ssl: fix potential exception in servername_cb by @rhenium in #822
  • ssl: handle callback exceptions in SSLSocket#sysread and #syswrite by @rhenium in #821
  • ossl config: shareable when frozen by @HoneyryderChuck in #809
  • Various small fixes in C extension code by @rhenium in #814
  • ssl: do not enable OpenSSL::SSL::OP_ALL by default by @rhenium in #767
  • pkcs12: add PKCS12#set_mac by @rhenium in #788
  • digest: remove optional parameter from OpenSSL::Digest#finish by @rhenium in #825
  • ssl: fix flaky test case test_ctx_client_session_cb_tls13_exception by @rhenium in #829
  • Ruby/OpenSSL 3.3.0 by @rhenium in #827

Full Changelog: v3.2.1...v3.3.0

v3.2.1

18 Dec 13:13

What's Changed

  • Fix regression in do_write(s) causing significant performance issues when using large (>10meg) writes by @jaymzjulian in #706
  • Backport test fixes to 3.0 by @rhenium in #751
  • cipher: fix buffer overflow in Cipher#update by @rhenium in #717
  • Handle missing content in PKCS7 by @rhenium in #752
  • Remove "gemspec" from Gemfile by @rhenium in #768
  • asn1: fix ObjectId#== by @rhenium in #792
  • x509: fix handling of multiple URIs in Certificate#crl_uris by @rhenium in #776
  • cipher: make output buffer String independent by @rhenium in #824
  • Configure RubyGems Trusted Publishing by @rhenium in #815

Full Changelog: v3.2.0...v3.2.1

v3.1.1

18 Dec 13:12

What's Changed

  • pkey/ec: constify by @nobu in #584
  • Fix regression in do_write(s) causing significant performance issues when using large (>10meg) writes by @jaymzjulian in #706
  • Backport test fixes to 3.0 by @rhenium in #751
  • cipher: fix buffer overflow in Cipher#update by @rhenium in #717
  • Handle missing content in PKCS7 by @rhenium in #752
  • Remove "gemspec" from Gemfile by @rhenium in #768
  • asn1: fix ObjectId#== by @rhenium in #792
  • x509: fix handling of multiple URIs in Certificate#crl_uris by @rhenium in #776
  • cipher: make output buffer String independent by @rhenium in #824

Full Changelog: v3.1.0...v3.1.1