From: "nagachika (Tomoyuki Chikanaga) via ruby-core" <ruby-core@...>
Date: 2023-06-24T08:00:52+00:00
Subject: [ruby-core:114017] [Ruby master Bug#19307] Fix `OpenSSL::X509::CertificateError: invalid digest` on CentOS 9 / RHEL 9

Issue #19307 has been updated by nagachika (Tomoyuki Chikanaga).

Backport changed from 2.7: DONTNEED, 3.0: DONTNEED, 3.1: DONTNEED, 3.2: REQUIRED to 2.7: DONTNEED, 3.0: DONTNEED, 3.1: DONTNEED, 3.2: DONE

ruby_3_2 9fca561980c6d024229d72600180b20f3f77536f merged revision(s) cd5e6cc0ea48353c88d921b885b552dc76da255c,bbf54ec334fe2edd7669a944d88d17efde49a412.

----------------------------------------
Bug #19307: Fix `OpenSSL::X509::CertificateError: invalid digest` on CentOS 9 / RHEL 9
https://bugs.ruby-lang.org/issues/19307#change-103679

* Author: vo.x (Vit Ondruch)
* Status: Closed
* Priority: Normal
* ruby -v: ruby 3.2.0 (2022-12-25 revision a528908271) [x86_64-linux]
* Backport: 2.7: DONTNEED, 3.0: DONTNEED, 3.1: DONTNEED, 3.2: DONE
----------------------------------------
CentOS 9 / RHEL 9 requires prohibits SHA1 for signing purposes, therefore these specs fail:

~~~
1)
OpenSSL::X509::Name.verify returns true for valid certificate ERROR
OpenSSL::X509::CertificateError: invalid digest
/builddir/build/BUILD/ruby-3.2.0/spec/ruby/library/openssl/x509/name/verify_spec.rb:15:in `sign'
/builddir/build/BUILD/ruby-3.2.0/spec/ruby/library/openssl/x509/name/verify_spec.rb:15:in `block (2 levels) in <top (required)>'
/builddir/build/BUILD/ruby-3.2.0/spec/ruby/library/openssl/x509/name/verify_spec.rb:4:in `<top (required)>'
2)
OpenSSL::X509::Name.verify returns false for an expired certificate ERROR
OpenSSL::X509::CertificateError: invalid digest
/builddir/build/BUILD/ruby-3.2.0/spec/ruby/library/openssl/x509/name/verify_spec.rb:31:in `sign'
/builddir/build/BUILD/ruby-3.2.0/spec/ruby/library/openssl/x509/name/verify_spec.rb:31:in `block (2 levels) in <top (required)>'
/builddir/build/BUILD/ruby-3.2.0/spec/ruby/library/openssl/x509/name/verify_spec.rb:4:in `<top (required)>'
~~~

I have opened PR [here](https://github.com/ruby/spec/pull/990), but I'd also like see this backported into 3.2, hence also reporting here.



-- 
https://bugs.ruby-lang.org/
 ______________________________________________
 ruby-core mailing list -- ruby-core@ml.ruby-lang.org
 To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
 ruby-core info -- https://ml.ruby-lang.org/mailman3/postorius/lists/ruby-core.ml.ruby-lang.org/