ssl: allow SSLContext#set_params to be used from non-main Ractors

rhenium · rhenium · commit 3d5271327c75 · 2025-10-08T23:15:31.000+09:00
Freeze OpenSSL::SSL::SSLContext::DEFAULT_PARAMS so that it becomes
Ractor-shareable.

Also, prepare a new OpenSSL::X509::Store in Ractor-local storage, if
called from a non-main Ractor. OpenSSL::X509::Store currently is not a
shareable object.
diff --git a/lib/openssl/ssl.rb b/lib/openssl/ssl.rb
@@ -66,9 +66,10 @@ class SSLContext
             AES256-SHA256
             AES128-SHA
             AES256-SHA
-          }.join(":"),
+          }.join(":").freeze,
         )
       end
+      DEFAULT_PARAMS.freeze
 
       DEFAULT_CERT_STORE = OpenSSL::X509::Store.new # :nodoc:
       DEFAULT_CERT_STORE.set_default_paths
@@ -114,7 +115,14 @@ def set_params(params={})
         params.each{|name, value| self.__send__("#{name}=", value) }
         if self.verify_mode != OpenSSL::SSL::VERIFY_NONE
           unless self.ca_file or self.ca_path or self.cert_store
-            self.cert_store = DEFAULT_CERT_STORE
+            if not defined?(Ractor) or Ractor.current == Ractor.main
+              self.cert_store = DEFAULT_CERT_STORE
+            else
+              self.cert_store = Ractor.current[:__openssl_default_store__] ||=
+                OpenSSL::X509::Store.new.tap { |store|
+                  store.set_default_paths
+                }
+            end
           end
         end
         return params
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
@@ -2317,6 +2317,50 @@ def test_export_keying_material
     end
   end
 
+  # OpenSSL::Buffering requires $/ accessible from non-main Ractors (Ruby 3.5)
+  # https://bugs.ruby-lang.org/issues/21109
+  #
+  # Hangs on Windows
+  # https://bugs.ruby-lang.org/issues/21537
+  if respond_to?(:ractor) && RUBY_VERSION >= "3.5" && RUBY_PLATFORM !~ /mswin|mingw/
+    ractor
+    def test_ractor_client
+      start_server { |port|
+        s = Ractor.new(port, @ca_cert) { |port, ca_cert|
+          sock = TCPSocket.new("127.0.0.1", port)
+          ctx = OpenSSL::SSL::SSLContext.new
+          ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
+          ctx.cert_store = OpenSSL::X509::Store.new.tap { |store|
+            store.add_cert(ca_cert)
+          }
+          begin
+            ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+            ssl.connect
+            ssl.puts("abc")
+            ssl.gets
+          ensure
+            ssl.close
+            sock.close
+          end
+        }.value
+        assert_equal("abc\n", s)
+      }
+    end
+
+    ractor
+    def test_ractor_set_params
+      # We cannot actually test default stores in the test suite as it depends
+      # on the environment, but at least check that it does not raise an
+      # exception
+      ok = Ractor.new {
+        ctx = OpenSSL::SSL::SSLContext.new
+        ctx.set_params
+        ctx.cert_store.kind_of?(OpenSSL::X509::Store)
+      }.value
+      assert(ok, "ctx.cert_store is an instance of OpenSSL::X509::Store")
+    end
+  end
+
   private
 
   def server_connect(port, ctx = nil)
