openssl support

[neurosnap]

Thanks for the library! I'm not able to get openssl to work, does anyone have any thoughts?

{
  description = "development environment";
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.05";
    flake-utils.url = "github:numtide/flake-utils";
    nixpkgs-ruby.url = "github:bobvanderlinden/nixpkgs-ruby";
    nixpkgs-ruby.inputs.nixpkgs.follows = "nixpkgs";
  };
  outputs = { self, nixpkgs, flake-utils, nixpkgs-ruby }:
    flake-utils.lib.eachDefaultSystem (system:
      let
        pkgs = nixpkgs.legacyPackages.${system};
        ruby = nixpkgs-ruby.lib.mkRuby { inherit pkgs; rubyVersion = "2.2.10"; };
        bundler = pkgs.buildRubyGem rec {
          inherit ruby;
          name = "${gemName}-${version}";
          gemName = "bundler";
          version = "1.17.3";
          source = {
            remotes = ["https://rubygems.org"];
            sha256 = "sha256-vEv3W1SLJ0UaqfRDsYxGpzndIq1596X5C0hTdqZ9w1I=";
            type = "gem";
          };
        };
      in {
        devShell = pkgs.mkShell {
          buildInputs = [
            ruby
            bundler
          ];
        };
      });
}

Could not load OpenSSL.
You must recompile Ruby with OpenSSL support or change the sources in your Gemfile from 'https' to 'http'. Instructions for compiling with OpenSSL using RVM are available at rvm.io/packages/openssl.

[purcell]

With the older Rubies, they don't work with openssl >= 1.0, and nixpkgs now defaults to 1.1, which is not backwards-compatible. I think what happens is that the configure script of the ruby therefore fails to detect a working openssl, and quietly skips building it.

A couple of years ago, before the switch in nix file structure to use flakes, I worked around this by overriding the openssl version, but since then the older openssl has been completely removed from nixpkgs. Patches exist for the old Ruby code so that they will support the newer openssl, but I can't for the life of me figure out how to include them in the rubies built by mkRuby. Any pointers, @bobvanderlinden?

[bobvanderlinden]

You can use overrideAttrs. Something like:

(mkRuby { inherit pkgs; rubyVersion = "1.2.3"; }).overrideAttrs {
  patches = [ ./mypatch.patch ];
}

That said, I'm interested in those patches. I could add them in the repo for specific ranges of versions. Do you have a link where I can find them?

[purcell]

Huh, thanks, I thought I'd tried exactly that, but must have messed something up. 🙏

I'll report back when I've had chance to fiddle with this and see if I can confirm a working patch.

[purcell]

BTW, this PR to RVM has a comprehensive set of openssl compatibility patches for various versions of Ruby: rvm/rvm#5248

The patch for 2.2.x there is the same as one I found elsewhere, but doesn't seem to apply cleanly to 2.2.10 via nixpkgs-ruby, so I need to look into whether it just needs more fuzziness, or some actual edits. I can see value in incorporating these patches here — otherwise I think any Ruby < 2.4 will fail to have openssl support.

I had to do something similar when assembling a set of old Emacs versions for CI testing (https://github.com/purcell/nix-emacs-ci/) — to just satisfy basic usability with modern nixpkgs, a few small compatibility/backport patches were the practical choice.

[domenkozar]

Fixed in master?

[purcell]

Fixed in master?

No, I think that's a separate issue: it seems to fix Ruby 3 not building with OpenSSL > 1.1.

This particular report is about Ruby < 2.4 not building with OpenSSL > 1.0, which is still the case.

[bobvanderlinden]

This problem shouldn't happen anymore. In #23, overrides were introduced that allows making changes to the Ruby derivation based on version ranges. OpenSSL1.1 is now only applied to those versions that failed to build otherwise. In addition, there is now CI running that check whether versions are still able to build.

Could you check whether this is still a problem for you?

[purcell]

@bobvanderlinden Could you clarify what you'd expect to be different now? Even without #23, the old versions built — they just silently had no OpenSSL support, because the unpatched source isn't compatible with any OpenSSL available in nixpkgs.

[bobvanderlinden]

Could you clarify what you'd expect to be different now?

I see what you mean. Older Ruby versions are expecting OpenSSL 1.0 and do not support OpenSSL 1.1 nor OpenSSL 3.0. OpenSSL 1.0 is not in nixpkgs anymore, so the Ruby source needs to be patched.

#23 merely makes sure Ruby versions that did not support OpenSSL 3.0 would use OpenSSL 1.1.

rvm/rvm#5248 does look like the right solution. Might be good to wait for it to be merged before trying to apply it to all applicable Ruby versions.

[purcell]

Yes, exactly. In practice, as I noted above, the patch in that RVM PR for Ruby 2.2.x didn't apply to 2.2.10 when I tried it, so I'm not sure I hold out much hope that a working set of patches is viable. (Perhaps I messed something up, but I don't think so.)

[trevorfoxsoft]

I'm strangely having this error despite being on Ruby 3.0.4. My devenv.nix is below, and extremely basic. I've tried adding openssl to the package list to no avail. What's going on here?

{ pkgs, ... }:

{
  languages.ruby.enable = true;
  languages.ruby.versionFile = ./.ruby-version;

  # Packages to install
  packages = with pkgs; [
    git
  ];

  services.postgres.enable = true;
}

[bobvanderlinden]

@trevorfoxsoft could you also post your devenv.yaml?

[trevorfoxsoft]

@trevorfoxsoft could you also post your devenv.yaml?

Of course, it's just as bare:

inputs:
  nixpkgs:
    url: github:NixOS/nixpkgs/nixpkgs-unstable
  nixpkgs-ruby:
    url: github:bobvanderlinden/nixpkgs-ruby

[trevorfoxsoft]

Still struggling with this one—is there any more info I can provide or any suggestions to explore?

[socherbyc]

@trevorfoxsof For now, I am overriding openssl version:

{ pkgs, nixpkgs-ruby, ... }:

{
  languages.ruby.enable = true;
  languages.ruby.package = (nixpkgs-ruby.lib.packageFromRubyVersionFile {
    file = ./.ruby-version;
    system = pkgs.stdenv.system;
  }).override { openssl = pkgs.openssl_1_1; };

  # Packages to install
  packages = with pkgs; [
    git
  ];

  services.postgres.enable = true;
}

[bobvanderlinden]

#71 fixes the issue with Ruby 3.0.x not having openssl available. There are now tests available that check for require 'openssl' succeeding.

OpenSSL is still a problem for Ruby <2.4. The patches for RVM were merged, so I thought I'd give them a try as well. It did not really help. There seems to still be a problem during configurePhase. configure outputs Failed to configure openssl. It will not be installed., but no further information. I haven't bothered looking into this too much, as these versions seem insecure.

I want to suggest to look into https://lazamar.co.uk/nix-versions/?channel=nixpkgs-unstable&package=ruby for really old Ruby versions. With an older nixpkgs it'll use openssl 1.0 or even 0.9.x.