import ruby-3.0.7-162.el9_4

3 months ago · ab382aa31d
parent be15eb9b91
commit ab382aa31d
27 changed files with 960 additions and 126 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/ruby-3.0.4.tar.xz
+SOURCES/ruby-3.0.7.tar.xz
--- a/.ruby.metadata
+++ b/.ruby.metadata
@ -1 +1 @@
-14461adca874d42a06a11851029dec877d9d28de SOURCES/ruby-3.0.4.tar.xz
+efc97e609868a19f89653068c4915c162117b721 SOURCES/ruby-3.0.7.tar.xz
--- a/SOURCES/ruby-2.1.0-Enable-configuration-of-archlibdir.patch
+++ b/SOURCES/ruby-2.1.0-Enable-configuration-of-archlibdir.patch
@ -11,7 +11,7 @@ diff --git a/configure.ac b/configure.ac
 index d261ea57b5..3c13076b82 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -3240,6 +3240,11 @@ AS_IF([test ${multiarch+set}], [
+@@ -3267,6 +3267,11 @@ AS_IF([test ${multiarch+set}], [
 ])
 archlibdir='${libdir}/${arch}'
--- a/SOURCES/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch
+++ b/SOURCES/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch
@ -14,7 +14,7 @@ diff --git a/configure.ac b/configure.ac
 index c42436c23d..d261ea57b5 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -3881,7 +3881,8 @@ AS_CASE(["$ruby_version_dir_name"],
+@@ -3913,7 +3913,8 @@ AS_CASE(["$ruby_version_dir_name"],
 ruby_version_dir=/'${ruby_version_dir_name}'
 if test -z "${ruby_version_dir_name}"; then
--- a/SOURCES/ruby-2.1.0-always-use-i386.patch
+++ b/SOURCES/ruby-2.1.0-always-use-i386.patch
@ -11,7 +11,7 @@ diff --git a/configure.ac b/configure.ac
 index 3c13076b82..93af30321d 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -3945,6 +3945,8 @@ AC_SUBST(vendorarchdir)dnl
+@@ -3977,6 +3977,8 @@ AC_SUBST(vendorarchdir)dnl
 AC_SUBST(CONFIGURE, "`echo $0 | sed 's|.*/||'`")dnl
 AC_SUBST(configure_args, "`echo "${ac_configure_args}" | sed 's/\\$/$$/g'`")dnl
--- a/SOURCES/ruby-2.1.0-custom-rubygems-location.patch
+++ b/SOURCES/ruby-2.1.0-custom-rubygems-location.patch
@ -15,7 +15,7 @@ diff --git a/configure.ac b/configure.ac
 index 93af30321d..bc13397e0e 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -3917,6 +3917,10 @@ AC_ARG_WITH(vendorarchdir,
+@@ -3949,6 +3949,10 @@ AC_ARG_WITH(vendorarchdir,
             [vendorarchdir=$withval],
             [vendorarchdir=${multiarch+'${rubysitearchprefix}/vendor_ruby'${ruby_version_dir}}${multiarch-'${vendorlibdir}/${sitearch}'}])
@ -26,7 +26,7 @@ index 93af30321d..bc13397e0e 100644
 AS_IF([test "${LOAD_RELATIVE+set}"], [
     AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE)
     RUBY_EXEC_PREFIX=''
-@@ -3941,6 +3945,7 @@ AC_SUBST(sitearchdir)dnl
+@@ -3973,6 +3977,7 @@ AC_SUBST(sitearchdir)dnl
 AC_SUBST(vendordir)dnl
 AC_SUBST(vendorlibdir)dnl
 AC_SUBST(vendorarchdir)dnl
--- a/SOURCES/ruby-2.3.0-ruby_version.patch
+++ b/SOURCES/ruby-2.3.0-ruby_version.patch
@ -20,7 +20,7 @@ diff --git a/configure.ac b/configure.ac
 index 80b137e380..63cd3b4f8b 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -3832,9 +3832,6 @@ AS_CASE(["$target_os"],
+@@ -3864,9 +3864,6 @@ AS_CASE(["$target_os"],
     rubyw_install_name='$(RUBYW_INSTALL_NAME)'
     ])
@ -30,7 +30,7 @@ index 80b137e380..63cd3b4f8b 100644
 rubyarchprefix=${multiarch+'${archlibdir}/${RUBY_BASE_NAME}'}${multiarch-'${rubylibprefix}/${arch}'}
 AC_ARG_WITH(rubyarchprefix,
 	    AS_HELP_STRING([--with-rubyarchprefix=DIR],
-@@ -3857,56 +3854,62 @@ AC_ARG_WITH(ridir,
+@@ -3889,56 +3886,62 @@ AC_ARG_WITH(ridir,
 AC_SUBST(ridir)
 AC_SUBST(RI_BASE_NAME)
@ -120,7 +120,7 @@ index 80b137e380..63cd3b4f8b 100644
 AS_IF([test "${LOAD_RELATIVE+set}"], [
     AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE)
-@@ -3923,6 +3926,7 @@ AC_SUBST(sitearchincludedir)dnl
+@@ -3955,6 +3958,7 @@ AC_SUBST(sitearchincludedir)dnl
 AC_SUBST(arch)dnl
 AC_SUBST(sitearch)dnl
 AC_SUBST(ruby_version)dnl
--- a/SOURCES/ruby-2.7.0-Initialize-ABRT-hook.patch
+++ b/SOURCES/ruby-2.7.0-Initialize-ABRT-hook.patch
@ -57,7 +57,7 @@ diff --git a/ruby.c b/ruby.c
 index 60c57d6259..1eec16f2c8 100644
 --- a/ruby.c
 +++ b/ruby.c
-@@ -1489,10 +1489,14 @@ proc_options(long argc, char **argv, ruby_cmdline_options_t *opt, int envopt)
+@@ -1501,10 +1501,14 @@ proc_options(long argc, char **argv, ruby_cmdline_options_t *opt, int envopt)
 void Init_builtin_features(void);
--- a/SOURCES/ruby-3.0.3-ext-openssl-extconf.rb-require-OpenSSL-version-1.0.1.patch
+++ b/SOURCES/ruby-3.0.3-ext-openssl-extconf.rb-require-OpenSSL-version-1.0.1.patch
@ -1,84 +0,0 @@
 From 202ff1372a40a8adf9aac74bfe8a39141b0c57e5 Mon Sep 17 00:00:00 2001
 From: Kazuki Yamaguchi <k@rhe.jp>
 Date: Mon, 27 Sep 2021 00:38:38 +0900
 Subject: [PATCH] ext/openssl/extconf.rb: require OpenSSL version >= 1.0.1, < 3
 Ruby/OpenSSL 2.1.x and 2.2.x will not support OpenSSL 3.0 API. Let's
 make extconf.rb explicitly check the version number to be within the
 acceptable range, since it will not compile anyway.
 Reference: https://bugs.ruby-lang.org/issues/18192
 ---
 ext/openssl/extconf.rb | 43 ++++++++++++++++++++++++------------------
 1 file changed, 25 insertions(+), 18 deletions(-)
 diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
 index 264130bb..7e817ae2 100644
 --- a/ext/openssl/extconf.rb
 +++ b/ext/openssl/extconf.rb
@@ -33,9 +33,6 @@
   have_library("ws2_32")
 end
 -Logging::message "=== Checking for required stuff... ===\n"
 -result = pkg_config("openssl") && have_header("openssl/ssl.h")
 -
 if $mingw
   append_cflags '-D_FORTIFY_SOURCE=2'
   append_ldflags '-fstack-protector'
@@ -92,19 +89,33 @@ def find_openssl_library
   return false
 end
 -unless result
 -  unless find_openssl_library
 -    Logging::message "=== Checking for required stuff failed. ===\n"
 -    Logging::message "Makefile wasn't created. Fix the errors above.\n"
 -    raise "OpenSSL library could not be found. You might want to use " \
 -      "--with-openssl-dir=<dir> option to specify the prefix where OpenSSL " \
 -      "is installed."
 -  end
 +Logging::message "=== Checking for required stuff... ===\n"
 +pkg_config_found = pkg_config("openssl") && have_header("openssl/ssl.h")
 +
 +if !pkg_config_found && !find_openssl_library
 +  Logging::message "=== Checking for required stuff failed. ===\n"
 +  Logging::message "Makefile wasn't created. Fix the errors above.\n"
 +  raise "OpenSSL library could not be found. You might want to use " \
 +    "--with-openssl-dir=<dir> option to specify the prefix where OpenSSL " \
 +    "is installed."
 end
 -unless checking_for("OpenSSL version is 1.0.1 or later") {
 -    try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10001000L", "openssl/opensslv.h") }
 -  raise "OpenSSL >= 1.0.1 or LibreSSL is required"
 +version_ok = if have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h")
 +  is_libressl = true
 +  checking_for("LibreSSL version >= 2.5.0") {
 +    try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x20500000L", "openssl/opensslv.h") }
 +else
 +  checking_for("OpenSSL version >= 1.0.1 and < 3.0.0") {
 +    try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10001000L", "openssl/opensslv.h") &&
 +    !try_static_assert("OPENSSL_VERSION_MAJOR >= 3", "openssl/opensslv.h") }
 +end
 +unless version_ok
 +  raise "OpenSSL >= 1.0.1, < 3.0.0 or LibreSSL >= 2.5.0 is required"
 +end
 +
 +# Prevent wincrypt.h from being included, which defines conflicting macro with openssl/x509.h
 +if is_libressl && ($mswin || $mingw)
 +  $defs.push("-DNOCRYPT")
 end
 Logging::message "=== Checking for OpenSSL features... ===\n"
@@ -116,10 +127,6 @@ def find_openssl_library
   have_func("ENGINE_load_#{name}()", "openssl/engine.h")
 }
 -if ($mswin || $mingw) && have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h")
 -  $defs.push("-DNOCRYPT")
 -end
 -
 # added in 1.0.2
 have_func("EC_curve_nist2nid")
 have_func("X509_REVOKED_dup")
--- a/SOURCES/ruby-3.1.0-Get-rid-of-type-punning-pointer-casts.patch
+++ b/SOURCES/ruby-3.1.0-Get-rid-of-type-punning-pointer-casts.patch
@ -123,7 +123,7 @@ index 016dba1dbb18..1fd0bd57f7ca 100644
                 RB_DEBUG_COUNTER_INC(cc_invalidate_negative);
             }
-@@ -1023,6 +1025,7 @@ prepare_callable_method_entry(VALUE defined_class, ID id, const rb_method_entry_
+@@ -1030,6 +1032,7 @@ prepare_callable_method_entry(VALUE defined_class, ID id, const rb_method_entry_
 {
     struct rb_id_table *mtbl;
     const rb_callable_method_entry_t *cme;
@ -131,7 +131,7 @@ index 016dba1dbb18..1fd0bd57f7ca 100644
     if (me) {
         if (me->defined_class == 0) {
-@@ -1032,7 +1035,8 @@ prepare_callable_method_entry(VALUE defined_class, ID id, const rb_method_entry_
+@@ -1039,7 +1042,8 @@ prepare_callable_method_entry(VALUE defined_class, ID id, const rb_method_entry_
             mtbl = RCLASS_CALLABLE_M_TBL(defined_class);
@ -141,7 +141,7 @@ index 016dba1dbb18..1fd0bd57f7ca 100644
                 RB_DEBUG_COUNTER_INC(mc_cme_complement_hit);
                 VM_ASSERT(callable_method_entry_p(cme));
                 VM_ASSERT(!METHOD_ENTRY_INVALIDATED(cme));
-@@ -1076,9 +1080,10 @@ cached_callable_method_entry(VALUE klass, ID mid)
+@@ -1083,9 +1087,10 @@ cached_callable_method_entry(VALUE klass, ID mid)
     ASSERT_vm_locking();
     struct rb_id_table *cc_tbl = RCLASS_CC_TBL(klass);
@ -154,7 +154,7 @@ index 016dba1dbb18..1fd0bd57f7ca 100644
         VM_ASSERT(vm_ccs_p(ccs));
         if (LIKELY(!METHOD_ENTRY_INVALIDATED(ccs->cme))) {
-@@ -1104,12 +1109,14 @@ cache_callable_method_entry(VALUE klass, ID mid, const rb_callable_method_entry_
+@@ -1111,12 +1116,14 @@ cache_callable_method_entry(VALUE klass, ID mid, const rb_callable_method_entry_
     struct rb_id_table *cc_tbl = RCLASS_CC_TBL(klass);
     struct rb_class_cc_entries *ccs;
@ -170,7 +170,7 @@ index 016dba1dbb18..1fd0bd57f7ca 100644
         VM_ASSERT(ccs->cme == cme);
     }
     else {
-@@ -1123,8 +1130,12 @@ negative_cme(ID mid)
+@@ -1130,8 +1137,12 @@ negative_cme(ID mid)
 {
     rb_vm_t *vm = GET_VM();
     const rb_callable_method_entry_t *cme;
--- a/SOURCES/ruby-3.1.0-Migrate-from-the-low-level-HMAC-API-to-the-EVP-API.patch
+++ b/SOURCES/ruby-3.1.0-Migrate-from-the-low-level-HMAC-API-to-the-EVP-API.patch
@ -52,7 +52,7 @@ diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
 index 693e55cd9..063498a76 100644
 --- a/ext/openssl/extconf.rb
 +++ b/ext/openssl/extconf.rb
-@@ -141,8 +141,7 @@ def find_openssl_library
+@@ -148,8 +148,7 @@ def find_openssl_library
 have_func("BN_GENCB_get_arg")
 have_func("EVP_MD_CTX_new")
 have_func("EVP_MD_CTX_free")
--- a/SOURCES/ruby-3.1.0-Miscellaneous-changes-for-OpenSSL-3.0-support.patch
+++ b/SOURCES/ruby-3.1.0-Miscellaneous-changes-for-OpenSSL-3.0-support.patch
@ -58,7 +58,7 @@ diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
 index 17d93443fc..09cae05b72 100644
 --- a/ext/openssl/extconf.rb
 +++ b/ext/openssl/extconf.rb
-@@ -165,7 +165,7 @@ def find_openssl_library
+@@ -172,7 +172,7 @@ def find_openssl_library
 have_func("TS_STATUS_INFO_get0_status")
 have_func("TS_STATUS_INFO_get0_text")
 have_func("TS_STATUS_INFO_get0_failure_info")
@ -67,7 +67,7 @@ index 17d93443fc..09cae05b72 100644
 have_func("TS_VERIFY_CTX_set_store")
 have_func("TS_VERIFY_CTX_add_flags")
 have_func("TS_RESP_CTX_set_time_cb")
-@@ -174,6 +174,9 @@ def find_openssl_library
+@@ -181,6 +181,9 @@ def find_openssl_library
 # added in 1.1.1
 have_func("EVP_PKEY_check")
@ -164,7 +164,7 @@ diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
 index 98f96afe..842b7f5b 100644
 --- a/ext/openssl/extconf.rb
 +++ b/ext/openssl/extconf.rb
-@@ -177,6 +177,7 @@ def find_openssl_library
+@@ -184,6 +184,7 @@ def find_openssl_library
 # added in 3.0.0
 have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", "openssl/ts.h")
@ -249,7 +249,7 @@ diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
 index 842b7f5b..d9d34b7c 100644
 --- a/ext/openssl/extconf.rb
 +++ b/ext/openssl/extconf.rb
-@@ -178,6 +178,7 @@ def find_openssl_library
+@@ -185,6 +185,7 @@ def find_openssl_library
 # added in 3.0.0
 have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", "openssl/ts.h")
 have_func("EVP_MD_CTX_get0_md")
--- a/SOURCES/ruby-3.1.0-Use-EVP-API-in-more-places.patch
+++ b/SOURCES/ruby-3.1.0-Use-EVP-API-in-more-places.patch
@ -698,7 +698,7 @@ diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
 index b3c6647faf..17d93443fc 100644
 --- a/ext/openssl/extconf.rb
 +++ b/ext/openssl/extconf.rb
-@@ -172,6 +172,9 @@ def find_openssl_library
+@@ -179,6 +179,9 @@ def find_openssl_library
 have_func("EVP_PBE_scrypt")
 have_func("SSL_CTX_set_post_handshake_auth")
--- a/SOURCES/ruby-3.1.0-Use-high-level-EVP-interface-to-generate-parameters-and-keys.patch
+++ b/SOURCES/ruby-3.1.0-Use-high-level-EVP-interface-to-generate-parameters-and-keys.patch
@ -965,7 +965,7 @@ diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
 index 693e55cd97..b3c6647faf 100644
 --- a/ext/openssl/extconf.rb
 +++ b/ext/openssl/extconf.rb
-@@ -136,9 +136,6 @@ def find_openssl_library
+@@ -143,9 +143,6 @@ def find_openssl_library
   $defs.push("-DHAVE_OPAQUE_OPENSSL")
 end
 have_func("CRYPTO_lock") || $defs.push("-DHAVE_OPENSSL_110_THREADING_API")
--- a/SOURCES/ruby-3.1.0-Use-mmap-for-allocating-heap-pages-in-the-GC.patch
+++ b/SOURCES/ruby-3.1.0-Use-mmap-for-allocating-heap-pages-in-the-GC.patch
@ -13,7 +13,7 @@ diff --git a/configure.ac b/configure.ac
 index 2dcebdde9f..b1b190004d 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1944,6 +1944,7 @@ AC_CHECK_FUNCS(memmem)
+@@ -1952,6 +1952,7 @@ AC_CHECK_FUNCS(memmem)
 AC_CHECK_FUNCS(mkfifo)
 AC_CHECK_FUNCS(mknod)
 AC_CHECK_FUNCS(mktime)
@ -21,7 +21,7 @@ index 2dcebdde9f..b1b190004d 100644
 AC_CHECK_FUNCS(openat)
 AC_CHECK_FUNCS(pipe2)
 AC_CHECK_FUNCS(poll)
-@@ -2666,6 +2667,21 @@ main(int argc, char *argv[])
+@@ -2674,6 +2675,21 @@ main(int argc, char *argv[])
 	rb_cv_fork_with_pthread=yes)])
     test x$rb_cv_fork_with_pthread = xyes || AC_DEFINE(CANNOT_FORK_WITH_PTHREAD)
 ])
--- a/SOURCES/ruby-3.1.2-ossl-tests-replace-sha1.patch
+++ b/SOURCES/ruby-3.1.2-ossl-tests-replace-sha1.patch
@ -2,7 +2,7 @@ diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
 index fedcb93..53ad621 100644
 --- a/ext/openssl/extconf.rb
 +++ b/ext/openssl/extconf.rb
-@@ -174,6 +174,7 @@ have_func("SSL_CTX_set_post_handshake_auth")
+@@ -181,6 +181,7 @@ have_func("SSL_CTX_set_post_handshake_auth")
 # added in 1.1.1
 have_func("EVP_PKEY_check")
--- a/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-enable-tests.patch
+++ b/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-enable-tests.patch
@ -0,0 +1,32 @@
 From f0b254f1f6610294821bbfc06b414d2af452db5b Mon Sep 17 00:00:00 2001
 From: Jun Aruga <jaruga@redhat.com>
 Date: Thu, 13 Apr 2023 17:28:27 +0200
 Subject: [PATCH] [ruby/openssl] Drop a common logic disabling the FIPS mode in
 the tests.
 We want to run the unit tests in the FIPS mode too.
 https://github.com/ruby/openssl/commit/ab92baff34
 ---
 test/openssl/utils.rb | 5 -----
 1 file changed, 5 deletions(-)
 diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
 index 4ebcb9837b..8a0be0d154 100644
 --- a/test/openssl/utils.rb
 +++ b/test/openssl/utils.rb
@@ -1,11 +1,6 @@
 # frozen_string_literal: true
 begin
   require "openssl"
 -
 -  # Disable FIPS mode for tests for installations
 -  # where FIPS mode would be enabled by default.
 -  # Has no effect on all other installations.
 -  OpenSSL.fips_mode=false
 rescue LoadError
 end
 -- 
 2.41.0
--- a/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-dh-require-openssl.patch
+++ b/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-dh-require-openssl.patch
@ -0,0 +1,73 @@
 From b6d7cdc2bad0eadbca73f3486917f0ec7a475814 Mon Sep 17 00:00:00 2001
 From: Kazuki Yamaguchi <k@rhe.jp>
 Date: Tue, 29 Aug 2023 19:46:02 +0900
 Subject: [PATCH] [ruby/openssl] ssl: use ffdhe2048 from RFC 7919 as the
 default DH group parameters
 In TLS 1.2 or before, if DH group parameters for DHE are not supplied
 with SSLContext#tmp_dh= or #tmp_dh_callback=, we currently use the
 self-generated parameters added in commit https://github.com/ruby/openssl/commit/bb3399a61c03 ("support 2048
 bit length DH-key", 2016-01-15) as the fallback.
 While there is no known weakness in the current parameters, it would be
 a good idea to switch to pre-defined, more well audited parameters.
 This also allows the fallback to work in the FIPS mode.
 The PEM encoding was derived with:
 	# RFC 7919 Appendix A.1. ffdhe2048
 	print OpenSSL::PKey.read(OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer((<<-END).split.join.to_i(16)), OpenSSL::ASN1::Integer(2)]).to_der).to_pem
 	    FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1
 	    D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9
 	    7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561
 	    2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935
 	    984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735
 	    30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB
 	    B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19
 	    0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61
 	    9172FE9C E98583FF 8E4F1232 EEF28183 C3FE3B1B 4C6FAD73
 	    3BB5FCBC 2EC22005 C58EF183 7D1683B2 C6F34A26 C1B2EFFA
 	    886B4238 61285C97 FFFFFFFF FFFFFFFF
 	END
 https://github.com/ruby/openssl/commit/a5527cb4f4
 ---
 ext/openssl/lib/openssl/ssl.rb | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
 diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb
 index ea8bb2a18e533..94be6ba80b894 100644
 --- a/ext/openssl/lib/openssl/ssl.rb
 +++ b/ext/openssl/lib/openssl/ssl.rb
@@ -31,21 +31,21 @@ class SSLContext
       }
       if defined?(OpenSSL::PKey::DH)
 -        DEFAULT_2048 = OpenSSL::PKey::DH.new <<-_end_of_pem_
 +        DH_ffdhe2048 = OpenSSL::PKey::DH.new <<-_end_of_pem_
 -----BEGIN DH PARAMETERS-----
 -MIIBCAKCAQEA7E6kBrYiyvmKAMzQ7i8WvwVk9Y/+f8S7sCTN712KkK3cqd1jhJDY
 -JbrYeNV3kUIKhPxWHhObHKpD1R84UpL+s2b55+iMd6GmL7OYmNIT/FccKhTcveab
 -VBmZT86BZKYyf45hUF9FOuUM9xPzuK3Vd8oJQvfYMCd7LPC0taAEljQLR4Edf8E6
 -YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
 -1bNveX5wInh5GDx1FGhKBZ+s1H+aedudCm7sCgRwv8lKWYGiHzObSma8A86KG+MD
 -7Lo5JquQ3DlBodj3IDyPrxIv96lvRPFtAwIBAg==
 +MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
 ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
 +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
 +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
 +ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
 -----END DH PARAMETERS-----
         _end_of_pem_
 -        private_constant :DEFAULT_2048
 +        private_constant :DH_ffdhe2048
         DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen| # :nodoc:
           warn "using default DH parameters." if $VERBOSE
 -          DEFAULT_2048
 +          DH_ffdhe2048
         }
       end
--- a/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch
+++ b/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch
@ -0,0 +1,160 @@
 From 40451afa279c52ce7a508f8a9ec553cfe7a76a10 Mon Sep 17 00:00:00 2001
 From: Jun Aruga <jaruga@redhat.com>
 Date: Wed, 12 Apr 2023 17:15:21 +0200
 Subject: [PATCH] Fix OpenSSL::PKey.read in OpenSSL 3 FIPS module.
 This is a combination of the following 2 commits. Because the combined patch is
 easy to merge.
 This is the 1st commit message:
 [ruby/openssl] Workaround: Fix OpenSSL::PKey.read that cannot parse PKey in the FIPS mode.
 This commit is a workaround to avoid the error below that the
 `OpenSSL::PKey.read` fails with the OpenSSL 3.0 FIPS mode.
 ```
 $ openssl genrsa -out key.pem 4096
 $ ruby -e "require 'openssl'; OpenSSL::PKey.read(File.read('key.pem'))"
 -e:1:in `read': Could not parse PKey (OpenSSL::PKey::PKeyError)
  from -e:1:in `<main>'
 ```
 The root cause is on the OpenSSL side. The `OSSL_DECODER_CTX_set_selection`
 doesn't apply the selection value properly if there are multiple providers, and
 a provider (e.g.  "base" provider) handles the decoder implementation, and
 another provider (e.g. "fips" provider) handles the keys.
 The workaround is to create `OSSL_DECODER_CTX` variable each time without using
 the `OSSL_DECODER_CTX_set_selection`.
 https://github.com/ruby/openssl/commit/5ff4a31621
 This is the commit message #2:
 [ruby/openssl] ossl_pkey.c: Workaround: Decode with non-zero selections.
 This is a workaround for the decoding issue in ossl_pkey_read_generic().
 The issue happens in the case that a key management provider is different from
 a decoding provider.
 Try all the non-zero selections in order, instead of selection 0 for OpenSSL 3
 to avoid the issue.
 https://github.com/ruby/openssl/commit/db688fa739
 ---
 ext/openssl/ossl_pkey.c | 78 ++++++++++++++++++++++++++++++++++++++---
 1 file changed, 73 insertions(+), 5 deletions(-)
 diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
 index 24d0da4683..15854aeca1 100644
 --- a/ext/openssl/ossl_pkey.c
 +++ b/ext/openssl/ossl_pkey.c
@@ -81,18 +81,20 @@ ossl_pkey_new(EVP_PKEY *pkey)
 #if OSSL_OPENSSL_PREREQ(3, 0, 0)
 # include <openssl/decoder.h>
 -EVP_PKEY *
 -ossl_pkey_read_generic(BIO *bio, VALUE pass)
 +static EVP_PKEY *
 +ossl_pkey_read(BIO *bio, const char *input_type, int selection, VALUE pass)
 {
     void *ppass = (void *)pass;
     OSSL_DECODER_CTX *dctx;
     EVP_PKEY *pkey = NULL;
     int pos = 0, pos2;
 -    dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "DER", NULL, NULL, 0, NULL, NULL);
 +    dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, input_type, NULL, NULL,
 +                                         selection, NULL, NULL);
     if (!dctx)
         goto out;
 -    if (OSSL_DECODER_CTX_set_pem_password_cb(dctx, ossl_pem_passwd_cb, ppass) != 1)
 +    if (OSSL_DECODER_CTX_set_pem_password_cb(dctx, ossl_pem_passwd_cb,
 +                                             ppass) != 1)
         goto out;
     /* First check DER */
@@ -111,11 +113,77 @@ ossl_pkey_read_generic(BIO *bio, VALUE pass)
             goto out;
         pos = pos2;
     }
 -
   out:
 +    OSSL_BIO_reset(bio);
     OSSL_DECODER_CTX_free(dctx);
     return pkey;
 }
 +
 +EVP_PKEY *
 +ossl_pkey_read_generic(BIO *bio, VALUE pass)
 +{
 +    EVP_PKEY *pkey = NULL;
 +    /* First check DER, then check PEM. */
 +    const char *input_types[] = {"DER", "PEM"};
 +    int input_type_num = (int)(sizeof(input_types) / sizeof(char *));
 +    /*
 +     * Non-zero selections to try to decode.
 +     *
 +     * See EVP_PKEY_fromdata(3) - Selections to see all the selections.
 +     *
 +     * This is a workaround for the decoder failing to decode or returning
 +     * bogus keys with selection 0, if a key management provider is different
 +     * from a decoder provider. The workaround is to avoid using selection 0.
 +     *
 +     * Affected OpenSSL versions: >= 3.1.0, <= 3.1.2, or >= 3.0.0, <= 3.0.10
 +     * Fixed OpenSSL versions: 3.2, next release of the 3.1.z and 3.0.z
 +     *
 +     * See https://github.com/openssl/openssl/pull/21519 for details.
 +     *
 +     * First check for private key formats (EVP_PKEY_KEYPAIR). This is to keep
 +     * compatibility with ruby/openssl < 3.0 which decoded the following as a
 +     * private key.
 +     *
 +     *     $ openssl ecparam -name prime256v1 -genkey -outform PEM
 +     *     -----BEGIN EC PARAMETERS-----
 +     *     BggqhkjOPQMBBw==
 +     *     -----END EC PARAMETERS-----
 +     *     -----BEGIN EC PRIVATE KEY-----
 +     *     MHcCAQEEIAG8ugBbA5MHkqnZ9ujQF93OyUfL9tk8sxqM5Wv5tKg5oAoGCCqGSM49
 +     *     AwEHoUQDQgAEVcjhJfkwqh5C7kGuhAf8XaAjVuG5ADwb5ayg/cJijCgs+GcXeedj
 +     *     86avKpGH84DXUlB23C/kPt+6fXYlitUmXQ==
 +     *     -----END EC PRIVATE KEY-----
 +     *
 +     * While the first PEM block is a proper encoding of ECParameters, thus
 +     * OSSL_DECODER_from_bio() would pick it up, ruby/openssl used to return
 +     * the latter instead. Existing applications expect this behavior.
 +     *
 +     * Note that normally, the input is supposed to contain a single decodable
 +     * PEM block only, so this special handling should not create a new problem.
 +     *
 +     * Note that we need to create the OSSL_DECODER_CTX variable each time when
 +     * we use the different selection as a workaround.
 +     * See https://github.com/openssl/openssl/issues/20657 for details.
 +     */
 +    int selections[] = {
 +        EVP_PKEY_KEYPAIR,
 +        EVP_PKEY_KEY_PARAMETERS,
 +        EVP_PKEY_PUBLIC_KEY
 +    };
 +    int selection_num = (int)(sizeof(selections) / sizeof(int));
 +    int i, j;
 +
 +    for (i = 0; i < input_type_num; i++) {
 +        for (j = 0; j < selection_num; j++) {
 +            pkey = ossl_pkey_read(bio, input_types[i], selections[j], pass);
 +            if (pkey) {
 +                goto out;
 +            }
 +        }
 +    }
 +  out:
 +    return pkey;
 +}
 #else
 EVP_PKEY *
 ossl_pkey_read_generic(BIO *bio, VALUE pass)
 -- 
 2.41.0
--- a/SOURCES/ruby-3.3.0-openssl-3.2.0-fix-fips-get-set-in-openssl-3.patch
+++ b/SOURCES/ruby-3.3.0-openssl-3.2.0-fix-fips-get-set-in-openssl-3.patch
@ -0,0 +1,142 @@
 From 29920ec109751459a65c6478525f2e59c644891f Mon Sep 17 00:00:00 2001
 From: Jun Aruga <jaruga@redhat.com>
 Date: Thu, 16 Mar 2023 21:36:43 +0100
 Subject: [PATCH] [ruby/openssl] Implement FIPS functions on OpenSSL 3.
 This commit is to implement the `OpenSSL::OPENSSL_FIPS`, `ossl_fips_mode_get`
 and `ossl_fips_mode_set` to pass the test `test/openssl/test_fips.rb`.
 It seems that the `OPENSSL_FIPS` macro is not used on the FIPS mode case any
 more, and some FIPS related APIs also were removed in OpenSSL 3.
 See the document <https://github.com/openssl/openssl/blob/master/doc/man7/migration_guide.pod#removed-fips_mode-and-fips_mode_set>
 the section OPENSSL 3.0 > Main Changes from OpenSSL 1.1.1 >
 Other notable deprecations and changes - Removed FIPS_mode() and FIPS_mode_set() .
 The `OpenSSL::OPENSSL_FIPS` returns always true in OpenSSL 3 because the used
 functions `EVP_default_properties_enable_fips` and `EVP_default_properties_is_fips_enabled`
 works with the OpenSSL installed without FIPS option.
 The `TEST_RUBY_OPENSSL_FIPS_ENABLED` is set on the FIPS mode case on the CI.
 Because I want to test that the `OpenSSL.fips_mode` returns the `true` or
 'false' surely in the CI. You can test the FIPS mode case by setting
 `TEST_RUBY_OPENSSL_FIPS_ENABLED` on local too. Right now I don't find a better
 way to get the status of the FIPS mode enabled or disabled for this purpose. I
 am afraid of the possibility that the FIPS test case is unintentionally skipped.
 I also replaced the ambiguous "returns" with "should return" in the tests.
 https://github.com/ruby/openssl/commit/c5b2bc1268
 ---
 ext/openssl/ossl.c        | 25 +++++++++++++++++++++----
 test/openssl/test_fips.rb | 32 ++++++++++++++++++++++++++++----
 2 files changed, 49 insertions(+), 8 deletions(-)
 diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c
 index 6c532aca94..fcf3744c65 100644
 --- a/ext/openssl/ossl.c
 +++ b/ext/openssl/ossl.c
@@ -405,7 +405,11 @@ static VALUE
 ossl_fips_mode_get(VALUE self)
 {
 -#ifdef OPENSSL_FIPS
 +#if OSSL_OPENSSL_PREREQ(3, 0, 0)
 +    VALUE enabled;
 +    enabled = EVP_default_properties_is_fips_enabled(NULL) ? Qtrue : Qfalse;
 +    return enabled;
 +#elif OPENSSL_FIPS
     VALUE enabled;
     enabled = FIPS_mode() ? Qtrue : Qfalse;
     return enabled;
@@ -429,8 +433,18 @@ ossl_fips_mode_get(VALUE self)
 static VALUE
 ossl_fips_mode_set(VALUE self, VALUE enabled)
 {
 -
 -#ifdef OPENSSL_FIPS
 +#if OSSL_OPENSSL_PREREQ(3, 0, 0)
 +    if (RTEST(enabled)) {
 +        if (!EVP_default_properties_enable_fips(NULL, 1)) {
 +            ossl_raise(eOSSLError, "Turning on FIPS mode failed");
 +        }
 +    } else {
 +        if (!EVP_default_properties_enable_fips(NULL, 0)) {
 +            ossl_raise(eOSSLError, "Turning off FIPS mode failed");
 +        }
 +    }
 +    return enabled;
 +#elif OPENSSL_FIPS
     if (RTEST(enabled)) {
 	int mode = FIPS_mode();
 	if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */
@@ -1185,7 +1199,10 @@ Init_openssl(void)
      * Boolean indicating whether OpenSSL is FIPS-capable or not
      */
     rb_define_const(mOSSL, "OPENSSL_FIPS",
 -#ifdef OPENSSL_FIPS
 +/* OpenSSL 3 is FIPS-capable even when it is installed without fips option */
 +#if OSSL_OPENSSL_PREREQ(3, 0, 0)
 +                    Qtrue
 +#elif OPENSSL_FIPS
 		    Qtrue
 #else
 		    Qfalse
 diff --git a/test/openssl/test_fips.rb b/test/openssl/test_fips.rb
 index 8cd474f9a3..56a12a94ce 100644
 --- a/test/openssl/test_fips.rb
 +++ b/test/openssl/test_fips.rb
@@ -4,22 +4,46 @@
 if defined?(OpenSSL)
 class OpenSSL::TestFIPS < OpenSSL::TestCase
 +  def test_fips_mode_get_is_true_on_fips_mode_enabled
 +    unless ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"]
 +      omit "Only for FIPS mode environment"
 +    end
 +
 +    assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;")
 +      assert OpenSSL.fips_mode == true, ".fips_mode should return true on FIPS mode enabled"
 +    end;
 +  end
 +
 +  def test_fips_mode_get_is_false_on_fips_mode_disabled
 +    if ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"]
 +      omit "Only for non-FIPS mode environment"
 +    end
 +
 +    assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;")
 +      message = ".fips_mode should return false on FIPS mode disabled. " \
 +                "If you run the test on FIPS mode, please set " \
 +                "TEST_RUBY_OPENSSL_FIPS_ENABLED=true"
 +      assert OpenSSL.fips_mode == false, message
 +    end;
 +  end
 +
   def test_fips_mode_is_reentrant
     OpenSSL.fips_mode = false
     OpenSSL.fips_mode = false
   end
 -  def test_fips_mode_get
 -    return unless OpenSSL::OPENSSL_FIPS
 +  def test_fips_mode_get_with_fips_mode_set
 +    omit('OpenSSL is not FIPS-capable') unless OpenSSL::OPENSSL_FIPS
 +
     assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;")
       require #{__FILE__.dump}
       begin
         OpenSSL.fips_mode = true
 -        assert OpenSSL.fips_mode == true, ".fips_mode returns true when .fips_mode=true"
 +        assert OpenSSL.fips_mode == true, ".fips_mode should return true when .fips_mode=true"
         OpenSSL.fips_mode = false
 -        assert OpenSSL.fips_mode == false, ".fips_mode returns false when .fips_mode=false"
 +        assert OpenSSL.fips_mode == false, ".fips_mode should return false when .fips_mode=false"
       rescue OpenSSL::OpenSSLError
         pend "Could not set FIPS mode (OpenSSL::OpenSSLError: \#$!); skipping"
       end
 -- 
 2.41.0
--- a/SOURCES/ruby-3.3.0-test-file-utime.patch
+++ b/SOURCES/ruby-3.3.0-test-file-utime.patch
@ -0,0 +1,36 @@
 From 8d1109c03bacc952b6218af2e4ae9b74c9855273 Mon Sep 17 00:00:00 2001
 From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
 Date: Wed, 22 Mar 2023 16:10:06 +0900
 Subject: [PATCH] Added assertion values for Amazon Linux 2023
 ---
 spec/ruby/core/file/utime_spec.rb | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
 diff --git a/spec/ruby/core/file/utime_spec.rb b/spec/ruby/core/file/utime_spec.rb
 index a191e2924037c..0b0e4f979c935 100644
 --- a/spec/ruby/core/file/utime_spec.rb
 +++ b/spec/ruby/core/file/utime_spec.rb
@@ -72,17 +72,19 @@
   platform_is :linux do
     platform_is wordsize: 64 do
 -      it "allows Time instances in the far future to set mtime and atime (but some filesystems limit it up to 2446-05-10 or 2038-01-19)" do
 +      it "allows Time instances in the far future to set mtime and atime (but some filesystems limit it up to 2446-05-10 or 2038-01-19 or 2486-07-02)" do
         # https://ext4.wiki.kernel.org/index.php/Ext4_Disk_Layout#Inode_Timestamps
         # "Therefore, timestamps should not overflow until May 2446."
         # https://lwn.net/Articles/804382/
         # "On-disk timestamps hitting the y2038 limit..."
         # The problem seems to be being improved, but currently it actually fails on XFS on RHEL8
         # https://rubyci.org/logs/rubyci.s3.amazonaws.com/rhel8/ruby-master/log/20201112T123004Z.fail.html.gz
 +        # Amazon Linux 2023 returns 2486-07-02 in this example
 +        # http://rubyci.s3.amazonaws.com/amazon2023/ruby-master/log/20230322T063004Z.fail.html.gz
         time = Time.at(1<<44)
         File.utime(time, time, @file1)
 -        [559444, 2446, 2038].should.include? File.atime(@file1).year
 -        [559444, 2446, 2038].should.include? File.mtime(@file1).year
 +        [559444, 2486, 2446, 2038].should.include? File.atime(@file1).year
 +        [559444, 2486, 2446, 2038].should.include? File.mtime(@file1).year
       end
     end
   end
--- a/SOURCES/ruby-3.3.1-Fix-test-session-reuse-but-expire.patch
+++ b/SOURCES/ruby-3.3.1-Fix-test-session-reuse-but-expire.patch
@ -0,0 +1,28 @@
 From 1816c142a4d66a75c23ccf6fd89a06cbe422e34f Mon Sep 17 00:00:00 2001
 From: "NARUSE, Yui" <nurse@users.noreply.github.com>
 Date: Sat, 3 Feb 2024 22:35:44 +0900
 Subject: [PATCH] Fix test session reuse but expire (#9824)
 * OpenSSL 3.2.1 30 Jan 2024 is also broken
 Import 45064610725ddd81a5ea3775da35aa46985bc789 from ruby_3_3 branch
 tentatively.
 ---
 test/net/http/test_https.rb | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/test/net/http/test_https.rb b/test/net/http/test_https.rb
 index 7b97e39586..aef748dfa0 100644
 --- a/test/net/http/test_https.rb
 +++ b/test/net/http/test_https.rb
@@ -178,6 +178,7 @@ def test_session_reuse
   def test_session_reuse_but_expire
     # FIXME: The new_session_cb is known broken for clients in OpenSSL 1.1.0h.
     skip if OpenSSL::OPENSSL_LIBRARY_VERSION =~ /OpenSSL 1.1.0h/
 +    omit if OpenSSL::OPENSSL_LIBRARY_VERSION.include?('OpenSSL 3.2.')
     http = Net::HTTP.new("localhost", config("port"))
     http.use_ssl = true
 -- 
 2.44.0
--- a/SOURCES/ruby-3.4.0-ruby-net-http-Renew-test-certificates.patch
+++ b/SOURCES/ruby-3.4.0-ruby-net-http-Renew-test-certificates.patch
@ -0,0 +1,256 @@
 From d3933fc753187a055a4904af82f5f3794c88c416 Mon Sep 17 00:00:00 2001
 From: Sorah Fukumori <her@sorah.jp>
 Date: Mon, 1 Jan 2024 20:45:54 +0900
 Subject: [PATCH] [ruby/net-http] Renew test certificates
 The private key is replaced with a public known test key published at
 [RFC 9500].
 Also lifetime has been extended to 10 years from 4 years.
 [RFC 9500]: https://www.rfc-editor.org/rfc/rfc9500.html
 https://github.com/ruby/net-http/commit/4ab6c4a500
 ---
 test/net/fixtures/Makefile   |  6 +--
 test/net/fixtures/cacert.pem | 44 ++++++++--------
 test/net/fixtures/server.crt | 99 +++++++-----------------------------
 test/net/fixtures/server.key | 55 ++++++++++----------
 4 files changed, 71 insertions(+), 133 deletions(-)
 diff --git a/test/net/fixtures/Makefile b/test/net/fixtures/Makefile
 index b2bc9c7368ee2..88c232e3b6c16 100644
 --- a/test/net/fixtures/Makefile
 +++ b/test/net/fixtures/Makefile
@@ -5,11 +5,11 @@ regen_certs:
 	make server.crt
 cacert.pem: server.key
 -	openssl req -new -x509 -days 1825 -key server.key -out cacert.pem -text -subj "/C=JP/ST=Shimane/L=Matz-e city/O=Ruby Core Team/CN=Ruby Test CA/emailAddress=security@ruby-lang.org"
 +	openssl req -new -x509 -days 3650 -key server.key -out cacert.pem -subj "/C=JP/ST=Shimane/L=Matz-e city/O=Ruby Core Team/CN=Ruby Test CA/emailAddress=security@ruby-lang.org"
 server.csr:
 -	openssl req -new -key server.key -out server.csr -text -subj "/C=JP/ST=Shimane/O=Ruby Core Team/OU=Ruby Test/CN=localhost"
 +	openssl req -new -key server.key -out server.csr -subj "/C=JP/ST=Shimane/O=Ruby Core Team/OU=Ruby Test/CN=localhost"
 server.crt: server.csr cacert.pem
 -	openssl x509 -days 1825 -CA cacert.pem -CAkey server.key -set_serial 00 -in server.csr -req -text -out server.crt
 +	openssl x509 -days 3650 -CA cacert.pem -CAkey server.key -set_serial 00 -in server.csr -req -out server.crt
 	rm server.csr
 diff --git a/test/net/fixtures/cacert.pem b/test/net/fixtures/cacert.pem
 index f623bd62ed375..24c83f1c65225 100644
 --- a/test/net/fixtures/cacert.pem
 +++ b/test/net/fixtures/cacert.pem
@@ -1,24 +1,24 @@
 -----BEGIN CERTIFICATE-----
 -MIID7TCCAtWgAwIBAgIJAIltvxrFAuSnMA0GCSqGSIb3DQEBCwUAMIGMMQswCQYD
 -VQQGEwJKUDEQMA4GA1UECAwHU2hpbWFuZTEUMBIGA1UEBwwLTWF0ei1lIGNpdHkx
 -FzAVBgNVBAoMDlJ1YnkgQ29yZSBUZWFtMRUwEwYDVQQDDAxSdWJ5IFRlc3QgQ0Ex
 -JTAjBgkqhkiG9w0BCQEWFnNlY3VyaXR5QHJ1YnktbGFuZy5vcmcwHhcNMTkwMTAy
 -MDI1ODI4WhcNMjQwMTAxMDI1ODI4WjCBjDELMAkGA1UEBhMCSlAxEDAOBgNVBAgM
 -B1NoaW1hbmUxFDASBgNVBAcMC01hdHotZSBjaXR5MRcwFQYDVQQKDA5SdWJ5IENv
 -cmUgVGVhbTEVMBMGA1UEAwwMUnVieSBUZXN0IENBMSUwIwYJKoZIhvcNAQkBFhZz
 -ZWN1cml0eUBydWJ5LWxhbmcub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
 -CgKCAQEAznlbjRVhz1NlutHVrhcGnK8W0qug2ujKXv1njSC4U6nJF6py7I9EeehV
 -SaKePyv+I9z3K1LnfUHOtUbdwdKC77yN66A6q2aqzu5q09/NSykcZGOIF0GuItYI
 -3nvW3IqBddff2ffsyR+9pBjfb5AIPP08WowF9q4s1eGULwZc4w2B8PFhtxYANd7d
 -BvGLXFlcufv9tDtzyRi4t7eqxCRJkZQIZNZ6DHHIJrNxejOILfHLarI12yk8VK6L
 -2LG4WgGqyeePiRyd1o1MbuiAFYqAwpXNUbRKg5NaZGwBHZk8UZ+uFKt1QMBURO5R
 -WFy1c349jbWszTqFyL4Lnbg9HhAowQIDAQABo1AwTjAdBgNVHQ4EFgQU9tEiKdU9
 -I9derQyc5nWPnc34nVMwHwYDVR0jBBgwFoAU9tEiKdU9I9derQyc5nWPnc34nVMw
 -DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAxj7F/u3C3fgq24N7hGRA
 -of7ClFQxGmo/IGT0AISzW3HiVYiFaikKhbO1NwD9aBpD8Zwe62sCqMh8jGV/b0+q
 -aOORnWYNy2R6r9FkASAglmdF6xn3bhgGD5ls4pCvcG9FynGnGc24g6MrjFNrBYUS
 -2iIZsg36i0IJswo/Dy6HLphCms2BMCD3DeWtfjePUiTmQHJo6HsQIKP/u4N4Fvee
 -uMBInei2M4VU74fLXbmKl1F9AEX7JDP3BKSZG19Ch5pnUo4uXM1uNTGsi07P4Y0s
 -K44+SKBC0bYEFbDK0eQWMrX3kIhkPxyIWhxdq9/NqPYjShuSEAhA6CSpmRg0pqc+
 -mA==
 +MIID+zCCAuOgAwIBAgIUGMvHl3EhtKPKcgc3NQSAYfFuC+8wDQYJKoZIhvcNAQEL
 +BQAwgYwxCzAJBgNVBAYTAkpQMRAwDgYDVQQIDAdTaGltYW5lMRQwEgYDVQQHDAtN
 +YXR6LWUgY2l0eTEXMBUGA1UECgwOUnVieSBDb3JlIFRlYW0xFTATBgNVBAMMDFJ1
 +YnkgVGVzdCBDQTElMCMGCSqGSIb3DQEJARYWc2VjdXJpdHlAcnVieS1sYW5nLm9y
 +ZzAeFw0yNDAxMDExMTQ3MjNaFw0zMzEyMjkxMTQ3MjNaMIGMMQswCQYDVQQGEwJK
 +UDEQMA4GA1UECAwHU2hpbWFuZTEUMBIGA1UEBwwLTWF0ei1lIGNpdHkxFzAVBgNV
 +BAoMDlJ1YnkgQ29yZSBUZWFtMRUwEwYDVQQDDAxSdWJ5IFRlc3QgQ0ExJTAjBgkq
 +hkiG9w0BCQEWFnNlY3VyaXR5QHJ1YnktbGFuZy5vcmcwggEiMA0GCSqGSIb3DQEB
 +AQUAA4IBDwAwggEKAoIBAQCw+egZQ6eumJKq3hfKfED4dE/tL4FI5sjqont9ABVI
 ++1GSqyi1bFBgsRjM0THllIdMbKmJtWwnKW8J+5OgNN8y6Xxv8JmM/Y5vQt2lis0f
 +qXmG8UTz0VTWdlAXXmhUs6lSADvAaIe4RVrCsZ97L3ZQTryY7JRVcbB4khUN3Gp0
 +yg+801SXzoFTTa+UGIRLE66jH51aa5VXu99hnv1OiH8tQrjdi8mH6uG/icq4XuIe
 +NWMF32wHqIOOPvQcWV3M5D2vxJEj702Ku6k9OQXkAo17qRSEonWW4HtLbtmS8He1
 +JNPc/n3dVUm+fM6NoDXPoLP7j55G9zKyqGtGAWXAj1MTAgMBAAGjUzBRMB0GA1Ud
 +DgQWBBSJGVleDvFp9cu9R+E0/OKYzGkwkTAfBgNVHSMEGDAWgBSJGVleDvFp9cu9
 +R+E0/OKYzGkwkTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBl
 +8GLB8skAWlkSw/FwbUmEV3zyqu+p7PNP5YIYoZs0D74e7yVulGQ6PKMZH5hrZmHo
 +orFSQU+VUUirG8nDGj7Rzce8WeWBxsaDGC8CE2dq6nC6LuUwtbdMnBrH0LRWAz48
 +jGFF3jHtVz8VsGfoZTZCjukWqNXvU6hETT9GsfU+PZqbqcTVRPH52+XgYayKdIbD
 +r97RM4X3+aXBHcUW0b76eyyi65RR/Xtvn8ioZt2AdX7T2tZzJyXJN3Hupp77s6Ui
 +AZR35SToHCZeTZD12YBvLBdaTPLZN7O/Q/aAO9ZiJaZ7SbFOjz813B2hxXab4Fob
 +2uJX6eMWTVxYK5D4M9lm
 -----END CERTIFICATE-----
 diff --git a/test/net/fixtures/server.crt b/test/net/fixtures/server.crt
 index 5ca78a6d146a0..5d2923795dabc 100644
 --- a/test/net/fixtures/server.crt
 +++ b/test/net/fixtures/server.crt
@@ -1,82 +1,21 @@
 -Certificate:
 -    Data:
 -        Version: 3 (0x2)
 -        Serial Number: 2 (0x2)
 -    Signature Algorithm: sha256WithRSAEncryption
 -        Issuer: C=JP, ST=Shimane, L=Matz-e city, O=Ruby Core Team, CN=Ruby Test CA/emailAddress=security@ruby-lang.org
 -        Validity
 -            Not Before: Jan  2 03:27:13 2019 GMT
 -            Not After : Jan  1 03:27:13 2024 GMT
 -        Subject: C=JP, ST=Shimane, O=Ruby Core Team, OU=Ruby Test, CN=localhost
 -        Subject Public Key Info:
 -            Public Key Algorithm: rsaEncryption
 -                Public-Key: (2048 bit)
 -                Modulus:
 -                    00:e8:da:9c:01:2e:2b:10:ec:49:cd:5e:07:13:07:
 -                    9c:70:9e:c6:74:bc:13:c2:e1:6f:c6:82:fd:e3:48:
 -                    e0:2c:a5:68:c7:9e:42:de:60:54:65:e6:6a:14:57:
 -                    7a:30:d0:cc:b5:b6:d9:c3:d2:df:c9:25:97:54:67:
 -                    cf:f6:be:5e:cb:8b:ee:03:c5:e1:e2:f9:e7:f7:d1:
 -                    0c:47:f0:b8:da:33:5a:ad:41:ad:e7:b5:a2:7b:b7:
 -                    bf:30:da:60:f8:e3:54:a2:bc:3a:fd:1b:74:d9:dc:
 -                    74:42:e9:29:be:df:ac:b4:4f:eb:32:f4:06:f1:e1:
 -                    8c:4b:a8:8b:fb:29:e7:b1:bf:1d:01:ee:73:0f:f9:
 -                    40:dc:d5:15:79:d9:c6:73:d0:c0:dd:cb:e4:da:19:
 -                    47:80:c6:14:04:72:fd:9a:7c:8f:11:82:76:49:04:
 -                    79:cc:f2:5c:31:22:95:13:3e:5d:40:a6:4d:e0:a3:
 -                    02:26:7d:52:3b:bb:ed:65:a1:0f:ed:6b:b0:3c:d4:
 -                    de:61:15:5e:d3:dd:68:09:9f:4a:57:a5:c2:a9:6d:
 -                    86:92:c5:f4:a4:d4:b7:13:3b:52:63:24:05:e2:cc:
 -                    e3:8a:3c:d4:35:34:2b:10:bb:58:72:e7:e1:8d:1d:
 -                    74:8c:61:16:20:3d:d0:1c:4e:8f:6e:fd:fe:64:10:
 -                    4f:41
 -                Exponent: 65537 (0x10001)
 -        X509v3 extensions:
 -            X509v3 Basic Constraints: 
 -                CA:FALSE
 -            Netscape Comment: 
 -                OpenSSL Generated Certificate
 -            X509v3 Subject Key Identifier: 
 -                ED:28:C2:7E:AB:4B:C8:E8:FE:55:6D:66:95:31:1C:2D:60:F9:02:36
 -            X509v3 Authority Key Identifier: 
 -                keyid:F6:D1:22:29:D5:3D:23:D7:5E:AD:0C:9C:E6:75:8F:9D:CD:F8:9D:53
 -
 -    Signature Algorithm: sha256WithRSAEncryption
 -         1d:b8:c5:8b:72:41:20:65:ad:27:6f:15:63:06:26:12:8d:9c:
 -         ad:ca:f4:db:97:b4:90:cb:ff:35:94:bb:2a:a7:a1:ab:1e:35:
 -         2d:a5:3f:c9:24:b0:1a:58:89:75:3e:81:0a:2c:4f:98:f9:51:
 -         fb:c0:a3:09:d0:0a:9b:e7:a2:b7:c3:60:40:c8:f4:6d:b2:6a:
 -         56:12:17:4c:00:24:31:df:9c:60:ae:b1:68:54:a9:e6:b5:4a:
 -         04:e6:92:05:86:d9:5a:dc:96:30:a5:58:de:14:99:0f:e5:15:
 -         89:3e:9b:eb:80:e3:bd:83:c3:ea:33:35:4b:3e:2f:d3:0d:64:
 -         93:67:7f:8d:f5:3f:0c:27:bc:37:5a:cc:d6:47:16:af:5a:62:
 -         d2:da:51:f8:74:06:6b:24:ad:28:68:08:98:37:7d:ed:0e:ab:
 -         1e:82:61:05:d0:ba:75:a0:ab:21:b0:9a:fd:2b:54:86:1d:0d:
 -         1f:c2:d4:77:1f:72:26:5e:ad:8a:9f:09:36:6d:44:be:74:c2:
 -         5a:3e:ff:5c:9d:75:d6:38:7b:c5:39:f9:44:6e:a1:d1:8e:ff:
 -         63:db:c4:bb:c6:91:92:ca:5c:60:9b:1d:eb:0a:de:08:ee:bf:
 -         da:76:03:65:62:29:8b:f8:7f:c7:86:73:1e:f6:1f:2d:89:69:
 -         fd:be:bd:6e
 -----BEGIN CERTIFICATE-----
 -MIID4zCCAsugAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBjDELMAkGA1UEBhMCSlAx
 -EDAOBgNVBAgMB1NoaW1hbmUxFDASBgNVBAcMC01hdHotZSBjaXR5MRcwFQYDVQQK
 -DA5SdWJ5IENvcmUgVGVhbTEVMBMGA1UEAwwMUnVieSBUZXN0IENBMSUwIwYJKoZI
 -hvcNAQkBFhZzZWN1cml0eUBydWJ5LWxhbmcub3JnMB4XDTE5MDEwMjAzMjcxM1oX
 -DTI0MDEwMTAzMjcxM1owYDELMAkGA1UEBhMCSlAxEDAOBgNVBAgMB1NoaW1hbmUx
 -FzAVBgNVBAoMDlJ1YnkgQ29yZSBUZWFtMRIwEAYDVQQLDAlSdWJ5IFRlc3QxEjAQ
 -BgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
 -AOjanAEuKxDsSc1eBxMHnHCexnS8E8Lhb8aC/eNI4CylaMeeQt5gVGXmahRXejDQ
 -zLW22cPS38kll1Rnz/a+XsuL7gPF4eL55/fRDEfwuNozWq1Bree1onu3vzDaYPjj
 -VKK8Ov0bdNncdELpKb7frLRP6zL0BvHhjEuoi/sp57G/HQHucw/5QNzVFXnZxnPQ
 -wN3L5NoZR4DGFARy/Zp8jxGCdkkEeczyXDEilRM+XUCmTeCjAiZ9Uju77WWhD+1r
 -sDzU3mEVXtPdaAmfSlelwqlthpLF9KTUtxM7UmMkBeLM44o81DU0KxC7WHLn4Y0d
 -dIxhFiA90BxOj279/mQQT0ECAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhC
 -AQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFO0o
 -wn6rS8jo/lVtZpUxHC1g+QI2MB8GA1UdIwQYMBaAFPbRIinVPSPXXq0MnOZ1j53N
 -+J1TMA0GCSqGSIb3DQEBCwUAA4IBAQAduMWLckEgZa0nbxVjBiYSjZytyvTbl7SQ
 -y/81lLsqp6GrHjUtpT/JJLAaWIl1PoEKLE+Y+VH7wKMJ0Aqb56K3w2BAyPRtsmpW
 -EhdMACQx35xgrrFoVKnmtUoE5pIFhtla3JYwpVjeFJkP5RWJPpvrgOO9g8PqMzVL
 -Pi/TDWSTZ3+N9T8MJ7w3WszWRxavWmLS2lH4dAZrJK0oaAiYN33tDqsegmEF0Lp1
 -oKshsJr9K1SGHQ0fwtR3H3ImXq2Knwk2bUS+dMJaPv9cnXXWOHvFOflEbqHRjv9j
 -28S7xpGSylxgmx3rCt4I7r/adgNlYimL+H/HhnMe9h8tiWn9vr1u
 +MIIDYTCCAkkCAQAwDQYJKoZIhvcNAQELBQAwgYwxCzAJBgNVBAYTAkpQMRAwDgYD
 +VQQIDAdTaGltYW5lMRQwEgYDVQQHDAtNYXR6LWUgY2l0eTEXMBUGA1UECgwOUnVi
 +eSBDb3JlIFRlYW0xFTATBgNVBAMMDFJ1YnkgVGVzdCBDQTElMCMGCSqGSIb3DQEJ
 +ARYWc2VjdXJpdHlAcnVieS1sYW5nLm9yZzAeFw0yNDAxMDExMTQ3MjNaFw0zMzEy
 +MjkxMTQ3MjNaMGAxCzAJBgNVBAYTAkpQMRAwDgYDVQQIDAdTaGltYW5lMRcwFQYD
 +VQQKDA5SdWJ5IENvcmUgVGVhbTESMBAGA1UECwwJUnVieSBUZXN0MRIwEAYDVQQD
 +DAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCw+egZ
 +Q6eumJKq3hfKfED4dE/tL4FI5sjqont9ABVI+1GSqyi1bFBgsRjM0THllIdMbKmJ
 +tWwnKW8J+5OgNN8y6Xxv8JmM/Y5vQt2lis0fqXmG8UTz0VTWdlAXXmhUs6lSADvA
 +aIe4RVrCsZ97L3ZQTryY7JRVcbB4khUN3Gp0yg+801SXzoFTTa+UGIRLE66jH51a
 +a5VXu99hnv1OiH8tQrjdi8mH6uG/icq4XuIeNWMF32wHqIOOPvQcWV3M5D2vxJEj
 +702Ku6k9OQXkAo17qRSEonWW4HtLbtmS8He1JNPc/n3dVUm+fM6NoDXPoLP7j55G
 +9zKyqGtGAWXAj1MTAgMBAAEwDQYJKoZIhvcNAQELBQADggEBACtGNdj5TEtnJBYp
 +M+LhBeU3oNteldfycEm993gJp6ghWZFg23oX8fVmyEeJr/3Ca9bAgDqg0t9a0npN
 +oWKEY6wVKqcHgu3gSvThF5c9KhGbeDDmlTSVVNQmXWX0K2d4lS2cwZHH8mCm2mrY
 +PDqlEkSc7k4qSiqigdS8i80Yk+lDXWsm8CjsiC93qaRM7DnS0WPQR0c16S95oM6G
 +VklFKUSDAuFjw9aVWA/nahOucjn0w5fVW6lyIlkBslC1ChlaDgJmvhz+Ol3iMsE0
 +kAmFNu2KKPVrpMWaBID49QwQTDyhetNLaVVFM88iUdA9JDoVMEuP1mm39JqyzHTu
 +uBrdP4Q=
 -----END CERTIFICATE-----
 diff --git a/test/net/fixtures/server.key b/test/net/fixtures/server.key
 index 7f2380e71e637..6a83d5bcf4a52 100644
 --- a/test/net/fixtures/server.key
 +++ b/test/net/fixtures/server.key
@@ -1,28 +1,27 @@
 ------BEGIN PRIVATE KEY-----
 -MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDo2pwBLisQ7EnN
 -XgcTB5xwnsZ0vBPC4W/Ggv3jSOAspWjHnkLeYFRl5moUV3ow0My1ttnD0t/JJZdU
 -Z8/2vl7Li+4DxeHi+ef30QxH8LjaM1qtQa3ntaJ7t78w2mD441SivDr9G3TZ3HRC
 -6Sm+36y0T+sy9Abx4YxLqIv7Keexvx0B7nMP+UDc1RV52cZz0MDdy+TaGUeAxhQE
 -cv2afI8RgnZJBHnM8lwxIpUTPl1Apk3gowImfVI7u+1loQ/ta7A81N5hFV7T3WgJ
 -n0pXpcKpbYaSxfSk1LcTO1JjJAXizOOKPNQ1NCsQu1hy5+GNHXSMYRYgPdAcTo9u
 -/f5kEE9BAgMBAAECggEBAOHkwhc7DLh8IhTDNSW26oMu5OP2WU1jmiYAigDmf+OQ
 -DBgrZj+JQBci8qINQxL8XLukSZn5hvQCLc7Kbyu1/wyEEUFDxSGGwwzclodr9kho
 -LX2LDASPZrOSzD2+fPi2wTKmXKuS6Uc44OjQfZkYMNkz9r4Vkm8xGgOD3VipjIYX
 -QXlhhdqkXZcNABsihCV52GKkDFSVm8jv95YJc5xhoYCy/3a4/qPdF0aT2R7oYUej
 -hKrxVDskyooe8Zg/JTydZNV5GQEDmW01/K3r6XGT26oPi1AqMU1gtv/jkW56CRQQ
 -1got8smnqM+AV7Slf9R6DauIPdQJ2S8wsr/o8ISBsOECgYEA9YrqEP2gAYSGFXRt
 -liw0WI2Ant8BqXS6yvq1jLo/qWhLw/ph4Di73OQ2mpycVTpgfGr2wFPQR1XJ+0Fd
 -U+Ir/C3Q7FK4VIGHK7B0zNvZr5tEjlFfeRezo2JMVw5YWeSagIFcSwK+KqCTH9qc
 -pw/Eb8nB/4XNcpTZu7Fg0Wc+ooUCgYEA8sVaicn1Wxkpb45a4qfrA6wOr5xdJ4cC
 -A5qs7vjX2OdPIQOmoQhdI7bCWFXZzF33wA4YCws6j5wRaySLIJqdms8Gl9QnODy1
 -ZlA5gwKToBC/jqPmWAXSKb8EH7cHilaxU9OKnQ7CfwlGLHqjMtjrhR7KHlt3CVRs
 -oRmvsjZVXI0CgYAmPedslAO6mMhFSSfULrhMXmV82OCqYrrA6EEkVNGbcdnzAOkD
 -gfKIWabDd8bFY10po4Mguy0CHzNhBXIioWQWV5BlbhC1YKMLw+S9DzSdLAKGY9gJ
 -xQ4+UQ3wtRQ/k+IYR413RUsW2oFvgZ3KSyNeAb9MK6uuv84VdG/OzVSs/QKBgQDn
 -kap//l2EbObiWyaERunckdVcW0lcN+KK75J/TGwPoOwQsLvTpPe65kxRGGrtDsEQ
 -uCDk/+v3KkZPLgdrrTAih9FhJ+PVN8tMcb+6IM4SA4fFFr/UPJEwct0LJ3oQ0grJ
 -y+HPWFHb/Uurh7t99/4H98uR02sjQh1wOeEmm78mzQKBgQDm+LzGH0se6CXQ6cdZ
 -g1JRZeXkDEsrW3hfAsW62xJQmXcWxBoblP9OamMY+A06rM5og3JbDk5Zm6JsOaA8
 -wS2gw4ilp46jors4eQey8ux7kB9LzdBoDBBElnsbjLO8oBNZlVcYXg+6BOl/CUi7
 -2whRF0FEjKA8ehrNhAq+VFfFNw==
 ------END PRIVATE KEY-----
 +-----BEGIN RSA PRIVATE KEY-----
 +MIIEowIBAAKCAQEAsPnoGUOnrpiSqt4XynxA+HRP7S+BSObI6qJ7fQAVSPtRkqso
 +tWxQYLEYzNEx5ZSHTGypibVsJylvCfuToDTfMul8b/CZjP2Ob0LdpYrNH6l5hvFE
 +89FU1nZQF15oVLOpUgA7wGiHuEVawrGfey92UE68mOyUVXGweJIVDdxqdMoPvNNU
 +l86BU02vlBiESxOuox+dWmuVV7vfYZ79Toh/LUK43YvJh+rhv4nKuF7iHjVjBd9s
 +B6iDjj70HFldzOQ9r8SRI+9NirupPTkF5AKNe6kUhKJ1luB7S27ZkvB3tSTT3P59
 +3VVJvnzOjaA1z6Cz+4+eRvcysqhrRgFlwI9TEwIDAQABAoIBAEEYiyDP29vCzx/+
 +dS3LqnI5BjUuJhXUnc6AWX/PCgVAO+8A+gZRgvct7PtZb0sM6P9ZcLrweomlGezI
 +FrL0/6xQaa8bBr/ve/a8155OgcjFo6fZEw3Dz7ra5fbSiPmu4/b/kvrg+Br1l77J
 +aun6uUAs1f5B9wW+vbR7tzbT/mxaUeDiBzKpe15GwcvbJtdIVMa2YErtRjc1/5B2
 +BGVXyvlJv0SIlcIEMsHgnAFOp1ZgQ08aDzvilLq8XVMOahAhP1O2A3X8hKdXPyrx
 +IVWE9bS9ptTo+eF6eNl+d7htpKGEZHUxinoQpWEBTv+iOoHsVunkEJ3vjLP3lyI/
 +fY0NQ1ECgYEA3RBXAjgvIys2gfU3keImF8e/TprLge1I2vbWmV2j6rZCg5r/AS0u
 +pii5CvJ5/T5vfJPNgPBy8B/yRDs+6PJO1GmnlhOkG9JAIPkv0RBZvR0PMBtbp6nT
 +Y3yo1lwamBVBfY6rc0sLTzosZh2aGoLzrHNMQFMGaauORzBFpY5lU50CgYEAzPHl
 +u5DI6Xgep1vr8QvCUuEesCOgJg8Yh1UqVoY/SmQh6MYAv1I9bLGwrb3WW/7kqIoD
 +fj0aQV5buVZI2loMomtU9KY5SFIsPV+JuUpy7/+VE01ZQM5FdY8wiYCQiVZYju9X
 +Wz5LxMNoz+gT7pwlLCsC4N+R8aoBk404aF1gum8CgYAJ7VTq7Zj4TFV7Soa/T1eE
 +k9y8a+kdoYk3BASpCHJ29M5R2KEA7YV9wrBklHTz8VzSTFTbKHEQ5W5csAhoL5Fo
 +qoHzFFi3Qx7MHESQb9qHyolHEMNx6QdsHUn7rlEnaTTyrXh3ifQtD6C0yTmFXUIS
 +CW9wKApOrnyKJ9nI0HcuZQKBgQCMtoV6e9VGX4AEfpuHvAAnMYQFgeBiYTkBKltQ
 +XwozhH63uMMomUmtSG87Sz1TmrXadjAhy8gsG6I0pWaN7QgBuFnzQ/HOkwTm+qKw
 +AsrZt4zeXNwsH7QXHEJCFnCmqw9QzEoZTrNtHJHpNboBuVnYcoueZEJrP8OnUG3r
 +UjmopwKBgAqB2KYYMUqAOvYcBnEfLDmyZv9BTVNHbR2lKkMYqv5LlvDaBxVfilE0
 +2riO4p6BaAdvzXjKeRrGNEKoHNBpOSfYCOM16NjL8hIZB1CaV3WbT5oY+jp7Mzd5
 +7d56RZOE+ERK2uz/7JX9VSsM/LbH9pJibd4e8mikDS9ntciqOH/3
 +-----END RSA PRIVATE KEY-----
--- a/SOURCES/ruby-ext-openssl-extconf.rb-ignore-OpenSSL-version-check.patch
+++ b/SOURCES/ruby-ext-openssl-extconf.rb-ignore-OpenSSL-version-check.patch
@ -0,0 +1,25 @@
 From 58ebf0f84a1dcb148f21aa589693d49d4e3be7de Mon Sep 17 00:00:00 2001
 From: Jun Aruga <jaruga@redhat.com>
 Date: Thu, 2 May 2024 17:23:09 +0200
 Subject: [PATCH] Allow OpenSSL 3 in Ruby OpenSSL 2.x.
 ---
 ext/openssl/extconf.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
 index 0dc1a5eb43..51de0d6e39 100644
 --- a/ext/openssl/extconf.rb
 +++ b/ext/openssl/extconf.rb
@@ -110,7 +110,7 @@ def find_openssl_library
     !try_static_assert("OPENSSL_VERSION_MAJOR >= 3", "openssl/opensslv.h") }
 end
 unless version_ok
 -  raise "OpenSSL >= 1.0.1, < 3.0.0 or LibreSSL >= 2.5.0 is required"
 +  # raise "OpenSSL >= 1.0.1, < 3.0.0 or LibreSSL >= 2.5.0 is required"
 end
 # Prevent wincrypt.h from being included, which defines conflicting macro with openssl/x509.h
 -- 
 2.44.0
--- a/SOURCES/ruby-spec-Fix-tests-on-tzdata-2022b.patch
+++ b/SOURCES/ruby-spec-Fix-tests-on-tzdata-2022b.patch
@ -0,0 +1,48 @@
 From 7e9ec8a20b0f7469b415283d2ec0c22087f8eb2b Mon Sep 17 00:00:00 2001
 From: Jun Aruga <jaruga@redhat.com>
 Date: Wed, 24 Aug 2022 12:02:56 +0200
 Subject: [PATCH] Fix tests with Europe/Amsterdam pre-1970 time on tzdata
 version 2022b.
 The Time Zone Database (tzdata) changed the pre-1970 timestamps in some zones
 including Europe/Amsterdam on tzdata version 2022b or later.
 See <https://github.com/eggert/tz/commit/35fa37fbbb152f5dbed4fd5edfdc968e3584fe12>.
 The tzdata RPM package maintainer on Fedora project suggested changing the Ruby
 test, because the change is intentional.
 See <https://bugzilla.redhat.com/show_bug.cgi?id=2118259#c1>.
 We use post-1970 time test data to simplify the test.
 ---
 spec/ruby/core/time/shared/local.rb | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
 diff --git a/spec/ruby/core/time/shared/local.rb b/spec/ruby/core/time/shared/local.rb
 index 997b7186f1..c4aa7a7ea9 100644
 --- a/spec/ruby/core/time/shared/local.rb
 +++ b/spec/ruby/core/time/shared/local.rb
@@ -6,18 +6,16 @@
     end
   end
 -=begin
   platform_is_not :windows do
     describe "timezone changes" do
 -      it "correctly adjusts the timezone change to 'CEST' on 'Europe/Amsterdam'" do
 +      it "correctly adjusts the timezone change to 'CET' on 'Europe/Amsterdam'" do
         with_timezone("Europe/Amsterdam") do
 -          Time.send(@method, 1940, 5, 16).to_a.should ==
 -            [0, 40, 1, 16, 5, 1940, 4, 137, true, "CEST"]
 +          Time.send(@method, 1970, 5, 16).to_a.should ==
 +            [0, 0, 0, 16, 5, 1970, 6, 136, false, "CET"]
         end
       end
     end
   end
 -=end
 end
 describe :time_local_10_arg, shared: true do
 -- 
 2.36.1
--- a/SOURCES/test_openssl_fips.rb
+++ b/SOURCES/test_openssl_fips.rb
@ -0,0 +1,34 @@
 require 'openssl'
 # Run openssl tests in OpenSSL FIPS. See the link below for how to test.
 # https://github.com/ruby/openssl/blob/master/.github/workflows/test.yml
 # - step name: test on fips module
 # Listing the testing files by an array explicitly rather than the `Dir.glob`
 # to prevent the test files from not loading unintentionally.
 TEST_FILES = %w[
  test/openssl/test_fips.rb
  test/openssl/test_pkey.rb
 ].freeze
 if ARGV.empty?
  puts 'ERROR: Argument base_dir required.'
  puts "Usage: #{__FILE__} base_dir [options]"
  exit false
 end
 BASE_DIR = ARGV[0]
 abs_test_files = TEST_FILES.map { |file| File.join(BASE_DIR, file) }
 # Set Fedora/RHEL downstream OpenSSL downstream environment variable to enable
 # FIPS module in non-FIPS OS environment. It is available in Fedora 38 or later
 # versions.
 # https://src.fedoraproject.org/rpms/openssl/blob/rawhide/f/0009-Add-Kernel-FIPS-mode-flag-support.patch
 ENV['OPENSSL_FORCE_FIPS_MODE'] = '1'
 # A flag to tell the tests the current environment is FIPS enabled.
 # https://github.com/ruby/openssl/blob/master/test/openssl/test_fips.rb
 ENV['TEST_RUBY_OPENSSL_FIPS_ENABLED'] = 'true'
 abs_test_files.each do |file|
  puts "INFO: Loading #{file}."
  require file
 end
--- a/SPECS/ruby.spec
+++ b/SPECS/ruby.spec
@ -1,6 +1,6 @@
 %global major_version 3
 %global minor_version 0
-%global teeny_version 4
+%global teeny_version 7
 %global major_minor_version %{major_version}.%{minor_version}
 %global ruby_version %{major_minor_version}.%{teeny_version}
@ -22,7 +22,7 @@
 %endif
-%global release 160
+%global release 162
 %{!?release_string:%define release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
 # The RubyGems library has to stay out of Ruby directory tree, since the
@ -41,7 +41,7 @@
 %global bundler_net_http_persistent_version 4.0.0
 %global bundler_thor_version 1.1.0
 %global bundler_tmpdir_version 0.1.0
-%global bundler_uri_version 0.10.0
+%global bundler_uri_version 0.10.0.3
 %global bigdecimal_version 3.0.0
 %global did_you_mean_version 1.5.0
@ -49,14 +49,14 @@
 %global io_console_version 0.5.7
 %global irb_version 1.3.5
 %global json_version 2.5.1
-%global openssl_version 2.2.1
+%global openssl_version 2.2.2
 %global psych_version 3.3.2
 %global racc_version 1.5.2
-%global rdoc_version 6.3.3
+%global rdoc_version 6.3.4.1
 # Bundled gems.
 %global minitest_version 5.14.2
-%global power_assert_version 1.2.0
+%global power_assert_version 1.2.1
 %global rake_version 13.0.3
 %global rbs_version 1.4.0
 %global test_unit_version 3.3.7
@ -106,6 +106,8 @@ Source11: rubygems.con
 Source13: test_abrt.rb
 # SystemTap tests.
 Source14: test_systemtap.rb
 # Ruby OpenSSL FIPS tests.
 Source15: test_openssl_fips.rb
 # The load directive is supported since RPM 4.12, i.e. F21+. The build process
 # fails on older Fedoras.
@ -181,9 +183,9 @@ Patch22: rubygems-3.2.33-Fix-loading-operating_system-rb-customizations-too-late
 # OpenSSL 3.0 compatibility patches
-# Revert OpenSSL < 3.x enforcement.
+# Ignore OpenSSL version check to allow OpenSSL 3 in Ruby OpenSSL 2.x.
-# https://github.com/ruby/openssl/commit/202ff1372a40a8adf9aac74bfe8a39141b0c57e5
+# https://github.com/ruby/openssl?tab=readme-ov-file#compatibility-and-maintenance-policy
-Patch30: ruby-3.0.3-ext-openssl-extconf.rb-require-OpenSSL-version-1.0.1.patch
+Patch30: ruby-ext-openssl-extconf.rb-ignore-OpenSSL-version-check.patch
 # Fix test broken by wrongly formatted distinguished name submitted to
 # `OpenSSL::X509::Name.parse`.
@ -261,6 +263,40 @@ Patch59: ruby-3.1.1-ossl_ocsp-use-null.patch
 # Replace SHA1 usage in tests.
 # https://github.com/ruby/openssl/pull/511
 Patch60: ruby-3.1.2-ossl-tests-replace-sha1.patch
 # Fix tests with Europe/Amsterdam pre-1970 time on tzdata version 2022b.
 # https://github.com/ruby/spec/pull/939
 Patch62: ruby-spec-Fix-tests-on-tzdata-2022b.patch
 # Fix File.utime test.
 # https://github.com/ruby/ruby/commit/8d1109c03bacc952b6218af2e4ae9b74c9855273
 Patch64: ruby-3.3.0-test-file-utime.patch
 # Fix OpenSSL.fips_mode in OpenSSL 3 FIPS.
 # https://github.com/ruby/openssl/pull/608
 # https://github.com/ruby/ruby/commit/678d41bc51fe31834eec0b653ba0e47de5420aa0
 Patch65: ruby-3.3.0-openssl-3.2.0-fix-fips-get-set-in-openssl-3.patch
 # Fix OpenSSL::PKey.read in OpenSSL 3 FIPS.
 # The patch is a combination of the following 2 commits to simplify the patch.
 # https://github.com/ruby/openssl/pull/615
 # https://github.com/ruby/ruby/commit/2a4834057b30a26c38ece3961b370c0b2ee59380
 # https://github.com/ruby/openssl/pull/669
 # https://github.com/ruby/ruby/commit/b0ec1db8a72c530460abd9462ac75845362886bd
 Patch66: ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch
 # Enable tests in OpenSSL FIPS.
 # https://github.com/ruby/openssl/pull/615
 # https://github.com/ruby/ruby/commit/920bc71284f417f9044b0dc1822b1d29a8fc61e5
 Patch67: ruby-3.3.0-openssl-3.2.0-fips-enable-tests.patch
 # ssl: use ffdhe2048 from RFC 7919 as the default DH group parameters
 # https://github.com/ruby/openssl/pull/674
 # https://github.com/ruby/ruby/commit/b6d7cdc2bad0eadbca73f3486917f0ec7a475814
 Patch68: ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-dh-require-openssl.patch
 # Fix net-http test errors due to expired certificate
 # https://github.com/ruby/ruby/commit/d3933fc753187a055a4904af82f5f3794c88c416
 # https://bugs.ruby-lang.org/issues/20106
 Patch69: ruby-3.4.0-ruby-net-http-Renew-test-certificates.patch
 # Fix `TestNetHTTPS#test_session_reuse_but_expire` test failure cause by
 # to OpenSSL 3.2
 # https://github.com/ruby/ruby/commit/64b6a018a38f200c957fdbbe7d0cbe0e64781c9f
 Patch70: ruby-3.3.1-Fix-test-session-reuse-but-expire.patch
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Suggests: rubypick
@ -703,7 +739,7 @@ rm -rf ext/fiddle/libffi*
 %patch20 -p1
 %patch21 -p1
 %patch22 -p1
-%patch30 -p1 -R
+%patch30 -p1
 %patch31 -p1
 %patch40 -p1
 %patch41 -p1
@ -726,6 +762,14 @@ rm -rf ext/fiddle/libffi*
 %patch58 -p1
 %patch59
 %patch60 -p1
 %patch62 -p1
 %patch64 -p1
 %patch65 -p1
 %patch66 -p1
 %patch67 -p1
 %patch68 -p1
 %patch69 -p1
 %patch70 -p1
 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .
@ -998,6 +1042,13 @@ MSPECOPTS=""
 # Avoid `hostname' dependency.
 %{!?with_hostname:MSPECOPTS="-P 'Socket.gethostname returns the host name'"}
 # Some infra allows DNS resolution but then does not allow
 # connection to proceed, let's ignore it altogether for now.
 # Our expectation is that there is no network connectivity outside
 # available loopback interface. That is not the reality currently.
 # https://issues.redhat.com/browse/CS-1959
 DISABLE_TESTS="$DISABLE_TESTS -n !/TestBundledCA/"
 # Several test broken by libffi-3.4.2. There should be fix in libffi, once
 # other components are fixed.
 # https://bugzilla.redhat.com/show_bug.cgi?id=2040380
@ -1017,6 +1068,11 @@ OPENSSL_ENABLE_SHA1_SIGNATURES=1 \
 %{?test_timeout_scale:RUBY_TEST_TIMEOUT_SCALE="%{test_timeout_scale}"} \
  make check TESTS="-v $DISABLE_TESTS" MSPECOPT="-fs $MSPECOPTS"
 # Run Ruby OpenSSL tests in OpenSSL FIPS.
 make runruby TESTRUN_SCRIPT=" \
  -I%{_builddir}/%{buildsubdir}/tool/lib --enable-gems \
  %{SOURCE15} %{_builddir}/%{buildsubdir} --verbose"
 %files
 %license BSDL
 %license COPYING
@ -1272,7 +1328,7 @@ OPENSSL_ENABLE_SHA1_SIGNATURES=1 \
 %{gem_dir}/specifications/default/abbrev-0.1.0.gemspec
 %{gem_dir}/specifications/default/base64-0.1.0.gemspec
 %{gem_dir}/specifications/default/benchmark-0.1.1.gemspec
-%{gem_dir}/specifications/default/cgi-0.2.1.gemspec
+%{gem_dir}/specifications/default/cgi-0.2.2.gemspec
 %{gem_dir}/specifications/default/csv-3.1.9.gemspec
 %{gem_dir}/specifications/default/date-3.1.3.gemspec
 %{gem_dir}/specifications/default/dbm-1.1.0.gemspec
@ -1326,17 +1382,17 @@ OPENSSL_ENABLE_SHA1_SIGNATURES=1 \
 %{gem_dir}/specifications/default/set-1.0.1.gemspec
 %{gem_dir}/specifications/default/shellwords-0.1.0.gemspec
 %{gem_dir}/specifications/default/singleton-0.1.1.gemspec
-%{gem_dir}/specifications/default/stringio-3.0.1.gemspec
+%{gem_dir}/specifications/default/stringio-3.0.1.1.gemspec
 %{gem_dir}/specifications/default/strscan-3.0.1.gemspec
 %{gem_dir}/specifications/default/syslog-0.1.0.gemspec
 %{gem_dir}/specifications/default/tempfile-0.1.1.gemspec
-%{gem_dir}/specifications/default/time-0.1.0.gemspec
+%{gem_dir}/specifications/default/time-0.1.1.gemspec
 %{gem_dir}/specifications/default/timeout-0.1.1.gemspec
 %{gem_dir}/specifications/default/tmpdir-0.1.2.gemspec
 %{gem_dir}/specifications/default/tsort-0.1.0.gemspec
 %{gem_dir}/specifications/default/tracer-0.1.1.gemspec
 %{gem_dir}/specifications/default/un-0.1.0.gemspec
-%{gem_dir}/specifications/default/uri-0.10.1.gemspec
+%{gem_dir}/specifications/default/uri-0.10.3.gemspec
 %{gem_dir}/specifications/default/weakref-0.1.1.gemspec
 #%%{gem_dir}/specifications/default/win32ole-1.8.8.gemspec
 %{gem_dir}/specifications/default/yaml-0.1.1.gemspec
@ -1489,11 +1545,39 @@ OPENSSL_ENABLE_SHA1_SIGNATURES=1 \
 %changelog
 * Tue Apr 30 2024 Jun Aruga <jaruga@redhat.com> - 3.0.7-162
 - Upgrade to Ruby 3.0.7.
  Resolves: RHEL-35740
 - Fix HTTP response splitting in CGI.
  Resolves: RHEL-35741
 - Fix ReDoS vulnerability in URI.
  Resolves: RHEL-35742
 - Fix ReDoS vulnerability in Time.
  Resolves: RHEL-35743
 - Fix buffer overread vulnerability in StringIO.
  Resolves: RHEL-35744
 - Fix RCE vulnerability with .rdoc_options in RDoc.
  Resolves: RHEL-35746
 - Fix arbitrary memory address read vulnerability with Regex search.
  Resolves: RHEL-35747
 * Mon Oct 09 2023 Jun Aruga <jaruga@redhat.com> - 3.0.4-161
 - Fix OpenSSL.fips_mode and OpenSSL::PKey.read in OpenSSL 3 FIPS.
  Resolves: RHEL-12724
 - ssl: use ffdhe2048 from RFC 7919 as the default DH group parameters
  Related: RHEL-12724
 * Wed Jun 28 2023 Jun Aruga <jaruga@redhat.com> - 3.0.4-160
 - Bypass git submodule test failure on Git >= 2.38.1.
 - Fix tests with Europe/Amsterdam pre-1970 time on tzdata version 2022b.
 - Fix for tzdata-2022g.
 - Fix File.utime test.
 * Fri Jul 08 2022 Jarek Prokop <jprokop@redhat.com> - 3.0.4-160
 - Upgrade to Ruby 3.0.4.
-  Resolves: rhbz#2109428
+  Resolves: rhbz#2096347
 - OpenSSL test suite fixes due to disabled SHA1.
-  Related: rbhz#2109428
+  Resolves: rbhz#2107696
 - Fix double free in Regexp compilation.
  Resolves: CVE-2022-28738
 - Fix buffer overrun in String-to-Float conversion.
`@ -1 +1 @@`
	`SOURCES/ruby-3.0.4.tar.xz`	`SOURCES/ruby-3.0.7.tar.xz`
`@ -1 +1 @@`
	`14461adca874d42a06a11851029dec877d9d28de SOURCES/ruby-3.0.4.tar.xz`	`efc97e609868a19f89653068c4915c162117b721 SOURCES/ruby-3.0.7.tar.xz`