NameError: uninitialized constant OpenSSL::SSL::TLS1_3_VERSION (bunny-2.20.0, ruby 2.6)

[doconnor-clintel]

Via dependabot;

NameError: uninitialized constant OpenSSL::SSL::TLS1_3_VERSION
--
  | /var/lib/buildkite-agent/.bundlecache/ruby/2.6.0/gems/bunny-2.20.0/lib/bunny/transport.rb:34:in `<class:Transport>'
  | /var/lib/buildkite-agent/.bundlecache/ruby/2.6.0/gems/bunny-2.20.0/lib/bunny/transport.rb:16:in `<module:Bunny>'
  | /var/lib/buildkite-agent/.bundlecache/ruby/2.6.0/gems/bunny-2.20.0/lib/bunny/transport.rb:14:in `<main>'
  | /var/lib/buildkite-agent/.bundlecache/ruby/2.6.0/gems/bootsnap-1.15.0/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:32:in `require'
  | /var/lib/buildkite-agent/.bundlecache/ruby/2.6.0/gems/bootsnap-1.15.0/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:32:in `require'
  | /var/lib/buildkite-agent/.bundlecache/ruby/2.6.0/gems/polyglot-0.3.5/lib/polyglot.rb:65:in `require'
  | /var/lib/buildkite-agent/.bundlecache/ruby/2.6.0/gems/bunny-2.20.0/lib/bunny/session.rb:5:in `<main>'
  | /var/lib/buildkite-agent/.bundlecache/ruby/2.6.0/gems/bootsnap-1.15.0/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:32:in `require'
  | /var/lib/buildkite-agent/.bundlecache/ruby/2.6.0/gems/bootsnap-1.15.0/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:32:in `require'
  | /var/lib/buildkite-agent/.bundlecache/ruby/2.6.0/gems/polyglot-0.3.5/lib/polyglot.rb:65:in `require'
  | /var/lib/buildkite-agent/.bundlecache/ruby/2.6.0/gems/bunny-2.20.0/lib/bunny.rb:27:in `<main>'
  | /var/lib/buildkite-agent/.bundlecache/ruby/2.6.0/gems/bootsnap-1.15.0/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:32:in `require'
  | /var/lib/buildkite-agent/.bundlecache/ruby/2.6.0/gems/bootsnap-1.15.0/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:32:in `require'
  | /var/lib/buildkite-agent/builds/ip-172-31-46-227/clintel/cr-tests/config/application.rb:7:in `<top (required)>'
  | /var/lib/buildkite-agent/builds/ip-172-31-46-227/clintel/cr-tests/Rakefile:4:in `require'
  | /var/lib/buildkite-agent/builds/ip-172-31-46-227/clintel/cr-tests/Rakefile:4:in `<top (required)>'
  | /var/lib/buildkite-agent/.bundlecache/ruby/2.6.0/gems/rake-13.0.6/exe/rake:27:in `<top (required)>'

Strangely, this constant should probably be available even as far back as Ruby 2.5.1:
https://ruby-doc.org/stdlib-2.5.1/libdoc/openssl/rdoc/OpenSSL/SSL.html

It might just be a load order issue on our side of things; however Bunny 2.19.0 doesn't appear to experience the issue.

[michaelklishin]

What happens on Ruby 2.7 or 3.x?

[michaelklishin]

I am not particularly interested in spending time on Ruby 2.6 compatibility, if 2.7 and 3.x do not run into this, I'd simply bump the minimum supported version for new releases.

Also, we need a way to reproduce since quite obviously only you have access to your CI env.

[doconnor-clintel]

I think that's a reasonable/sensible approach

[michaelklishin]

Looking at the code in transport.rb:

begin
  require "openssl"
rescue LoadError => _le
  $stderr.puts "Could not load OpenSSL"
end

makes me wonder if the OpenSSL version on your CI host is too old to support TLS 1.3, and thus the OpenSSL Ruby extension infers that and doesn't make the constant available.

Older Ruby versions and cutting edge TLS won't necessarily play well together. It took
JVM and Erlang TLS implementations a few years to iron out TLS 1.3 support.

I could not reproduce on 2.7 or 3.x, and could not build Ruby 2.6 on ARM64 locally. Trying out a Docker image next.

[michaelklishin]

I cannot reproduce using ruby:2.6 and ruby:slim (3.x) images:

irb(main):001:0> require "openssl"
=> true
irb(main):002:0> OpenSSL::SSL::TLS1_3_VERSION
=> 772
irb(main):003:0> RUBY_VERSION
=> "2.6.10"

irb(main):001:0> OpenSSL::SSL::TLS1_3_VERSION
(irb):1:in `<main>': uninitialized constant OpenSSL (NameError)
	from /usr/local/lib/ruby/gems/3.1.0/gems/irb-1.4.1/exe/irb:11:in `<top (required)>'
	from /usr/local/bin/irb:25:in `load'
	from /usr/local/bin/irb:25:in `<main>'
irb(main):002:0> require "openssl"
=> true
irb(main):003:0> OpenSSL::SSL::TLS1_3_VERSION
=> 772
irb(main):004:0> RUBY_VERSION
=> "3.1.3"

[tindron]

I can reproduce with ruby 3.1.2 on Ubuntu 16.04.6 with openssl 1.0.2g

irb(main):002:0> OpenSSL::SSL::TLS1_3_VERSION
(irb):2:in `<main>': uninitialized constant OpenSSL::SSL::TLS1_3_VERSION (NameError)
Did you mean?  OpenSSL::SSL::TLS1_1_VERSION
               OpenSSL::SSL::TLS1_2_VERSION
               OpenSSL::SSL::TLS1_VERSION
               OpenSSL::SSL::SSL3_VERSION
	from /home/deploy/.rbenv/versions/3.1.2/lib/ruby/gems/3.1.0/gems/irb-1.4.1/exe/irb:11:in `<top (required)>'
	from /home/deploy/.rbenv/versions/3.1.2/bin/irb:25:in `load'
	from /home/deploy/.rbenv/versions/3.1.2/bin/irb:25:in `<main>'

[arashm]

Getting the same error here with fully updated Ubuntu 18.04 LTS, openSSL 1.1.1 and Ruby 3.0.3.

[dup2]

Can confirm this error on ubuntu 18.04 LTS, openssl 1.1.1 and ruby 2.7.6.

I think it is a problem with the openssl version, not the ruby version.

This is a breaking change IMHO and should thus not be just a minor release - 2.19.0 works as expected.

[michaelklishin]

I am afraid I am not interested in working around OpenSSL issues specific to Ubuntu 16.04 (close to 7 years old) and 18.04 (close to 5).

[michaelklishin]

Adding TLS 1.3 as an option is not a breaking change in environments that do support TLS1.3 (which has been around for a few years now).

I sure won't bump the major version over this, the API of Bunny has not meaningfully changed in a long time.

If someone is interested in making TLS 1.3 support conditional on whether the underlying OpenSSL supports it, you are welcome to submit a PR. I won't revert anything or bump the major version, TLS 1.3 has too many fixes and advantages.
Those who need to support Ubuntu 16.04 can stick to Bunny 2.19.

[arashm]

That's a bit harsh. Both Ubuntu 16.04 and 18.04 haven't yet reached their EOL https://ubuntu.com/about/release-cycle#ubuntu

[michaelklishin]

It's a bit harsh to demand someone else to do the work that will be of any use to an increasingly smaller % of the user base year after year. Go ahead and maintain a fork if you really need to support Ubuntu 16.04.

I never subscribed to supporting a distribution for 10 years. General Ubuntu distribution support is no longer than 4 years. I am not paid by Canonical to support all the OSS I work on for 10 years because they do it for that long for paying customers.

It is a complete lie to claim that that is possible. Erlang, Python, plenty of other tools had to find out the hard way that
supporting a distribution for so many years with accelerating OpenSSL/LibreSSL rate of change is
madness: older distributions will be left behind with ancient versions of OpenSSL and everything that depends on OpenSSL, which is a very large number of tools and runtimes. It's a great way to end up with an unupgradable system and bit rot across the board.

Old versions of Bunny are still around for those who need them.

[dup2]

Aye, thanks for this clear statement. Maybe you could mention it in the changelog that it is not compatible to openssl 1.1.1 anymore since version 2.20 so poor souls like us who still have to support systems which stick to openssl 1.1.1 for whatever reasons will see it immediately?

[michaelklishin]

A quick investigation suggests that

• Before Ruby 2.6, OpenSSL::SSL::TLS1_2_VERSION and similar constants were not available
• Ruby 2.6 is not available in standard Ubuntu repositories, they go from 2.5 in 18.04 to 2.7 in 20.04 and then 3.0 in 22.04
• Using defined?(OpenSSL::SSL::TLS1_3_VERSION) should be enough to work around this but to test it I'd have to build Ruby 2.6 on Ubuntu 18.04
• Building Ruby 2.6 on arm64 hosts does not seem to be possible (likely because it pre-dates ARM64 Macs in wide use)

[michaelklishin]

#653 is one workaround I could think of, there may be others.

[michaelklishin]

Should be addressed in 2.20.3.