Ruby 2.4.0 throws deprecation warning about OpenSSL::Cipher::Cipher #135

Closed
safetymonkey opened this issue Mar 15, 2017 · 10 comments

Comments

@safetymonkey

I tried updating my app to use Ruby 2.4.0 (bumped up from 2.3.3), and while the server runs and my rspec tests pass, I get 6 instances of the following warning:

/Users/me/.rbenv/versions/2.4.0/lib/ruby/gems/2.4.0/gems/aes-0.5.0/lib/aes/aes.rb:151: warning: constant OpenSSL::Cipher::Cipher is deprecated

As far as I can tell, this is coming from the aes gem, which crypt_keeper relies upon. It hasn't been in active development in years, and the latest version (0.5.0) appears to have this problem as a known issue that's gone unaddressed. (chicks/aes#8) Unfortunately, the owner of the repository hasn't had any public contributions to GitHub since 2015.

I am not sure what the best option is here, as there don't appear to be a ton of AES encrypt/decrypt gems that have been updated recently.

@jesperronn
Contributor

It could be helpful if somebody had the time to try alternatives (could Fast AES be used?) or if you have the time/skillzz to attempt an update:

My guess is that the deprecation warning will hold people back from updating to Ruby 2.4.

@safetymonkey
Author

I'm happy to take a stab at resolving this. Is @jmazzi accepting pull requests?

Also, someone in the issues thread I linked originally has created a fork that fixes this issue, but that is of course problematic in the long term.

@jmazzi
Owner

jmazzi commented Jun 16, 2017

@safetymonkey I'm more than thrilled to accept pull requests with tests. My preference would be to remove AES as a dependency completely, even if it's not backward compatible. The AES project has not been maintained in a while.

@itspriddle
Collaborator

FWIW I started on a replacement implementation for AES in #140, but I've not had time to add a migration path yet.

@jmazzi
Owner

jmazzi commented Jun 16, 2017

@itspriddle at this point I'm ok with 1.0 becoming EOL and moving to a 2.0. The migration tools can come later, but I'd like to stay ahead of the problem for new installs if we can.

@itspriddle
Collaborator

@jmazzi sounds good to me. Let me hack a little more tonight on #140 and I will get a 2.0.0 RC ready with 2.4.0 support.

@itspriddle
Collaborator

#140 has been refactored to include Ruby 2.4 support. Note that it is a breaking change for users of the AesNew encryptor. Migration steps are included in the comments of the PR.

Can you guys give it a try and report back if there are any issues? If it's good we can prepare a 2.0.0 RC. Thanks!

@scicco

scicco commented Oct 18, 2017

Hi @itspriddle, I've followed your general migration path and tested it locally. I had no problems with my data.

@jesperronn
Contributor

jesperronn commented Nov 19, 2017

@jmazzi please consider closing this issue in favor of #140?

@jmazzi
Owner

jmazzi commented Nov 27, 2017

Experimental PR in #140

@jmazzi jmazzi closed this as completed Nov 27, 2017