OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE is not shareable across ractors

[HoneyryderChuck]

I'm working on ractor-safety in the http library I maintain, and I just got this error when performing an https request:

code looks like:

ctx = OpenSSL::SSL::SSLContext.new
ctx.set_params(ctx_options)
#=> `set_params': can not access non-shareable objects in constant OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE by non-main ractor. (Ractor::Isolation
Error)

I've seen that OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE is not frozen. I'm not sure if there's a reason for it. However, even after I freeze it, it's not shareable:

irb(main):005:0> c = OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
=> #<OpenSSL::X509::Store:0x0000000108213b90 @chain=nil, @error=nil, @error_string=nil, @time=nil, @verify_callback=nil>
irb(main):006:0> c.frozen?
=> false
irb(main):008:0> c.freeze
=> #<OpenSSL::X509::Store:0x0000000108213b90 @chain=nil, @error=nil, @error_string=nil, @time=nil, @verify_callback=nil>
irb(main):009:0> c.frozen?
=> true
irb(main):010:0> Ractor.shareable?(c)
=> false

[rhenium]

even after I freeze it, it's not shareable:

The direct cause is that OpenSSL::X509::Store doesn't have the RUBY_TYPED_FROZEN_SHAREABLE flag set. X509_STORE appears to be safe to share across threads.

Actually, OpenSSL::SSL::SSLContext/SSL_CTX should also be shareable

[nightpool]

Is this still an issue?

[rhenium]

Making ruby/openssl objects shareable when frozen has turned out to be significantly more complicated than anticipated (see #803 #807 #816) and I don't expect it can be finished soon.

I wonder if we can allocate a separate default store for each Ractor for now. This won't allow usage of OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE in non-main Ractors (which I would discourage, and it's been :nodoc: for several years now), but we can at least make SSLContext#set_params compatible.