Commit 7863389
[ruby/openssl] ssl: remove OpenSSL::X509::V_FLAG_CRL_CHECK_ALL from the default store
With OpenSSL 3.6.0, it causes nearly every certificate verification to fail with the message "certificate verify failed (unable to get certificate CRL)" because the CRLs are typically unavailable in the default store used by OpenSSL::SSL::SSLContext#set_params.

OpenSSL::X509::V_FLAG_CRL_CHECK_ALL is a flag that extends the CRL checking to all certificates in the chain. In OpenSSL < 3.6.0, the flag alone has no effect, and OpenSSL::X509::V_FLAG_CRL_CHECK must also be set to enable CRL checking. In OpenSSL 3.6.0, OpenSSL::X509::V_FLAG_CRL_CHECK_ALL now implies OpenSSL::X509::V_FLAG_CRL_CHECK. This is inconsistent with the man page and may be fixed in a future OpenSSL 3.6.x release, but this flag is not needed and should not be set by default.

Fixes ruby/openssl#949

ruby/openssl@e8481cd687
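What the two flags do in practice is easier to see in code. The following is an added Ruby example, not code from the ruby/openssl project or from this commit: it builds a throwaway CA, a leaf certificate and a CRL in memory (constructed test data, not real PKI material) and runs the leaf through an OpenSSL::X509::Store under several flag combinations, the way the default store in ssl.rb would be exercised. The helper names (new_cert, issue_crl, build_pki, verify_with_store, crl_check_scenarios) are the example's own.

```ruby
require "openssl"

# Build an X.509 certificate signed by +issuer_key+. Everything is generated
# in memory for this example (constructed test PKI, not real CA data).
def new_cert(serial:, subject:, issuer_cert:, issuer_key:, key:, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject # self-signed root when nil
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  # cRLSign on the CA is what lets OpenSSL accept the CRLs it issues.
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true)) if ca
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Issue a CRL from the CA that revokes the given serial numbers (possibly none).
def issue_crl(ca_cert, ca_key, revoked_serials)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca_cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  revoked_serials.each do |serial|
    rev = OpenSSL::X509::Revoked.new
    rev.serial = serial
    rev.time = Time.now - 30
    crl.add_revoked(rev)
  end
  crl.sign(ca_key, OpenSSL::Digest.new("SHA256"))
  crl
end

# One root CA plus one end-entity certificate issued by it.
def build_pki
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = new_cert(serial: 1, subject: "/CN=Example Test CA", issuer_cert: nil,
                issuer_key: ca_key, key: ca_key, ca: true)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  leaf = new_cert(serial: 2, subject: "/CN=server.example.test", issuer_cert: ca,
                  issuer_key: ca_key, key: leaf_key, ca: false)
  [ca, ca_key, leaf]
end

# Verify +leaf+ against a store that trusts only +ca+ (and holds +crl+ when
# given) with the requested X509 verify +flags+.
# Returns [verified?, error code, error string].
def verify_with_store(ca, leaf, crl: nil, flags: 0)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  store.add_crl(crl) if crl
  store.flags = flags
  ok = store.verify(leaf)
  [ok, store.error, store.error_string]
end

# The flag combinations discussed in the commit message.
def crl_check_scenarios
  ca, ca_key, leaf = build_pki
  empty_crl = issue_crl(ca, ca_key, [])
  revoking_crl = issue_crl(ca, ca_key, [leaf.serial])
  both = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
  {
    # no CRL checking at all: verification succeeds on every OpenSSL version
    no_flags: verify_with_store(ca, leaf),
    # CRL_CHECK_ALL alone: per the commit message, a no-op before 3.6.0 and
    # "unable to get certificate CRL" on 3.6.0, so this result is version dependent
    check_all_only_no_crl: verify_with_store(ca, leaf, flags: OpenSSL::X509::V_FLAG_CRL_CHECK_ALL),
    # CRL checking explicitly enabled but no CRL in the store: always fails
    both_flags_no_crl: verify_with_store(ca, leaf, flags: both),
    # CRL checking enabled and the CA's CRL present: succeeds
    both_flags_with_crl: verify_with_store(ca, leaf, crl: empty_crl, flags: both),
    # CRL checking enabled and the leaf listed in the CRL: "certificate revoked"
    both_flags_revoked: verify_with_store(ca, leaf, crl: revoking_crl, flags: both)
  }
end

if __FILE__ == $0
  crl_check_scenarios.each do |name, (ok, _code, message)|
    puts format("%-24s verified=%-5s %s", name, ok, message)
  end
end
```

The `both_flags_no_crl` case reproduces the failure the commit message describes, independent of OpenSSL version: once CRL checking is on, a store that holds no CRL for the issuer cannot verify anything. The `both_flags_with_crl` case shows the configuration a deployment that actually wants CRL checking needs, namely setting OpenSSL::X509::V_FLAG_CRL_CHECK together with OpenSSL::X509::V_FLAG_CRL_CHECK_ALL and loading a current CRL for every CA in the chain.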
1 parent e6188c4 commit 7863389

File tree

1 file changed: +0 -1 lines changed


ext/openssl/lib/openssl/ssl.rb

Lines changed: 0 additions & 1 deletion
@@ -91,7 +91,6 @@ class SSLContext
9191

9292
DEFAULT_CERT_STORE = OpenSSL::X509::Store.new # :nodoc:
9393
DEFAULT_CERT_STORE.set_default_paths
94-
DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
9594

9695
# A callback invoked when DH parameters are required for ephemeral DH key
9796
# exchange.
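Review bot: the deleted line 94 (`DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL`) was the only flags assignment on DEFAULT_CERT_STORE, so after this hunk the store runs with OpenSSL's default verify flags and CRL checking is off in the default store on every OpenSSL version; that is the intended outcome given the commit message, but nothing in the code now records the decision, and the constant is `# :nodoc:` so it will not surface in the API docs either. Suggest a short comment after `DEFAULT_CERT_STORE.set_default_paths` along the lines of "CRL checking is deliberately not enabled: the default store has no CRLs, and V_FLAG_CRL_CHECK_ALL alone triggers lookups on OpenSSL 3.6.0" so the flag is not reintroduced later. The change also touches only ssl.rb (1 file changed, no test); a regression assertion that `DEFAULT_CERT_STORE.flags` contains neither V_FLAG_CRL_CHECK nor V_FLAG_CRL_CHECK_ALL would pin the behaviour cheaply.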

0 commit comments