Issue #9439 has been updated by Shyouhei Urabe.


Fabian Ruff wrote:
> I must be missing something here but I feel like I'm going crazy over this.
> Are we really talking about removing the capability for https communication from ruby core while the world is shifting towards https-only?

Yes.  I have to admit that ruby devs, especially myself, are not
ready.  We are too immature to support OpenSSL.

OpenSSL seemed easy to support at first.  We only needed to
wrap the C library with Ruby and that's it.  Now, things get more
complicated.  People request us to keep being MORE SECURE THAN
OpenSSL itself.  That costs us very much.  I studied this topic
these days very much and still have no idea how to actually abuse
CRIME to get any unencrypted data.  It's as clear as sky that I
cannot be more secure than the default without actually understanding
its background; I lack knowledge, or experience, or maybe both.

People say just providing OpenSSL functionality is not
sufficient so we have to work hard to provide something perfect.
That might be true.  But I'm afraid we can't.  If "being secure
out of the box" is mandatory, we'd better run away from OpenSSL.

It's just beyond our power.

> To me this is bigger than how to secure the installation of gems without openssl.
> With HTTP being the universal internet protocol I think a programming language has to support the secured version from the get go.
> 
> Apologies if I misinterpreted the ramifications of removing OpenSSL from ruby core.



----------------------------------------
Feature #9439: Remove OpenSSL from stdlib
https://bugs.ruby-lang.org/issues/9439#change-44562

* Author: Zachary Scott
* Status: Open
* Priority: Normal
* Assignee: 
* Category: lib
* Target version: current: 2.2.0
----------------------------------------
Regarding [ruby-core:59943], I agree with nobu that we should remove OpenSSL from ruby.

It's become too hard to maintain, and it would better serve our users to encourage the use of a different implementation.

Another benefit of removing OpenSSL is the impact backport fixes have on the release management team.

Although I haven't yet determined the extent of work required to remove it (i.e., tooling, tests, etc.), we can discuss them here.



-- 
http://bugs.ruby-lang.org/