Issue #21631 has been updated by Bo98 (Bo Anderson). `OpenSSL::X509::V_FLAG_CRL_CHECK` can make sense on cert stores with `OpenSSL::X509::Store#set_default_paths` but only if you have also did `OpenSSL::X509::Store#add_crl` as there is no such thing as a default CRL file. Calling that on `DEFAULT_CERT_STORE` would be mutating a global undocumented constant which is indeed very deep into private API - and also would be relying on a bug. In the future we may be able to freeze the constant: https://github.com/ruby/openssl/pull/807 Anyhow, Ruby 3.4 can be marked as done in commit:fce44db5eb7baf1ddd2238254c3cf617fcfd1112 ---------------------------------------- Bug #21631: Backport openssl gem bugfix releases https://bugs.ruby-lang.org/issues/21631#change-114827 * Author: Bo98 (Bo Anderson) * Status: Closed * Backport: 3.2: DONE, 3.3: REQUIRED, 3.4: REQUIRED ---------------------------------------- The openssl gem has made new patch releases for all supported release lines in order to fix a compatibility issue with OpenSSL 3.6.0 (along with other bug fixes such as one for a segfault). Without the compatibility fix, the openssl gem is largely broken for certificate verification with OpenSSL 3.6.0, which then affects other parts of Ruby like net-http. Ruby 3.4 PR (3.3.0 -> 3.3.1): https://github.com/ruby/ruby/pull/14792 Ruby 3.3 PR (3.2.0 -> 3.2.2): https://github.com/ruby/ruby/pull/14793 I'm not entirely sure what to do for Ruby 3.2. We can update the gem from 3.1.0 to 3.1.2 but that's perhaps out-of-scope for Ruby 3.2 being in security maintenance mode. Would cherry-picking the single compatibility fix commit be acceptable? The issue has been widely noticed already: https://github.com/ruby/openssl/issues/949 -- https://bugs.ruby-lang.org/