ssl: use uint64_t for SSL options

ext/openssl/extconf.rb

@@ -145,6 +145,13 @@ def find_openssl_library
 # added in OpenSSL 1.0.2, not in LibreSSL or AWS-LC yet
 have_func("SSL_CTX_set1_client_sigalgs_list(NULL, NULL)", ssl_h)
 
+# SSL options can be uint64_t (OpenSSL >= 3), unsigned long (OpenSSL >= 1.1),
+# long (LibreSSL), or uint32_t (AWS-LC)
+if checking_for("whether SSL_CTX_get_options() returns a 64-bit value") {
+    try_static_assert("sizeof(SSL_CTX_get_options(NULL)) == 8", ssl_h) }
+  $defs.push("-DOSSL_SIZEOF_SSL_OPTIONS_IS_8")
+end
+
 # added in 1.1.0, currently not in LibreSSL
 have_func("EVP_PBE_scrypt(\"\", 0, (unsigned char *)\"\", 0, 0, 0, 0, 0, NULL, 0)", evp_h)
 

ext/openssl/ossl.h

@@ -98,8 +98,10 @@ extern VALUE eOSSLError;
 #if !defined(NUM2UINT64T) /* in case Ruby starts to provide */
 #  if SIZEOF_LONG == 8
 #    define NUM2UINT64T(x) ((uint64_t)NUM2ULONG(x))
+#    define UINT64T2NUM(x) ULONG2NUM(x)
 #  elif defined(HAVE_LONG_LONG) && SIZEOF_LONG_LONG == 8
 #    define NUM2UINT64T(x) ((uint64_t)NUM2ULL(x))
+#    define UINT64T2NUM(x) ULL2NUM(x)
 #  else
 #    error "unknown platform; no 64-bit width integer"
 #  endif

ext/openssl/ossl_ssl.c

@@ -627,11 +627,21 @@ ossl_sslctx_get_options(VALUE self)
 {
     SSL_CTX *ctx;
     GetSSLCTX(self, ctx);
+
     /*
-     * Do explicit cast because SSL_CTX_get_options() returned (signed) long in
-     * OpenSSL before 1.1.0.
+     * SSL_CTX_get_options() returns different types in libssl variants, and
+     * we want to treat them as a non-negative Integer in Ruby:
+     *   - uint64_t in OpenSSL >= 3
+     *   - unsigned long in OpenSSL >= 1.1
+     *   - long in OpenSSL <= 1.0.2 and LibreSSL 4.3 (latest), with all 32 bits
+     *     used for options.
+     *   - uint32_t in AWS-LC 5.0.0 (latest)
      */
-    return ULONG2NUM((unsigned long)SSL_CTX_get_options(ctx));
+#ifdef OSSL_SIZEOF_SSL_OPTIONS_IS_8
+    return UINT64T2NUM((uint64_t)SSL_CTX_get_options(ctx));
+#else
+    return UINT2NUM((uint32_t)SSL_CTX_get_options(ctx));
+#endif
 }
 
 /*
@@ -655,13 +665,13 @@ ossl_sslctx_set_options(VALUE self, VALUE options)
     rb_check_frozen(self);
     GetSSLCTX(self, ctx);
 
+#ifdef OSSL_SIZEOF_SSL_OPTIONS_IS_8
+    uint64_t opts = NIL_P(options) ? SSL_OP_ALL : NUM2UINT64T(options);
+#else
+    uint32_t opts = NIL_P(options) ? SSL_OP_ALL : NUM2UINT(options);
+#endif
     SSL_CTX_clear_options(ctx, SSL_CTX_get_options(ctx));
-
-    if (NIL_P(options)) {
-        SSL_CTX_set_options(ctx, SSL_OP_ALL);
-    } else {
-        SSL_CTX_set_options(ctx, NUM2ULONG(options));
-    }
+    SSL_CTX_set_options(ctx, opts);
 
     return self;
 }
@@ -3178,98 +3188,128 @@ Init_ossl_ssl(void)
     rb_define_const(mSSL, "VERIFY_FAIL_IF_NO_PEER_CERT", INT2NUM(SSL_VERIFY_FAIL_IF_NO_PEER_CERT));
     rb_define_const(mSSL, "VERIFY_CLIENT_ONCE", INT2NUM(SSL_VERIFY_CLIENT_ONCE));
 
-    rb_define_const(mSSL, "OP_ALL", ULONG2NUM(SSL_OP_ALL));
+    rb_define_const(mSSL, "OP_ALL", UINT64T2NUM(SSL_OP_ALL));
+#ifdef SSL_OP_NO_EXTENDED_MASTER_SECRET /* OpenSSL 3.0 */
+    rb_define_const(mSSL, "OP_NO_EXTENDED_MASTER_SECRET", UINT64T2NUM(SSL_OP_NO_EXTENDED_MASTER_SECRET));
+#endif
 #ifdef SSL_OP_CLEANSE_PLAINTEXT /* OpenSSL 3.0 */
-    rb_define_const(mSSL, "OP_CLEANSE_PLAINTEXT", ULONG2NUM(SSL_OP_CLEANSE_PLAINTEXT));
+    rb_define_const(mSSL, "OP_CLEANSE_PLAINTEXT", UINT64T2NUM(SSL_OP_CLEANSE_PLAINTEXT));
 #endif
-    rb_define_const(mSSL, "OP_LEGACY_SERVER_CONNECT", ULONG2NUM(SSL_OP_LEGACY_SERVER_CONNECT));
+    rb_define_const(mSSL, "OP_LEGACY_SERVER_CONNECT", UINT64T2NUM(SSL_OP_LEGACY_SERVER_CONNECT));
 #ifdef SSL_OP_ENABLE_KTLS /* OpenSSL 3.0 */
-    rb_define_const(mSSL, "OP_ENABLE_KTLS", ULONG2NUM(SSL_OP_ENABLE_KTLS));
+    rb_define_const(mSSL, "OP_ENABLE_KTLS", UINT64T2NUM(SSL_OP_ENABLE_KTLS));
 #endif
-    rb_define_const(mSSL, "OP_TLSEXT_PADDING", ULONG2NUM(SSL_OP_TLSEXT_PADDING));
-    rb_define_const(mSSL, "OP_SAFARI_ECDHE_ECDSA_BUG", ULONG2NUM(SSL_OP_SAFARI_ECDHE_ECDSA_BUG));
+    rb_define_const(mSSL, "OP_TLSEXT_PADDING", UINT64T2NUM(SSL_OP_TLSEXT_PADDING));
+    rb_define_const(mSSL, "OP_SAFARI_ECDHE_ECDSA_BUG", UINT64T2NUM(SSL_OP_SAFARI_ECDHE_ECDSA_BUG));
 #ifdef SSL_OP_IGNORE_UNEXPECTED_EOF /* OpenSSL 3.0 */
-    rb_define_const(mSSL, "OP_IGNORE_UNEXPECTED_EOF", ULONG2NUM(SSL_OP_IGNORE_UNEXPECTED_EOF));
+    rb_define_const(mSSL, "OP_IGNORE_UNEXPECTED_EOF", UINT64T2NUM(SSL_OP_IGNORE_UNEXPECTED_EOF));
 #endif
 #ifdef SSL_OP_ALLOW_CLIENT_RENEGOTIATION /* OpenSSL 3.0 */
-    rb_define_const(mSSL, "OP_ALLOW_CLIENT_RENEGOTIATION", ULONG2NUM(SSL_OP_ALLOW_CLIENT_RENEGOTIATION));
+    rb_define_const(mSSL, "OP_ALLOW_CLIENT_RENEGOTIATION", UINT64T2NUM(SSL_OP_ALLOW_CLIENT_RENEGOTIATION));
 #endif
 #ifdef SSL_OP_DISABLE_TLSEXT_CA_NAMES /* OpenSSL 3.0 */
-    rb_define_const(mSSL, "OP_DISABLE_TLSEXT_CA_NAMES", ULONG2NUM(SSL_OP_DISABLE_TLSEXT_CA_NAMES));
+    rb_define_const(mSSL, "OP_DISABLE_TLSEXT_CA_NAMES", UINT64T2NUM(SSL_OP_DISABLE_TLSEXT_CA_NAMES));
 #endif
 #ifdef SSL_OP_ALLOW_NO_DHE_KEX /* OpenSSL 1.1.1, missing in LibreSSL */
-    rb_define_const(mSSL, "OP_ALLOW_NO_DHE_KEX", ULONG2NUM(SSL_OP_ALLOW_NO_DHE_KEX));
+    rb_define_const(mSSL, "OP_ALLOW_NO_DHE_KEX", UINT64T2NUM(SSL_OP_ALLOW_NO_DHE_KEX));
 #endif
-    rb_define_const(mSSL, "OP_DONT_INSERT_EMPTY_FRAGMENTS", ULONG2NUM(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS));
-    rb_define_const(mSSL, "OP_NO_TICKET", ULONG2NUM(SSL_OP_NO_TICKET));
-    rb_define_const(mSSL, "OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION", ULONG2NUM(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION));
-    rb_define_const(mSSL, "OP_NO_COMPRESSION", ULONG2NUM(SSL_OP_NO_COMPRESSION));
-    rb_define_const(mSSL, "OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION", ULONG2NUM(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION));
+    rb_define_const(mSSL, "OP_DONT_INSERT_EMPTY_FRAGMENTS", UINT64T2NUM(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS));
+    rb_define_const(mSSL, "OP_NO_TICKET", UINT64T2NUM(SSL_OP_NO_TICKET));
+    rb_define_const(mSSL, "OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION", UINT64T2NUM(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION));
+    rb_define_const(mSSL, "OP_NO_COMPRESSION", UINT64T2NUM(SSL_OP_NO_COMPRESSION));
+    rb_define_const(mSSL, "OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION", UINT64T2NUM(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION));
 #ifdef SSL_OP_NO_ENCRYPT_THEN_MAC /* OpenSSL 1.1.1, missing in LibreSSL */
-    rb_define_const(mSSL, "OP_NO_ENCRYPT_THEN_MAC", ULONG2NUM(SSL_OP_NO_ENCRYPT_THEN_MAC));
+    rb_define_const(mSSL, "OP_NO_ENCRYPT_THEN_MAC", UINT64T2NUM(SSL_OP_NO_ENCRYPT_THEN_MAC));
 #endif
 #ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT /* OpenSSL 1.1.1, missing in LibreSSL */
-    rb_define_const(mSSL, "OP_ENABLE_MIDDLEBOX_COMPAT", ULONG2NUM(SSL_OP_ENABLE_MIDDLEBOX_COMPAT));
+    rb_define_const(mSSL, "OP_ENABLE_MIDDLEBOX_COMPAT", UINT64T2NUM(SSL_OP_ENABLE_MIDDLEBOX_COMPAT));
 #endif
 #ifdef SSL_OP_PRIORITIZE_CHACHA /* OpenSSL 1.1.1, missing in LibreSSL */
-    rb_define_const(mSSL, "OP_PRIORITIZE_CHACHA", ULONG2NUM(SSL_OP_PRIORITIZE_CHACHA));
+    rb_define_const(mSSL, "OP_PRIORITIZE_CHACHA", UINT64T2NUM(SSL_OP_PRIORITIZE_CHACHA));
 #endif
 #ifdef SSL_OP_NO_ANTI_REPLAY /* OpenSSL 1.1.1, missing in LibreSSL */
-    rb_define_const(mSSL, "OP_NO_ANTI_REPLAY", ULONG2NUM(SSL_OP_NO_ANTI_REPLAY));
+    rb_define_const(mSSL, "OP_NO_ANTI_REPLAY", UINT64T2NUM(SSL_OP_NO_ANTI_REPLAY));
+#endif
+    rb_define_const(mSSL, "OP_NO_SSLv3", UINT64T2NUM(SSL_OP_NO_SSLv3));
+    rb_define_const(mSSL, "OP_NO_TLSv1", UINT64T2NUM(SSL_OP_NO_TLSv1));
+    rb_define_const(mSSL, "OP_NO_TLSv1_1", UINT64T2NUM(SSL_OP_NO_TLSv1_1));
+    rb_define_const(mSSL, "OP_NO_TLSv1_2", UINT64T2NUM(SSL_OP_NO_TLSv1_2));
+    rb_define_const(mSSL, "OP_NO_TLSv1_3", UINT64T2NUM(SSL_OP_NO_TLSv1_3));
+    rb_define_const(mSSL, "OP_CIPHER_SERVER_PREFERENCE", UINT64T2NUM(SSL_OP_CIPHER_SERVER_PREFERENCE));
+    rb_define_const(mSSL, "OP_TLS_ROLLBACK_BUG", UINT64T2NUM(SSL_OP_TLS_ROLLBACK_BUG));
+#ifdef SSL_OP_NO_RENEGOTIATION /* OpenSSL 1.1.1 and LibreSSL 4.1.1 */
+    rb_define_const(mSSL, "OP_NO_RENEGOTIATION", UINT64T2NUM(SSL_OP_NO_RENEGOTIATION));
+#endif
+    rb_define_const(mSSL, "OP_CRYPTOPRO_TLSEXT_BUG", UINT64T2NUM(SSL_OP_CRYPTOPRO_TLSEXT_BUG));
+#ifdef SSL_OP_NO_TX_CERTIFICATE_COMPRESSION /* OpenSSL 3.2 */
+    rb_define_const(mSSL, "OP_NO_TX_CERTIFICATE_COMPRESSION", UINT64T2NUM(SSL_OP_NO_TX_CERTIFICATE_COMPRESSION));
+#endif
+#ifdef SSL_OP_NO_RX_CERTIFICATE_COMPRESSION /* OpenSSL 3.2 */
+    rb_define_const(mSSL, "OP_NO_RX_CERTIFICATE_COMPRESSION", UINT64T2NUM(SSL_OP_NO_RX_CERTIFICATE_COMPRESSION));
+#endif
+#ifdef SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE /* OpenSSL 3.2 */
+    rb_define_const(mSSL, "OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE", UINT64T2NUM(SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE));
+#endif
+#ifdef SSL_OP_PREFER_NO_DHE_KEX /* OpenSSL 3.3 */
+    rb_define_const(mSSL, "OP_PREFER_NO_DHE_KEX", UINT64T2NUM(SSL_OP_PREFER_NO_DHE_KEX));
+#endif
+#ifdef SSL_OP_LEGACY_EC_POINT_FORMATS /* OpenSSL 3.6 */
+    rb_define_const(mSSL, "OP_LEGACY_EC_POINT_FORMATS", UINT64T2NUM(SSL_OP_LEGACY_EC_POINT_FORMATS));
+#endif
+#ifdef SSL_OP_ECH_GREASE /* OpenSSL 4.0 */
+    rb_define_const(mSSL, "OP_ECH_GREASE", UINT64T2NUM(SSL_OP_ECH_GREASE));
+#endif
+#ifdef SSL_OP_ECH_TRIALDECRYPT /* OpenSSL 4.0 */
+    rb_define_const(mSSL, "OP_ECH_TRIALDECRYPT", UINT64T2NUM(SSL_OP_ECH_TRIALDECRYPT));
+#endif
+#ifdef SSL_OP_ECH_IGNORE_CID /* OpenSSL 4.0 */
+    rb_define_const(mSSL, "OP_ECH_IGNORE_CID", UINT64T2NUM(SSL_OP_ECH_IGNORE_CID));
 #endif
-    rb_define_const(mSSL, "OP_NO_SSLv3", ULONG2NUM(SSL_OP_NO_SSLv3));
-    rb_define_const(mSSL, "OP_NO_TLSv1", ULONG2NUM(SSL_OP_NO_TLSv1));
-    rb_define_const(mSSL, "OP_NO_TLSv1_1", ULONG2NUM(SSL_OP_NO_TLSv1_1));
-    rb_define_const(mSSL, "OP_NO_TLSv1_2", ULONG2NUM(SSL_OP_NO_TLSv1_2));
-    rb_define_const(mSSL, "OP_NO_TLSv1_3", ULONG2NUM(SSL_OP_NO_TLSv1_3));
-    rb_define_const(mSSL, "OP_CIPHER_SERVER_PREFERENCE", ULONG2NUM(SSL_OP_CIPHER_SERVER_PREFERENCE));
-    rb_define_const(mSSL, "OP_TLS_ROLLBACK_BUG", ULONG2NUM(SSL_OP_TLS_ROLLBACK_BUG));
-#ifdef SSL_OP_NO_RENEGOTIATION /* OpenSSL 1.1.1, missing in LibreSSL */
-    rb_define_const(mSSL, "OP_NO_RENEGOTIATION", ULONG2NUM(SSL_OP_NO_RENEGOTIATION));
+#ifdef SSL_OP_ECH_GREASE_RETRY_CONFIG /* OpenSSL 4.0 */
+    rb_define_const(mSSL, "OP_ECH_GREASE_RETRY_CONFIG", UINT64T2NUM(SSL_OP_ECH_GREASE_RETRY_CONFIG));
 #endif
-    rb_define_const(mSSL, "OP_CRYPTOPRO_TLSEXT_BUG", ULONG2NUM(SSL_OP_CRYPTOPRO_TLSEXT_BUG));
 
     /* SSL_OP_* flags for DTLS */
 #if 0
-    rb_define_const(mSSL, "OP_NO_QUERY_MTU", ULONG2NUM(SSL_OP_NO_QUERY_MTU));
-    rb_define_const(mSSL, "OP_COOKIE_EXCHANGE", ULONG2NUM(SSL_OP_COOKIE_EXCHANGE));
-    rb_define_const(mSSL, "OP_CISCO_ANYCONNECT", ULONG2NUM(SSL_OP_CISCO_ANYCONNECT));
+    rb_define_const(mSSL, "OP_NO_QUERY_MTU", UINT64T2NUM(SSL_OP_NO_QUERY_MTU));
+    rb_define_const(mSSL, "OP_COOKIE_EXCHANGE", UINT64T2NUM(SSL_OP_COOKIE_EXCHANGE));
+    rb_define_const(mSSL, "OP_CISCO_ANYCONNECT", UINT64T2NUM(SSL_OP_CISCO_ANYCONNECT));
 #endif
 
     /* Deprecated in OpenSSL 1.1.0. */
-    rb_define_const(mSSL, "OP_MICROSOFT_SESS_ID_BUG", ULONG2NUM(SSL_OP_MICROSOFT_SESS_ID_BUG));
+    rb_define_const(mSSL, "OP_MICROSOFT_SESS_ID_BUG", UINT64T2NUM(SSL_OP_MICROSOFT_SESS_ID_BUG));
     /* Deprecated in OpenSSL 1.1.0. */
-    rb_define_const(mSSL, "OP_NETSCAPE_CHALLENGE_BUG", ULONG2NUM(SSL_OP_NETSCAPE_CHALLENGE_BUG));
+    rb_define_const(mSSL, "OP_NETSCAPE_CHALLENGE_BUG", UINT64T2NUM(SSL_OP_NETSCAPE_CHALLENGE_BUG));
     /* Deprecated in OpenSSL 0.9.8q and 1.0.0c. */
-    rb_define_const(mSSL, "OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG", ULONG2NUM(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG));
+    rb_define_const(mSSL, "OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG", UINT64T2NUM(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG));
     /* Deprecated in OpenSSL 1.0.1h and 1.0.2. */
-    rb_define_const(mSSL, "OP_SSLREF2_REUSE_CERT_TYPE_BUG", ULONG2NUM(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG));
+    rb_define_const(mSSL, "OP_SSLREF2_REUSE_CERT_TYPE_BUG", UINT64T2NUM(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG));
     /* Deprecated in OpenSSL 1.1.0. */
-    rb_define_const(mSSL, "OP_MICROSOFT_BIG_SSLV3_BUFFER", ULONG2NUM(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER));
+    rb_define_const(mSSL, "OP_MICROSOFT_BIG_SSLV3_BUFFER", UINT64T2NUM(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER));
     /* Deprecated in OpenSSL 0.9.7h and 0.9.8b. */
-    rb_define_const(mSSL, "OP_MSIE_SSLV2_RSA_PADDING", ULONG2NUM(SSL_OP_MSIE_SSLV2_RSA_PADDING));
+    rb_define_const(mSSL, "OP_MSIE_SSLV2_RSA_PADDING", UINT64T2NUM(SSL_OP_MSIE_SSLV2_RSA_PADDING));
     /* Deprecated in OpenSSL 1.1.0. */
-    rb_define_const(mSSL, "OP_SSLEAY_080_CLIENT_DH_BUG", ULONG2NUM(SSL_OP_SSLEAY_080_CLIENT_DH_BUG));
+    rb_define_const(mSSL, "OP_SSLEAY_080_CLIENT_DH_BUG", UINT64T2NUM(SSL_OP_SSLEAY_080_CLIENT_DH_BUG));
     /* Deprecated in OpenSSL 1.1.0. */
-    rb_define_const(mSSL, "OP_TLS_D5_BUG", ULONG2NUM(SSL_OP_TLS_D5_BUG));
+    rb_define_const(mSSL, "OP_TLS_D5_BUG", UINT64T2NUM(SSL_OP_TLS_D5_BUG));
     /* Deprecated in OpenSSL 1.1.0. */
-    rb_define_const(mSSL, "OP_TLS_BLOCK_PADDING_BUG", ULONG2NUM(SSL_OP_TLS_BLOCK_PADDING_BUG));
+    rb_define_const(mSSL, "OP_TLS_BLOCK_PADDING_BUG", UINT64T2NUM(SSL_OP_TLS_BLOCK_PADDING_BUG));
     /* Deprecated in OpenSSL 1.1.0. */
-    rb_define_const(mSSL, "OP_SINGLE_ECDH_USE", ULONG2NUM(SSL_OP_SINGLE_ECDH_USE));
+    rb_define_const(mSSL, "OP_SINGLE_ECDH_USE", UINT64T2NUM(SSL_OP_SINGLE_ECDH_USE));
     /* Deprecated in OpenSSL 1.1.0. */
-    rb_define_const(mSSL, "OP_SINGLE_DH_USE", ULONG2NUM(SSL_OP_SINGLE_DH_USE));
+    rb_define_const(mSSL, "OP_SINGLE_DH_USE", UINT64T2NUM(SSL_OP_SINGLE_DH_USE));
     /* Deprecated in OpenSSL 1.0.1k and 1.0.2. */
-    rb_define_const(mSSL, "OP_EPHEMERAL_RSA", ULONG2NUM(SSL_OP_EPHEMERAL_RSA));
+    rb_define_const(mSSL, "OP_EPHEMERAL_RSA", UINT64T2NUM(SSL_OP_EPHEMERAL_RSA));
     /* Deprecated in OpenSSL 1.1.0. */
-    rb_define_const(mSSL, "OP_NO_SSLv2", ULONG2NUM(SSL_OP_NO_SSLv2));
+    rb_define_const(mSSL, "OP_NO_SSLv2", UINT64T2NUM(SSL_OP_NO_SSLv2));
     /* Deprecated in OpenSSL 1.0.1. */
-    rb_define_const(mSSL, "OP_PKCS1_CHECK_1", ULONG2NUM(SSL_OP_PKCS1_CHECK_1));
+    rb_define_const(mSSL, "OP_PKCS1_CHECK_1", UINT64T2NUM(SSL_OP_PKCS1_CHECK_1));
     /* Deprecated in OpenSSL 1.0.1. */
-    rb_define_const(mSSL, "OP_PKCS1_CHECK_2", ULONG2NUM(SSL_OP_PKCS1_CHECK_2));
+    rb_define_const(mSSL, "OP_PKCS1_CHECK_2", UINT64T2NUM(SSL_OP_PKCS1_CHECK_2));
     /* Deprecated in OpenSSL 1.1.0. */
-    rb_define_const(mSSL, "OP_NETSCAPE_CA_DN_BUG", ULONG2NUM(SSL_OP_NETSCAPE_CA_DN_BUG));
+    rb_define_const(mSSL, "OP_NETSCAPE_CA_DN_BUG", UINT64T2NUM(SSL_OP_NETSCAPE_CA_DN_BUG));
     /* Deprecated in OpenSSL 1.1.0. */
-    rb_define_const(mSSL, "OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG", ULONG2NUM(SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG));
+    rb_define_const(mSSL, "OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG", UINT64T2NUM(SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG));
 
 
     /*

test/openssl/test_ssl.rb

@@ -30,12 +30,24 @@ def test_ctx_options
     if ctx.options != 4
       pend "SSL_CTX_set_options() seems to be modified by distributor"
     end
+
+    # Unsetting options
+    ctx.options = 0
+    assert_equal(0, ctx.options)
+
+    # Option constants
+    all_ops = OpenSSL::SSL.constants
+      .grep(/^OP_/)
+      .map { |c| OpenSSL::SSL.const_get(c) }
+    all_ops.each { |op| assert_operator(op, :>=, 0) }
+    everything = all_ops.inject(&:|)
+    assert_operator(everything, :>, 0)
+    ctx.options = everything
+    assert_equal(everything, ctx.options)
+
+    # Backwards compatibility: nil means OP_ALL
     ctx.options = nil
     assert_equal OpenSSL::SSL::OP_ALL, ctx.options
-
-    assert_equal true, ctx.setup
-    assert_predicate ctx, :frozen?
-    assert_equal nil, ctx.setup
   end
 
   def test_ctx_options_config
@@ -1255,21 +1267,6 @@ def test_connect_certificate_verify_failed_exception_message
     }
   end
 
-  def test_unset_OP_ALL
-    ctx_proc = Proc.new { |ctx|
-      # If OP_DONT_INSERT_EMPTY_FRAGMENTS is not defined, this test is
-      # redundant because the default options already are equal to OP_ALL.
-      # But it also degrades gracefully, so keep it
-      ctx.options = OpenSSL::SSL::OP_ALL
-    }
-    start_server(ctx_proc: ctx_proc) { |port|
-      server_connect(port) { |ssl|
-        ssl.puts('hello')
-        assert_equal("hello\n", ssl.gets)
-      }
-    }
-  end
-
   def check_supported_protocol_versions
     possible_versions = [
       OpenSSL::SSL::SSL3_VERSION,