Needless to say, you shouldn’t even consider using such old versions in 2019. But if you have to use it after all, e.g. because the management of your company is grossly handicapped mind-bogglingly incapable, or you just have fun in getting hacked in production, these are the things to consider:

  • ruby < 2.4 not being compatible with OpenSSL 1.1 (which is the default one on Arch)
    • OpenSSL 1.0 still available in repos, pacman -S openssl-1.0
    • compile with PKG_CONFIG_PATH=/usr/lib/openssl-1.0/pkgconfig set
  • ruby 1.9.3 requiring SSLv3, which isn’t compiled in Arch’s OpenSSL (for good reason)
    • make it optional with this patch
  • ruby 1.9.x not supporting TLS (any)
  • CVE-2015-1855 2 not fixed
  • GCC crashes
    • ↑ don’t have these anymore since gcc 8, but had these with gcc 7

good news is, I made a patch mitigating all of these problems.

tl;dr

PKG_CONFIG_PATH=/usr/lib/openssl-1.0/pkgconfig ruby-install \
--patch https://git.io/fjIT7 \
ruby-1.9.3-p551

or rbenv

PKG_CONFIG_PATH=/usr/lib/openssl-1.0/pkgconfig \
rbenv install --patch 1.9.3-p551 < <(curl -sSL https://git.io/fjIT7)

or asdf

PKG_CONFIG_PATH=/usr/lib/openssl-1.0/pkgconfig \
RUBY_APPLY_PATCHES=$(curl -sSL https://git.io/fjIT7) \
asdf install ruby 1.9.3-p551

  1. https://garajau.com.br/2015/07/tls-1-1-and-1-2-support-for-ruby-1-9-3 ↩︎

  2. https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/ ↩︎