Thread

Commits

  1. Remove support for OpenSSL 0.9.8 and 1.0.0

  2. Fix handling of OpenSSL's SSL_clear_options

  3. Remove configure check for OpenSSL's SSL_get_current_compression()

  1. Removal of support for OpenSSL 0.9.8 and 1.0.0

    Michael Paquier <michael@paquier.xyz> — 2019-12-05T08:32:52Z

    Hi all,
    
    So, I have been looking at what we could clean up by removing support
    for OpenSSL 0.9.8 and 1.0.0.  Here are my notes:
    1) SSL_get_current_compression exists before 0.9.8, and we don't
    actually make use of its configure check.  So I think that it could
    just be removed, as per patch 0001.
    2) SSL_clear_options exists since 0.9.8, so we should not even need the
    configure checks.  Still, it is defined as a macro from 0.9.8 to
    1.0.2, and then it has switched to a function in 1.1.0, so we fail to
    detect it on past versions of OpenSSL (LibreSSL has forked at the
    point of 1.0.1g, so it uses only a macro).  There is an extra take
    though.  Daniel has mentioned that here:
    https://www.postgresql.org/message-id/98F7F99E-1129-41D8-B86B-FE3B1E286881@yesql.se
    Note also that a364dfa has also added a tweak in fe-secure-openssl.c
    for cases where we don't have SSL_clear_options().  This refers to
    NetBSD 5.1.  Peter, do you recall which version of LibreSSL was
    involved here?  From a lookup at the code of LibreSSL, the function
    has always been around as a macro.  Anyway, 0002 is more subject to
    discussions regarding this last point.
    
    Then comes the actual changes across the major versions:
    1) SSL_CTX_set_options, which has been added in 0.9.8f, so this could
    get removed in be-secure-openssl.c.
    2) These functions are new as of 1.0.2:
    X509_get_signature_nid
    3) These functions are new as of 1.1.0:
    - SSL_CTX_set_min_proto_version, SSL_CTX_set_max_proto_version (still
    for the fallback functions we have it sounds better to keep the extra
    checks on the TLSvXX definitions.)
    - BIO_meth_new
    - BIO_get_data
    - OPENSSL_init_ssl
    - ASN1_STRING_get0_data
    From the point of view of the code, the cleanup is not actually that
    amazing I am afraid, a jump directly to 1.1.0 would remove much more
    because the breakages were wider when we integrated it.  Anyway, those
    cleanups are part of 0003.  I thought that this would have resulted in
    more cleanup :(
    
    I think that 0001 is a fix we need to do, 0002 is debatable still
    LibreSSL should support it and we fail to detect SSL_clear_options
    properly, and 0003 does not really much additional value.  Or we put
    into the balance for 0003 the argument that we can use TLSv1.2 for all
    configurations, which is safer but we have the configuration to
    enforce it.
    
    Thoughts?
    --
    Michael
    
  2. Re: Removal of support for OpenSSL 0.9.8 and 1.0.0

    Daniel Gustafsson <daniel@yesql.se> — 2019-12-05T11:09:04Z

    > On 5 Dec 2019, at 09:32, Michael Paquier <michael@paquier.xyz> wrote:
    
    > From the point of view of the code, the cleanup is not actually that
    > amazing I am afraid, a jump directly to 1.1.0 would remove much more
    > because the breakages were wider when we integrated it.  Anyway, those
    > cleanups are part of 0003.  I thought that this would have resulted in
    > more cleanup :(
    
    While expected, it's still disappointing.  Until we can drop 1.0.2 there isn't
    too much to gain, and that will likely be reasonably far into the future given
    that it's the final version that can run the FIPS module.
    
    > I think that 0001 is a fix we need to do
    
    +1
    
    > 0002 is debatable still LibreSSL should support it and we fail to detect
    > SSL_clear_options properly,
    
    
    LibreSSL has SSL_clear_options in all versions, as does OpenSSL even at the
    level of support we have as of now.  The only issue with 0002 is support for
    older NetBSD releases, as is documented in the comment and commit message.
    
    NetBSD 5.x shipped a custom OpenSSL identified as 0.9.9, which is a version of
    their own invention.  NetBSD 6.0 (which shipped in October 2012) ships 1.0.1u,
    which has SSL_clear_options as well as SSL_OP_NO_COMPRESSION.  So, this patch
    is not really debateable if we are dropping support for 0.9.8 and 1.0.0.
     
    opossum is the only animal in the buildfarm on NetBSD 5, and it has been silent
    for close to a year now (coypu is on NetBSD 8).  Requiring opossum to build
    without OpenSSL (if/when) it comes back seems a reasonable ask.  NetBSD 5.x has
    been EOL for quite some time too.
    
    +1 on applying this instead of trying to fix the autoconf check.
    
    > 0003 does not really much additional value.  Or we put
    > into the balance for 0003 the argument that we can use TLSv1.2 for all
    > configurations, which is safer but we have the configuration to
    > enforce it.
    
    I think the TLSv1.2 argument is the most compelling one, the changes are a wash
    in terms of code maintainability.  Raising the minimum supported version
    doesn't really have any downsides though, and should be quite uncontroversial
    (and as noted in the other thread, prariedog and gaur are ready for the change
    so buildfarm breakage should be limited to an animal that doesnt build
    anymore). Overall, +1.
    
    cheers ./daniel
    
    
    
  3. Re: Removal of support for OpenSSL 0.9.8 and 1.0.0

    Tom Lane <tgl@sss.pgh.pa.us> — 2019-12-05T15:38:55Z

    Daniel Gustafsson <daniel@yesql.se> writes:
    >> On 5 Dec 2019, at 09:32, Michael Paquier <michael@paquier.xyz> wrote:
    >> From the point of view of the code, the cleanup is not actually that
    >> amazing I am afraid, a jump directly to 1.1.0 would remove much more
    >> because the breakages were wider when we integrated it.  Anyway, those
    >> cleanups are part of 0003.  I thought that this would have resulted in
    >> more cleanup :(
    
    > While expected, it's still disappointing.  Until we can drop 1.0.2 there isn't
    > too much to gain, and that will likely be reasonably far into the future given
    > that it's the final version that can run the FIPS module.
    
    Yeah; also as mentioned in the other thread, 1.0.1 is still in use
    in RHEL 6, so it's hard to consider dropping that for at least another
    year.  I concur with the conclusion that we can stop worrying about
    NetBSD 5, though.
    
    I see nothing to object to in this patch set.
    
    			regards, tom lane
    
    
    
    
  4. Re: Removal of support for OpenSSL 0.9.8 and 1.0.0

    Michael Paquier <michael@paquier.xyz> — 2019-12-06T01:33:23Z

    On Thu, Dec 05, 2019 at 10:38:55AM -0500, Tom Lane wrote:
    > Yeah; also as mentioned in the other thread, 1.0.1 is still in use
    > in RHEL 6, so it's hard to consider dropping that for at least another
    > year.  I concur with the conclusion that we can stop worrying about
    > NetBSD 5, though.
    
    Thanks.  Another argument in favor of dropping 1.0.0 and 0.9.8 is that
    it is a pain to check an OpenSSL patch across that many versions,
    multiplied by the number of Postgres branches in need of patching :)
    
    > I see nothing to object to in this patch set.
    
    I have applied 0001 on HEAD for now as that's a simple cleanup (I
    would not backpatch that though).  For 0002, I would prefer be sure
    that we reach the right conclusion.  My take is to:
    1) Apply 0002 only on HEAD to remove the check for clear_options.
    2) Apply something like Daniel's patch in [1] for REL_12_STABLE and
    REL_11_STABLE as we care about this routine since e3bdb2d to not mess
    up with past versions of NetBSD which worked previously on our
    released branches.  (The patch looks fine at quick glance and I
    haven't tested it yet)
    
    [1]: https://www.postgresql.org/message-id/3C636E88-44C7-40C6-ABA3-1B236E0A74DE@yesql.se
    --
    Michael
    
  5. Re: Removal of support for OpenSSL 0.9.8 and 1.0.0

    Michael Paquier <michael@paquier.xyz> — 2019-12-06T06:22:42Z

    On Fri, Dec 06, 2019 at 10:33:23AM +0900, Michael Paquier wrote:
    > Thanks.  Another argument in favor of dropping 1.0.0 and 0.9.8 is that
    > it is a pain to check an OpenSSL patch across that many versions,
    > multiplied by the number of Postgres branches in need of patching :)
    
    I have done nothing for 0003 yet.  Let's wait a bit and see if others
    have more arguments in favor of it or not.
    
    > I have applied 0001 on HEAD for now as that's a simple cleanup (I
    > would not backpatch that though).  For 0002, I would prefer be sure
    > that we reach the right conclusion.  My take is to:
    > 1) Apply 0002 only on HEAD to remove the check for clear_options.
    > 2) Apply something like Daniel's patch in [1] for REL_12_STABLE and
    > REL_11_STABLE as we care about this routine since e3bdb2d to not mess
    > up with past versions of NetBSD which worked previously on our
    > released branches.  (The patch looks fine at quick glance and I
    > haven't tested it yet)
    
    0002 is now applied, and did things as described in the above
    paragraph.
    --
    Michael
    
  6. Re: Removal of support for OpenSSL 0.9.8 and 1.0.0

    Daniel Gustafsson <daniel@yesql.se> — 2019-12-06T08:21:55Z

    > On 6 Dec 2019, at 02:33, Michael Paquier <michael@paquier.xyz> wrote:
    
    > Another argument in favor of dropping 1.0.0 and 0.9.8 is that
    > it is a pain to check an OpenSSL patch across that many versions,
    > multiplied by the number of Postgres branches in need of patching :)
    
    That is indeed a very good argument.
    
    cheers ./daniel
    
    
    
    
  7. Re: Removal of support for OpenSSL 0.9.8 and 1.0.0

    Michael Paquier <michael@paquier.xyz> — 2020-01-02T13:56:59Z

    On Fri, Dec 06, 2019 at 09:21:55AM +0100, Daniel Gustafsson wrote:
    > On 6 Dec 2019, at 02:33, Michael Paquier <michael@paquier.xyz> wrote:
    >> Another argument in favor of dropping 1.0.0 and 0.9.8 is that
    >> it is a pain to check an OpenSSL patch across that many versions,
    >> multiplied by the number of Postgres branches in need of patching :)
    > 
    > That is indeed a very good argument.
    
    Sorry for letting this thread down for a couple of weeks, but I was
    hesitating to apply the last patch of the series as the cleanup of the
    code related to OpenSSL 0.9.8 and 1.0.0 is not that much.  An extra
    argument in favor of the removal is that this can allow more shaving
    of past Python versions, as proposed by Peter here:
    https://www.postgresql.org/message-id/98b69261-298c-13d2-f34d-836fd9c29b21@2ndquadrant.com
    
    So, let's do it.  I don't think that I'll be able to do anything this
    week about it, but that should be fine by the end of next week.  Are
    there any objections or comments?
    
    For now, please note that I have added an entry in the CF app:
    https://commitfest.postgresql.org/26/2413/
    --
    Michael
    
  8. Re: Removal of support for OpenSSL 0.9.8 and 1.0.0

    Tom Lane <tgl@sss.pgh.pa.us> — 2020-01-02T14:22:47Z

    Michael Paquier <michael@paquier.xyz> writes:
    > Sorry for letting this thread down for a couple of weeks, but I was
    > hesitating to apply the last patch of the series as the cleanup of the
    > code related to OpenSSL 0.9.8 and 1.0.0 is not that much.  An extra
    > argument in favor of the removal is that this can allow more shaving
    > of past Python versions, as proposed by Peter here:
    > https://www.postgresql.org/message-id/98b69261-298c-13d2-f34d-836fd9c29b21@2ndquadrant.com
    
    > So, let's do it.
    
    FWIW, I'm not sure I see why there's a connection between moving up
    the minimum Python version and minimum OpenSSL version.  Nobody is
    installing bleeding-edge Postgres on RHEL5, not even me ;-), so I
    don't especially buy Peter's line of reasoning.
    
    I'm perfectly okay with doing both things in HEAD, I just don't
    see that doing one is an argument for or against doing the other.
    
    			regards, tom lane
    
    
    
    
  9. Re: Removal of support for OpenSSL 0.9.8 and 1.0.0

    Tom Lane <tgl@sss.pgh.pa.us> — 2020-01-02T14:30:42Z

    Michael Paquier <michael@paquier.xyz> writes:
    > For now, please note that I have added an entry in the CF app:
    > https://commitfest.postgresql.org/26/2413/
    
    BTW, the referenced patch only removes the configure check for
    SSL_get_current_compression, which is fine, but is that even
    moving any goalposts?  The proposed commit message says the
    function exists down to 0.9.8, which is already our minimum.
    There's nothing to debate here if that statement is accurate.
    
    			regards, tom lane
    
    
    
    
  10. Re: Removal of support for OpenSSL 0.9.8 and 1.0.0

    Michael Paquier <michael@paquier.xyz> — 2020-01-03T02:33:59Z

    On Thu, Jan 02, 2020 at 09:30:42AM -0500, Tom Lane wrote:
    > BTW, the referenced patch only removes the configure check for
    > SSL_get_current_compression, which is fine, but is that even
    > moving any goalposts?  The proposed commit message says the
    > function exists down to 0.9.8, which is already our minimum.
    > There's nothing to debate here if that statement is accurate.
    
    Oops, sorry for the confusion.  There are three patches in the set.
    0001 has been already applied as of 28f4bba, and 0002 as of 7d0bcb0
    (backpatched with a different fix from Daniel to allow the build to
    still work).  The actual patch I am proposing to finish merging is
    0003 as posted here, which is the remaining piece:
    https://www.postgresql.org/message-id/20191205083252.GE5064@paquier.xyz
    --
    Michael
    
  11. Re: Removal of support for OpenSSL 0.9.8 and 1.0.0

    Tom Lane <tgl@sss.pgh.pa.us> — 2020-01-03T04:45:37Z

    Michael Paquier <michael@paquier.xyz> writes:
    > On Thu, Jan 02, 2020 at 09:30:42AM -0500, Tom Lane wrote:
    >> BTW, the referenced patch only removes the configure check for
    >> SSL_get_current_compression
    
    > The actual patch I am proposing to finish merging is
    > 0003 as posted here, which is the remaining piece:
    > https://www.postgresql.org/message-id/20191205083252.GE5064@paquier.xyz
    
    Ah.  The CF app doesn't understand that (and hence the cfbot ditto),
    so you might want to repost just the currently-proposed patch to get
    the cfbot to try it.
    
    			regards, tom lane
    
    
    
    
  12. Re: Removal of support for OpenSSL 0.9.8 and 1.0.0

    Michael Paquier <michael@paquier.xyz> — 2020-01-03T06:49:17Z

    On Thu, Jan 02, 2020 at 11:45:37PM -0500, Tom Lane wrote:
    > Ah.  The CF app doesn't understand that (and hence the cfbot ditto),
    > so you might want to repost just the currently-proposed patch to get
    > the cfbot to try it.
    
    Yes, let's do that.  Here you go with a v2.  While on it, I have
    noticed in the docs a mention to OpenSSL 1.0.0 regarding our
    sslcompression parameter in libpq, so a paragraph can be removed.
    --
    Michael
    
  13. Re: Removal of support for OpenSSL 0.9.8 and 1.0.0

    Daniel Gustafsson <daniel@yesql.se> — 2020-01-03T21:57:54Z

    > On 3 Jan 2020, at 07:49, Michael Paquier <michael@paquier.xyz> wrote:
    > 
    > On Thu, Jan 02, 2020 at 11:45:37PM -0500, Tom Lane wrote:
    >> Ah.  The CF app doesn't understand that (and hence the cfbot ditto),
    >> so you might want to repost just the currently-proposed patch to get
    >> the cfbot to try it.
    > 
    > Yes, let's do that.  Here you go with a v2.  While on it, I have
    > noticed in the docs a mention to OpenSSL 1.0.0 regarding our
    > sslcompression parameter in libpq, so a paragraph can be removed.
    
    LGTM, switching to ready for committer.
    
    cheers ./daniel
    
    
    
    
  14. Re: Removal of support for OpenSSL 0.9.8 and 1.0.0

    Michael Paquier <michael@paquier.xyz> — 2020-01-06T02:17:03Z

    On Thu, Jan 02, 2020 at 09:22:47AM -0500, Tom Lane wrote:
    > FWIW, I'm not sure I see why there's a connection between moving up
    > the minimum Python version and minimum OpenSSL version.  Nobody is
    > installing bleeding-edge Postgres on RHEL5, not even me ;-), so I
    > don't especially buy Peter's line of reasoning.
    
    It seems to me that the line of reasoning was to consider RHEL5 in the
    garbage for all our dependencies, in a consistent way.
    
    > I'm perfectly okay with doing both things in HEAD, I just don't
    > see that doing one is an argument for or against doing the other.
    
    Yes, right.  That would be the case if we had direct dependencies
    between both, but that has never been the case AFAIK.
    --
    Michael
    
  15. Re: Removal of support for OpenSSL 0.9.8 and 1.0.0

    Michael Paquier <michael@paquier.xyz> — 2020-01-06T03:54:52Z

    On Fri, Jan 03, 2020 at 10:57:54PM +0100, Daniel Gustafsson wrote:
    > LGTM, switching to ready for committer.
    
    Thanks Daniel.  I have looked at that stuff again, and committed the
    patch.
    --
    Michael