Thread
-
Re: PostgreSQL and OpenSSL 4.0.0
Daniel Gustafsson <daniel@yesql.se> — 2026-05-07T13:44:45Z
> On 17 Apr 2026, at 23:50, Michael Paquier <michael@paquier.xyz> wrote: > > On Thu, Apr 16, 2026 at 03:32:54PM +0200, Daniel Gustafsson wrote: >> The attached patch, while not pretty, allows libpq and sslinfo to build without >> warnings on OpenSSL 1.1.1 through 4.0.0 as well as on LibreSSL (and there is >> quite some variability in constness across all these API versions). > > Thanks for that. That is super fast. > > This is likely going to require a backpatch at some point, right? > What's the impact of the blast in branches where we need to support > OpenSSL down to 1.0.1, which is the minimum version in REL_14_STABLE? Indeed, we probably want to backpatch this at some point since OpenSSL 4 is equally likely to be used regardless of which branch users compile. Whether we want to apply this already before 19 goes beta I'll leave for the RMT to decide. For 14 through master the attached compiles without warnings and tests green on all the supported versions of OpenSSL and LibreSSL. That being said, I'm not sure that we want to go all the way to 14 since if something does break, we can't really go around fixing it - I think amending the docs in 14 stating that OpenSSL 3.6 is the highest supported version is a better solution. -- Daniel Gustafsson
-
Re: PostgreSQL and OpenSSL 4.0.0
Cary Huang <cary.huang@highgo.ca> — 2026-05-07T19:32:51Z
Hi I tried the patch and Postgres and sslinfo compiled with no warnings as expected. However, in OpenSSL 4.0, I noticed that it reports certificate revocation errors differently from previous versions, causing the SSL tests to fail. The test expects "ssl alert certificate revoked", but OpenSSL 4.0 returns "tls alert certificate revoked" instead. I made a patch to make the ssl tests compatible with OpenSSL 4.0 as well. thanks! Cary Huang ------------- HighGo Software Inc. (Canada) cary.huang@highgo.ca www.highgo.ca
-
Re: PostgreSQL and OpenSSL 4.0.0
Daniel Gustafsson <daniel@yesql.se> — 2026-05-07T19:39:44Z
> On 7 May 2026, at 21:32, Cary Huang <cary.huang@highgo.ca> wrote: > I tried the patch and Postgres and sslinfo compiled with no warnings as > expected. Thanks for looking! > However, in OpenSSL 4.0, I noticed that it reports certificate revocation > errors differently from previous versions, causing the SSL tests to fail. > The test expects "ssl alert certificate revoked", but OpenSSL 4.0 returns > "tls alert certificate revoked" instead. Which version of the patch did you try? I thought I had fixed that in the patchset I posted earlier today but perhaps I missed some parts. -- Daniel Gustafsson
-
Re: PostgreSQL and OpenSSL 4.0.0
Daniel Gustafsson <daniel@yesql.se> — 2026-05-07T19:51:50Z
> On 7 May 2026, at 15:44, Daniel Gustafsson <daniel@yesql.se> wrote: > For 14 through master the attached compiles without warnings and tests green on > all the supported versions of OpenSSL and LibreSSL. On the topic of supported OpenSSL versions. REL_14-REL_16 supports 1.0.1 (eol 9 years ago), REL_17 bumps that to 1.0.2 (eol 6 years ago) and starting with REL_18 we require 1.1.1 (eol ~2.5 years ago). By the time we ship REL_19, 3.4 has a few weeks left in support and before 19.1 ships, 3.5 will be the oldest non-EOL version of OpenSSL. -- Daniel Gustafsson
-
Re: PostgreSQL and OpenSSL 4.0.0
Michael Paquier <michael@paquier.xyz> — 2026-05-07T22:13:05Z
On Thu, May 07, 2026 at 03:44:45PM +0200, Daniel Gustafsson wrote: > For 14 through master the attached compiles without warnings and tests green on > all the supported versions of OpenSSL and LibreSSL. That being said, I'm not > sure that we want to go all the way to 14 since if something does break, we > can't really go around fixing it - I think amending the docs in 14 stating that > OpenSSL 3.6 is the highest supported version is a better solution. One issue with this approach is that any builds on these branches (say REL_14_STABLE + OpenSSL 1.0.1) would be forced to either upgrade OpenSSL to at least 3.6 for a minor Postgres update or give up on any fix we can put on the 14 stable branch for six more months. None of these solutions are cool. -- Michael
-
Re: PostgreSQL and OpenSSL 4.0.0
Tom Lane <tgl@sss.pgh.pa.us> — 2026-05-07T22:22:14Z
Michael Paquier <michael@paquier.xyz> writes: > On Thu, May 07, 2026 at 03:44:45PM +0200, Daniel Gustafsson wrote: >> For 14 through master the attached compiles without warnings and tests green on >> all the supported versions of OpenSSL and LibreSSL. That being said, I'm not >> sure that we want to go all the way to 14 since if something does break, we >> can't really go around fixing it - I think amending the docs in 14 stating that >> OpenSSL 3.6 is the highest supported version is a better solution. > One issue with this approach is that any builds on these branches (say > REL_14_STABLE + OpenSSL 1.0.1) would be forced to either upgrade > OpenSSL to at least 3.6 for a minor Postgres update or give up on any > fix we can put on the 14 stable branch for six more months. None of > these solutions are cool. With one eye on the calendar, I think the right way to proceed is to push this to all branches (including 14) soon after next week's releases. I feel this is too high-risk to shove in just before a release, but shortly after one is ideal since we'll have 3 months to find out any problems. I would support omitting 14 if we were down to just one remaining release for it, but we'll have 2 (August and November). So there will still be an opportunity to fix things if there's an issue that manages to escape notice until after the August releases. regards, tom lane
-
Re: PostgreSQL and OpenSSL 4.0.0
Cary Huang <cary.huang@highgo.ca> — 2026-05-07T22:54:24Z
Hi > Which version of the patch did you try? I thought I had fixed that in the > patchset I posted earlier today but perhaps I missed some parts. I tried the very first patch you shared. I see that the ssl test errors have been addressed by the patches you shared after. So it is all good. I'll try testing other test cases that may have used OpenSSL APIs. thanks! Cary Huang ------------- HighGo Software Inc. (Canada) cary.huang@highgo.ca www.highgo.ca
-
Re: PostgreSQL and OpenSSL 4.0.0
Daniel Gustafsson <daniel@yesql.se> — 2026-05-08T07:07:41Z
> On 8 May 2026, at 00:22, Tom Lane <tgl@sss.pgh.pa.us> wrote: > > Michael Paquier <michael@paquier.xyz> writes: >> On Thu, May 07, 2026 at 03:44:45PM +0200, Daniel Gustafsson wrote: >>> For 14 through master the attached compiles without warnings and tests green on >>> all the supported versions of OpenSSL and LibreSSL. That being said, I'm not >>> sure that we want to go all the way to 14 since if something does break, we >>> can't really go around fixing it - I think amending the docs in 14 stating that >>> OpenSSL 3.6 is the highest supported version is a better solution. > >> One issue with this approach is that any builds on these branches (say >> REL_14_STABLE + OpenSSL 1.0.1) would be forced to either upgrade >> OpenSSL to at least 3.6 for a minor Postgres update or give up on any >> fix we can put on the 14 stable branch for six more months. None of >> these solutions are cool. Not sure I follow, anyone still building with a X years out of support OpenSSL will most likely keep doing so regardless of what CVE's are published. It could of course make backpatching trickier if thats what you mean? > With one eye on the calendar, I think the right way to proceed is to > push this to all branches (including 14) soon after next week's > releases. I feel this is too high-risk to shove in just before a > release, but shortly after one is ideal since we'll have 3 months to > find out any problems. > > I would support omitting 14 if we were down to just one remaining > release for it, but we'll have 2 (August and November). So there > will still be an opportunity to fix things if there's an issue > that manages to escape notice until after the August releases. Doh.. thanks. I was off-by-one and convinced myself we only have one more minor on 14. With two more scheduled I agree that we should go for OpenSSL 4 support in 14 as well. I'll re-test and prep all the branches with all the version of OpenSSL so that I can get this in shortly after the next weeks releases go out. -- Daniel Gustafsson
-
Re: PostgreSQL and OpenSSL 4.0.0
Michael Paquier <michael@paquier.xyz> — 2026-05-08T07:17:32Z
On Fri, May 08, 2026 at 09:07:41AM +0200, Daniel Gustafsson wrote: > Not sure I follow, anyone still building with a X years out of support OpenSSL > will most likely keep doing so regardless of what CVE's are published. It > could of course make backpatching trickier if thats what you mean? Argh. I've misread you here, reading a "lowest" rather than "highest". Documenting that 3.6 is the highest version support on 14-stable would also work here. My apologies for the confusion. If the patches for REL_14_STABLE to add support for 4.0 prove to be low-risk while messing with 1.0.1, that would the best course of action, of course. -- Michael
-
Re: PostgreSQL and OpenSSL 4.0.0
Daniel Gustafsson <daniel@yesql.se> — 2026-05-08T07:21:25Z
> On 8 May 2026, at 09:17, Michael Paquier <michael@paquier.xyz> wrote: > > On Fri, May 08, 2026 at 09:07:41AM +0200, Daniel Gustafsson wrote: >> Not sure I follow, anyone still building with a X years out of support OpenSSL >> will most likely keep doing so regardless of what CVE's are published. It >> could of course make backpatching trickier if thats what you mean? > > Argh. I've misread you here, reading a "lowest" rather than > "highest". Documenting that 3.6 is the highest version support on > 14-stable would also work here. My apologies for the confusion. Ah, now it makes more sense =) > If the patches for REL_14_STABLE to add support for 4.0 prove to be > low-risk while messing with 1.0.1, that would the best course of > action, of course. I think the changes are straightforward enough that we can go ahead with them. I'll re-test and re-post a new patchset for all branches once the minors ship. -- Daniel Gustafsson
-
Re: PostgreSQL and OpenSSL 4.0.0
Daniel Gustafsson <daniel@yesql.se> — 2026-05-19T21:18:08Z
> On 8 May 2026, at 00:21, Daniel Gustafsson <daniel@yesql.se> wrote: > I think the changes are straightforward enough that we can go ahead with them. > I'll re-test and re-post a new patchset for all branches once the minors ship. Attached are rebased versions of this patchset for v14-master. -- Daniel Gustafsson
-
Re: PostgreSQL and OpenSSL 4.0.0
Michael Paquier <michael@paquier.xyz> — 2026-05-26T06:02:50Z
On Tue, May 19, 2026 at 02:18:08PM -0700, Daniel Gustafsson wrote: > > On 8 May 2026, at 00:21, Daniel Gustafsson <daniel@yesql.se> wrote: > > > I think the changes are straightforward enough that we can go ahead with them. > > I'll re-test and re-post a new patchset for all branches once the minors ship. > > Attached are rebased versions of this patchset for v14-master. I have a question here. Most of the changes relate to the use of const where the OpenSSL APIs require these to be so, but why is this a new requirement for 4.0? I can see that for most of the upstream routines, the const changes are much older, like in 8cc86b81ac20 for X509_NAME_get_text_by_NID() applying down to branch openssl-3.0. -- Michael
-
Re: PostgreSQL and OpenSSL 4.0.0
Daniel Gustafsson <daniel@yesql.se> — 2026-05-26T08:16:40Z
> On 26 May 2026, at 08:02, Michael Paquier <michael@paquier.xyz> wrote: > > On Tue, May 19, 2026 at 02:18:08PM -0700, Daniel Gustafsson wrote: >>> On 8 May 2026, at 00:21, Daniel Gustafsson <daniel@yesql.se> wrote: >> >>> I think the changes are straightforward enough that we can go ahead with them. >>> I'll re-test and re-post a new patchset for all branches once the minors ship. >> >> Attached are rebased versions of this patchset for v14-master. > > I have a question here. Most of the changes relate to the use of const > where the OpenSSL APIs require these to be so, but why is this a new > requirement for 4.0? I can see that for most of the upstream > routines, the const changes are much older, like in 8cc86b81ac20 for > X509_NAME_get_text_by_NID() applying down to branch openssl-3.0. It is very true that OpenSSL has been constifying the API over time, the change in 4.0 revolves around making more returnvalues const. In the case at hand, X509_get_subject_name() now returns a const X509_NAME pointer since commit b0f2107b4404. This wouldn't be a problem since X509_NAME_get_text_by_NID() does as you say take a const parameter, but since we have shoehorned LibreSSL support into the same file we are tied to the least common denominator and LibreSSL is far behind OpenSSL on constifying. So in this case, we need to unconstify() to keep LibreSSL compiling. I have plans for fixing this in v20 but for 14-19 there isn't much we can do except unconstifying. -- Daniel Gustafsson
-
Re: PostgreSQL and OpenSSL 4.0.0
Michael Paquier <michael@paquier.xyz> — 2026-05-27T00:06:01Z
On Tue, May 26, 2026 at 10:16:40AM +0200, Daniel Gustafsson wrote: > I have plans for fixing this in v20 but for 14-19 there isn't much we can do > except unconstifying. Indeed, no objections regarding that for the stable branches. For v20, it sounds to me that cutting through the set of versions of OpenSSL supported should make the situation much saner, even if the range of changes seems to be limited due to the LibreSSL story. -- Michael
-
Re: PostgreSQL and OpenSSL 4.0.0
Daniel Gustafsson <daniel@yesql.se> — 2026-05-27T10:47:32Z
> On 27 May 2026, at 02:06, Michael Paquier <michael@paquier.xyz> wrote: > > On Tue, May 26, 2026 at 10:16:40AM +0200, Daniel Gustafsson wrote: >> I have plans for fixing this in v20 but for 14-19 there isn't much we can do >> except unconstifying. > > Indeed, no objections regarding that for the stable branches. Thanks for confirming. I am currently re-testing all the combinations of stable postgres branches and supported OpenSSL and LibreSSL versions. > For v20, it sounds to me that cutting through the set of versions of > OpenSSL supported should make the situation much saner, even if the > range of changes seems to be limited due to the LibreSSL story. Not to thread-jack myself, but. I have a WIP patch for v20 which separates the code into {fe|be}-secure-openssl.c and {fe[be}-secure-libressl such that we can start modernizing our OpenSSL code without breaking LibreSSL or risk ending up with an impenetrable ifdef soup. Will share shortly to get a discussion going for how we want to deal with TLS support in 20 and onwards. -- Daniel Gustafsson -
Re: PostgreSQL and OpenSSL 4.0.0
Daniel Gustafsson <daniel@yesql.se> — 2026-05-29T20:05:56Z
> On 27 May 2026, at 12:47, Daniel Gustafsson <daniel@yesql.se> wrote: > >> On 27 May 2026, at 02:06, Michael Paquier <michael@paquier.xyz> wrote: >> >> On Tue, May 26, 2026 at 10:16:40AM +0200, Daniel Gustafsson wrote: >>> I have plans for fixing this in v20 but for 14-19 there isn't much we can do >>> except unconstifying. >> >> Indeed, no objections regarding that for the stable branches. > > Thanks for confirming. I am currently re-testing all the combinations of stable > postgres branches and supported OpenSSL and LibreSSL versions. While I had hoped to get it done sooner (sickness altered my plans), I just pushed this to master ahead of the beta1 deadline, and once it's been through some rounds of buildfarm compiles I'll backpatch to the stable branches. -- Daniel Gustafsson