Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

Peter Eisentraut <peter@eisentraut.org>

From: Peter Eisentraut <peter@eisentraut.org>
To: Daniel Gustafsson <daniel@yesql.se>, Michael Paquier <michael@paquier.xyz>
Cc: Postgres hackers <pgsql-hackers@lists.postgresql.org>
Date: 2024-09-10T08:01:22Z
Lists: pgsql-hackers

Attachments

On 02.09.24 14:26, Daniel Gustafsson wrote:
>> On 2 Sep 2024, at 10:03, Daniel Gustafsson <daniel@yesql.se> wrote:
>>
>>> On 23 Aug 2024, at 01:56, Michael Paquier <michael@paquier.xyz> wrote:
>>>
>>> On Thu, Aug 22, 2024 at 11:13:15PM +0200, Daniel Gustafsson wrote:
>>>> On 22 Aug 2024, at 02:31, Michael Paquier <michael@paquier.xyz> wrote:
>>>>> Just do it :)
>>>>
>>>> That's my plan, I wanted to wait a bit to see if anyone else chimed in with
>>>> concerns.
>>>
>>> Cool, thanks!
>>
>> Attached is a rebased v15 (only changes are commit-message changes noted by
>> Peter upthread) for the sake of archives, and for a green-check run in the
>> CFBot.  Assuming this builds green I intend to push this.
> 
> And pushed.  All BF owners with animals using 1.0.2 have been notified but not
> all have been updated (or modified to skip SSL) so there will be some failing.

A small follow-up for this:  With the current minimum OpenSSL version 
being 1.1.0, we can remove an unconstify() call; see attached patch.

See this OpenSSL commit: 
<https://github.com/openssl/openssl/commit/8ab31975ba>.  The analogous 
LibreSSL change is here: 
<https://cvsweb.openbsd.org/src/lib/libcrypto/bio/bss_mem.c?rev=1.17&content-type=text/x-cvsweb-markup>. 
  I don't know if we have a concrete minimum LibreSSL version, but the 
change is about as old as the OpenSSL change.

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Remove obsolete unconstify()

  2. Only perform pg_strong_random init when required

  3. Remove support for OpenSSL older than 1.1.0

  4. Support SSL_R_VERSION_TOO_LOW when using LibreSSL

  5. Support disallowing SSL renegotiation when using LibreSSL

  6. Doc: Use past tense for things which happened in the past

  7. Remove support for OpenSSL 1.0.1

  8. Remove support for OpenSSL 0.9.8 and 1.0.0