Re: OpenSSL 1.1 breaks configure and more

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Andreas Karlsson <andreas@proxel.se>
Cc: Alvaro Herrera <alvherre@2ndquadrant.com>, Christoph Berg <myon@debian.org>, Heikki Linnakangas <hlinnaka@iki.fi>, Michael Paquier <michael.paquier@gmail.com>, Victor Wagner <vitus@wagner.pp.ru>, pgsql-hackers@postgresql.org
Date: 2017-04-16T01:14:07Z
Lists: pgsql-hackers

Attachments

Andreas Karlsson <andreas@proxel.se> writes:
> On 09/15/2016 05:38 PM, Alvaro Herrera wrote:
>> I suppose some interested party could grab the patch that Heikki
>> committed to the new branches and produce a back-patch that can be
>> applied to the older branches.

> Here is the result of backporting the sum of the two patches on top of 
> REL9_4_STABLE. Not sure if we need this, but if we do we can apply this 
> patch.

I've pushed this into 9.4 with trivial corrections (fix merge failure
against a later patch, and sync the autoconf output files with the
actual contents of configure.in).  I've tested it locally against
openssl 1.0.1e and 1.1.0e, but not anything older.  What I did to test
was to copy the 9.5-branch src/test/ssl/ stuff into 9.4 and run it.
I saw failures on the tests for Subject Alternative Name, which is
unsurprising since we added that support as a feature in 9.5, but
everything else passed.  Unless the buildfarm turns up problems,
I think we're ok there.

I tried to push the code into 9.3, and saw the same problems Christoph
mentioned for 9.2: it compiles fine against 1.0.1e, but the references
to port->ssl->state don't work with 1.1.  The reason that's OK in 9.4
is not that we removed SSL negotiation; that didn't happen until 9.5.
Rather, it's because this 9.4 commit got rid of the bogus code:

Author: Alvaro Herrera <alvherre@alvh.no-ip.org>
Branch: master Release: REL9_4_BR [31cf1a1a4] 2013-10-10 23:45:20 -0300

    Rework SSL renegotiation code

If we want to go any further back with 1.1 support, we have a range
of options:

1. Back-patch that patch, probably also including the followup adjustments
  in 86029b31e and 36a3be654.

2. Add #if's to use 31cf1a1a4's coding with OpenSSL >= 1.1, while keeping
   the older code for use when built against older OpenSSLs.

3. Conditionally disable renegotiation altogether with OpenSSL >= 1.1,
   thus adopting 9.5 not 9.4 behavior when using newer OpenSSL.

I think #3 would be fairly weird unless we also changed 9.4 similarly.
But there's some argument for doing that: we don't really have any field
experience with using renegotiation with OpenSSL 1.1, so we don't know
that what is in the 9.4 branch right now actually works with 1.1.
On the other hand, it would also be the most work of these options,
since we'd have to do things like adding conditional behavior in guc.c.

Thoughts?

For the archives' sake, attached is the 9.3-adapted version of the
patch so far.

			regards, tom lane

Commits

  1. Back-patch 9.4-era SSL renegotiation code into 9.3 and 9.2.