Re: OpenSSL 3.0.0 compatibility
Michael Paquier <michael@paquier.xyz>
From: Michael Paquier <michael@paquier.xyz>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2020-09-23T08:17:00Z
Lists: pgsql-hackers
On Mon, Sep 21, 2020 at 08:18:42PM +0200, Daniel Gustafsson wrote: > I'm far from fluent in OpenSSL, but AFAICT it has to do with the new provider > API. The default value for padding is unchanged, but it needs to be propaged > into the provider to be set in the context where the old code picked it up > automatically. The relevant OpenSSL commit (83f68df32f0067ee7b0) which changes > the docs to say the function should be called doesn't contain enough > information to explain why. Hmm. Perhaps we should consider making this part conditional on 3.0.0? But I don't see an actual reason why we cannot do it unconditionally either. This needs careful testing for sure. > Turns out it was coming from when I tested against OpenSSL git HEAD, so it may > come in alpha7 (or whatever the next version will be). Let's disregard this > for now until dust settles, I've dropped the patch from the series. Yeah. I have just tried that on the latest HEAD at e771249 and I could reproduce what you saw. It smells to me like a regression introduced by upstream, as per 9a30f40c and c2150f7. I'd rather wait for 3.0.0 to be GA before concluding here. If it proves to be reproducible with their golden version as a bug (or even not as a bug), we will need to have a workaround in any case. -- Michael
Commits
-
Define OPENSSL_API_COMPAT
- 96f96398d398 11.21 landed
- 265c9138da58 12.16 landed
- 8aa9a26236aa 13.12 landed
- 4d3db13621be 14.0 landed
-
Add alternative output for OpenSSL 3 without legacy loaded
- eb643536b9f1 10.19 landed
- 8e7199453bf9 13.5 landed
- 7b6ce36fbab5 12.9 landed
- 6d0001aabf2a 14.0 landed
- 19e91a40bf26 11.14 landed
- 72bbff4cd6ea 15.0 landed
-
Disable OpenSSL EVP digest padding in pgcrypto
- e802b594e794 10.19 landed
- 4fa2b15e1c9c 14.0 landed
- 135d8687adf1 13.5 landed
- 11901cd9628b 11.14 landed
- 00c72da4a22d 12.9 landed
- 318df8023559 15.0 landed
-
pgcrypto: Check for error return of px_cipher_decrypt()
- a69e1506f618 13.5 landed
- 90cfd269f226 12.9 landed
- 841075a65cdc 10.19 landed
- 0f28d267c7e0 11.14 landed
- 22e1943f13b6 14.0 landed
-
OpenSSL 3.0.0 compatibility in tests
- f0d2c65f17ca 13.0 landed
-
Make ssl certificate for ssl_passphrase_callback test via Makefile
- b846091fd0a7 13.0 landed
-
Provide a TLS init hook
- 896fcdb230e7 13.0 cited