Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: Michael Paquier <michael@paquier.xyz>
Cc: Peter Eisentraut <peter@eisentraut.org>, Jacob Champion <jacob.champion@enterprisedb.com>, Thomas Munro <thomas.munro@gmail.com>, Postgres hackers <pgsql-hackers@lists.postgresql.org>, mikael.kjellstrom@gmail.com, Tom Lane <tgl@sss.pgh.pa.us>
Date: 2024-04-15T09:07:05Z
Lists: pgsql-hackers

Attachments

> On 15 Apr 2024, at 07:04, Michael Paquier <michael@paquier.xyz> wrote:
> On Fri, Apr 12, 2024 at 02:42:57PM +0200, Daniel Gustafsson wrote:

>> Is the attached split in line with how you were thinking about it?
> 
> If I may, 0001 looks sensible here.  The bits from 0003 and 0004 could
> be applied before 0002, as well.

Agreed, once we are in post-freeze I think those three are mostly ready to go.

> - /* do post-fork initialization for random number generation */
> - pg_strong_random_init();
> 
> Perhaps you intented this diff to be in 0005 rather than in 0002?
> With 0002 applied, only support for 1.0.2 is removed, not 1.1.0 yet.

Yes, nice catch, that was a mistake in splitting up the patch into multiple
pieces, it should be in the 0005 patch for strong random. Fixed.

> s/requred/required/.

Fixed.

> Rather than calling always RAND_poll(), this
> could use a static flag to call it only once when pg_strong_random is
> called for the first time.

Agreed, we can good that. Fixed.

> I would not mind seeing this part entirely
> gone with the removal of support for 1.1.0.

If we want to keep autoconf from checking versions and just check compatibility
(with our code) then we will remain at 1.1.0 compatibility.  The only 1.1.1 API
we use is not present in LibreSSL so we can't really place a hard restriction
on that.  It might be that keeping it for now, and removing it later during the
v18 cycle as we modernize our OpenSSL code (which I hope to find time to work
on) and make use of newer 1.1.1 API:s.  That way we can keep our autoconf/meson
checks consistent across library checks.  If we end up with no new API:s to
check for by the time the last commitfest of v18 rolls around, we can revisit
the decision then.

--
Daniel Gustafsson

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Remove obsolete unconstify()

  2. Only perform pg_strong_random init when required

  3. Remove support for OpenSSL older than 1.1.0

  4. Support SSL_R_VERSION_TOO_LOW when using LibreSSL

  5. Support disallowing SSL renegotiation when using LibreSSL

  6. Doc: Use past tense for things which happened in the past

  7. Remove support for OpenSSL 1.0.1

  8. Remove support for OpenSSL 0.9.8 and 1.0.0