Re: OpenSSL 3.0.0 compatibility
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: Michael Paquier <michael@paquier.xyz>
Cc: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>,
Peter Eisentraut <peter.eisentraut@enterprisedb.com>,
Tom Lane <tgl@sss.pgh.pa.us>
Date: 2021-09-22T08:06:26Z
Lists: pgsql-hackers
> On 22 Sep 2021, at 09:49, Michael Paquier <michael@paquier.xyz> wrote:
>
> On Tue, Sep 07, 2021 at 02:04:23PM +0200, Daniel Gustafsson wrote:
>> On 10 Aug 2021, at 15:27, Daniel Gustafsson <daniel@yesql.se> wrote:
>>
>>> These have now been committed, when OpenSSL 3.0.0 ships and there is coverage
>>> in the buildfarm I’ll revisit this for the backbranches.
>>
>> As an update to this, I’ve tested the tree frozen for the upcoming 3.0.0
>> release (scheduled for today AFAIK) and postgres still builds and tests clean
>> with the patches that were applied.
>
> I think that the time to do a backpatch of 318df8 has come. caiman,
> that runs Fedora 35, has just failed:
> https://buildfarm.postgresql.org/cgi-bin/show_log.pl?nm=caiman&dt=2021-09-22%2006%3A28%3A00
>
> Here is a diff:
> @@ -8,168 +8,88 @@
> decode('0000000000000000', 'hex'),
> decode('0000000000000000', 'hex'),
> 'bf-ecb/pad:none'), 'hex');
> - encode
> -------------------
> - 4ef997456198dd78
> -(1 row)
> -
> +ERROR: encrypt error: Cipher cannot be initialized ?
That particular error stems from the legacy provider not being enabled in
openssl.cnf, so for this we need to backpatch 72bbff4cd as well.
> So the coverage is here. HEAD passes, not the stabele branches. At
> least for 14 it would be nice to do that before the release of next
> week.
Agreed, I will go ahead and prep backpatches for 318df8 and 72bbff4cd.
--
Daniel Gustafsson https://vmware.com/
Commits
-
Define OPENSSL_API_COMPAT
- 96f96398d398 11.21 landed
- 265c9138da58 12.16 landed
- 8aa9a26236aa 13.12 landed
- 4d3db13621be 14.0 landed
-
Add alternative output for OpenSSL 3 without legacy loaded
- eb643536b9f1 10.19 landed
- 8e7199453bf9 13.5 landed
- 7b6ce36fbab5 12.9 landed
- 6d0001aabf2a 14.0 landed
- 19e91a40bf26 11.14 landed
- 72bbff4cd6ea 15.0 landed
-
Disable OpenSSL EVP digest padding in pgcrypto
- e802b594e794 10.19 landed
- 4fa2b15e1c9c 14.0 landed
- 135d8687adf1 13.5 landed
- 11901cd9628b 11.14 landed
- 00c72da4a22d 12.9 landed
- 318df8023559 15.0 landed
-
pgcrypto: Check for error return of px_cipher_decrypt()
- a69e1506f618 13.5 landed
- 90cfd269f226 12.9 landed
- 841075a65cdc 10.19 landed
- 0f28d267c7e0 11.14 landed
- 22e1943f13b6 14.0 landed
-
OpenSSL 3.0.0 compatibility in tests
- f0d2c65f17ca 13.0 landed
-
Make ssl certificate for ssl_passphrase_callback test via Makefile
- b846091fd0a7 13.0 landed
-
Provide a TLS init hook
- 896fcdb230e7 13.0 cited