Re: OpenSSL 1.1 breaks configure and more

Andreas Karlsson <andreas@proxel.se>

From: Andreas Karlsson <andreas@proxel.se>
To: Heikki Linnakangas <hlinnaka@iki.fi>, Victor Wagner <vitus@wagner.pp.ru>, pgsql-hackers@postgresql.org, Christoph Berg <myon@debian.org>, Tom Lane <tgl@sss.pgh.pa.us>
Date: 2016-09-15T00:16:27Z
Lists: pgsql-hackers
On 09/15/2016 02:03 AM, Andreas Karlsson wrote:
> On 09/12/2016 06:51 PM, Heikki Linnakangas wrote:
>> Changes since last version:
>>
>> * Added more error checks to the my_BIO_s_socket() function. Check for
>> NULL result from malloc(). Check the return code of BIO_meth_set_*()
>> functions; looking at OpenSSL sources, they always succeed, but all the
>> test/example programs that come with OpenSSL do check them.
>>
>> * Use BIO_get_new_index() to get the index number for the wrapper BIO.
>>
>> * Also call BIO_meth_set_puts(). It was missing in previous patch
>> versions.
>>
>> * Fixed src/test/ssl test suite to also work with OpenSSL 1.1.0.
>>
>> * Changed all references (in existing code) to SSLEAY_VERSION_NUMBER
>> into OPENSSL_VERSION_NUMBER, for consistency.
>>
>> * Squashed all into one patch.
>>
>> I intend to apply this to all supported branches, so please have a look!
>> This is now against REL9_6_STABLE, but there should be little difference
>> between branches in the code that this touches.
>
> This patch no longer seems to apply to head after the removed support of
> 0.9.6. Is that intentional?

Never mind. I just failed at reading.

Now for a review:

It looks generally good but I think I saw one error. In 
fe-secure-openssl.c your code still calls SSL_library_init() in OpenSSL 
1.1. I think it should be enough to just call 
OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL) like you do in be-secure.

Andreas


Commits

  1. Back-patch 9.4-era SSL renegotiation code into 9.3 and 9.2.