Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?
Peter Eisentraut <peter@eisentraut.org>
From: Peter Eisentraut <peter@eisentraut.org>
To: Daniel Gustafsson <daniel@yesql.se>, Michael Paquier <michael@paquier.xyz>
Cc: Jacob Champion <jacob.champion@enterprisedb.com>,
Thomas Munro <thomas.munro@gmail.com>,
Postgres hackers <pgsql-hackers@lists.postgresql.org>,
mikael.kjellstrom@gmail.com, Tom Lane <tgl@sss.pgh.pa.us>
Date: 2024-04-18T10:53:43Z
Lists: pgsql-hackers
On 16.04.24 10:17, Daniel Gustafsson wrote:
> I forgot (and didn't check) that we backpatched 01e6f1a842f4, with that in mind
> I agree that we should backpatch 0003 as well to put LibreSSL on par as much as
> we can. 0004 is a fix for the LibreSSL support, not adding anything new, so
> pushing that to master now makes sense. Unless objections are raised I'll push
> 0001, 0003 and 0004 shortly. 0002 and 0005 can hopefully be addressed in the
> July commitfest.
Review of the latest batch:
* v9-0001-Doc-Use-past-tense-for-things-which-happened-in-t.patch
Ok
8 v9-0002-Remove-support-for-OpenSSL-1.0.2.patch
Ok, but maybe make the punctuation consistent here:
+ # Function introduced in OpenSSL 1.0.2, not in LibreSSL.
+ ['SSL_CTX_set_cert_cb'],
+
+ # Function introduced in OpenSSL 1.1.1, not in LibreSSL
['X509_get_signature_info'],
* v9-0003-Support-disallowing-SSL-renegotiation-in-LibreSSL.patch
ok
* v9-0004-Support-SSL_R_VERSION_TOO_LOW-on-LibreSSL.patch
Seems ok, but the reason isn't clear to me. Are there LibreSSL versions
that have SSL_R_VERSION_TOO_LOW but not SSL_R_VERSION_TOO_HIGH? Maybe
this could be explained better.
Also, "OpenSSL 7.2" in the commit message probably meant "OpenBSD"?
* v9-0005-Remove-pg_strong_random-initialization.patch
I don't understand the reason for this phrase in the commit message:
"1.1.1 is being increasingly phased out from production use". Did you
mean 1.1.0 there?
Conditionally sticking the RAND_poll() into pg_strong_random(), does
that have the effect we want? It wouldn't reinitialize after a fork,
AFAICT.
If everything is addressed, I agree that 0001, 0003, and 0004 can go
into PG17, the rest later.
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Remove obsolete unconstify()
- 1fb2308e698e 18.0 landed
-
Only perform pg_strong_random init when required
- c3333dbc0c0f 18.0 landed
-
Remove support for OpenSSL older than 1.1.0
- a70e01d4306f 18.0 landed
-
Support SSL_R_VERSION_TOO_LOW when using LibreSSL
- d80f2ce29465 17.0 landed
-
Support disallowing SSL renegotiation when using LibreSSL
- 44e27f0a6d07 17.0 landed
-
Doc: Use past tense for things which happened in the past
- 91d6429fad55 17.0 landed
-
Remove support for OpenSSL 1.0.1
- 8e278b657664 17.0 landed
-
Remove support for OpenSSL 0.9.8 and 1.0.0
- 7b283d0e1d1d 13.0 cited