Re: OpenSSL 3.0.0 compatibility

Peter Eisentraut <peter.eisentraut@2ndquadrant.com>

From: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
To: Andrew Dunstan <andrew.dunstan@2ndquadrant.com>, Daniel Gustafsson <daniel@yesql.se>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2020-06-01T08:33:12Z
Lists: pgsql-hackers
On 2020-05-30 14:34, Andrew Dunstan wrote:
> 
> On 5/28/20 6:16 PM, Daniel Gustafsson wrote:
>>
>> OpenSSL also deprecates DES keys in 3.0.0, which cause our password callback
>> tests to fail with the cryptic error "fetch failed", as the test suite keys are
>> encrypted with DES.  0002 fixes this by changing to AES256 (randomly chosen
>> among the ciphers supported in 1.0.1+ and likely to be around), and could be
>> applied already today as there is nothing 3.0.0 specific about it.
>>
> 
> +1 for applying this forthwith. The key in my recent commit 896fcdb230
> is encrypted with AES256.

I don't see anything in that commit about how to regenerate those files, 
such as a makefile rule.  Is that missing?

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services



Commits

  1. Define OPENSSL_API_COMPAT

  2. Add alternative output for OpenSSL 3 without legacy loaded

  3. Disable OpenSSL EVP digest padding in pgcrypto

  4. pgcrypto: Check for error return of px_cipher_decrypt()

  5. OpenSSL 3.0.0 compatibility in tests

  6. Make ssl certificate for ssl_passphrase_callback test via Makefile

  7. Provide a TLS init hook