Re: disabled SSL log_like tests
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Thomas Munro <thomas.munro@gmail.com>,
Andrew Dunstan <andrew@dunslane.net>,
PostgreSQL Hackers <pgsql-hackers@postgresql.org>,
Jacob Champion <jacob.champion@enterprisedb.com>
Date: 2025-05-07T17:53:38Z
Lists: pgsql-hackers
> On 7 May 2025, at 18:04, Tom Lane <tgl@sss.pgh.pa.us> wrote: > > Daniel Gustafsson <daniel@yesql.se> writes: >>> On 7 May 2025, at 06:34, Tom Lane <tgl@sss.pgh.pa.us> wrote: >>> I couldn't help noticing that the backtraces went through >>> lib/libssl/tls13_legacy.c, which doesn't give a warm feeling >>> about how supported they think our usage is (and perhaps also >>> explains why they didn't detect this bug themselves). > >> Since we no longer support 1.0.2 we can apply something like the (lightly >> tested) attached which should be a no-op as we already use TLS_method() but via >> an alias. > > Yeah, I saw that SSLv23_method() was merely an alias for TLS_method() > in LibreSSL as well. That means unfortunately that your proposal is > just cosmetic and doesn't get us out of using code that they're > calling "legacy". I wonder what it would take to get to the "modern" > code paths. AFAICT (it's not documented what I can see) the Libressl folks consider code inherited from OpenSSL legacy. Using current OpenSSL API's and moving away from deprecated API's is probably our best bet. On that note, TLS_method is the current API to use in both OpenSSL and Libressl according to their respective documentations. A separate be-secure-libressl.c could move to use their libtls instead of the libssl OpenSSL compatibility library, which may be an interesting excercise but a very different project from what is discussed here. -- Daniel Gustafsson
Commits
-
Skip RSA-PSS ssl test when using LibreSSL.
- cad781b3e5de 16.10 landed
- 95129709fd9b 18.0 landed
- 793aa989f8e4 15.14 landed
- 3007fee7f292 17.6 landed
-
Ooops ... add required configure support.
- 00811a96ac45 15.14 landed
-
Hack one ssl test case to pass with current LibreSSL.
- 75d73331d014 18.0 landed
-
Centralize ssl tests' check for whether we're using LibreSSL.
- 976a8c2170f1 17.6 landed
- 27fbf7cb6391 16.10 landed
- 1ddb9e14eadf 15.14 landed
- 0aaf69965dbd 18.0 landed
-
Re-enable SSL connect_fails tests, and fix related race conditions.
- e0f373ee42a4 18.0 landed
-
Disable unstable test cases in src/test/ssl/t/001_ssltests.pl.
- 55828a6b6084 16.0 cited