Re: Retire support for OpenSSL 1.1.1 due to raised API requirements

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2024-09-09T21:29:09Z
Lists: pgsql-hackers
> On 9 Sep 2024, at 16:48, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> 
> Daniel Gustafsson <daniel@yesql.se> writes:
>> The patchset in https://commitfest.postgresql.org/49/5025/ which adds support
>> for configuring cipher suites in TLS 1.3 handshakes require an API available in
>> OpenSSL 1.1.1 and onwards.  With that as motivation I'd like to propose that we
>> remove support for OpenSSL 1.1.0 and set the minimum required version to 1.1.1.
>> OpenSSL 1.1.0 was EOL in September 2019 and was never an LTS version, so it's
>> not packaged in anything anymore AFAICT and should be very rare in production
>> use in conjunction with an updated postgres.  1.1.1 LTS will be 2 years EOL by
>> the time v18 ships so I doubt this will be all that controversial.
> 
> Yeah ... the alternative would be to conditionally compile the new
> functionality.  That doesn't seem like a productive use of developer
> time if it's supporting just one version that should be extinct in
> the wild by now.

Agreed.  OpenSSL 1.1.1 is very different story and I suspect we'll be stuck on
that level for some time, but 1.1.0 is gone from production use.

--
Daniel Gustafsson




Commits

  1. Raise the minimum supported OpenSSL version to 1.1.1

  2. Remove support for OpenSSL older than 1.1.0