Re: OpenSSL 3.0.0 compatibility

Peter Eisentraut <peter.eisentraut@enterprisedb.com>

From: Peter Eisentraut <peter.eisentraut@enterprisedb.com>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Michael Paquier <michael@paquier.xyz>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2021-08-06T18:41:22Z
Lists: pgsql-hackers
On 20.07.21 01:23, Daniel Gustafsson wrote:
>> So I think your proposed patch is sound and a good short-term and low-risk solution
> The attached 0001 disables the padding.  I've tested this with OpenSSL 1.0.1,
> 1.0.2, 1.1.1 and Git HEAD at e278127cbfa2709d.
> 
> Another aspect of OpenSSL 3 compatibility is that of legacy cipher support, and
> as we concluded upthread it's best to leave that to the user to define in
> openssl.cnf.  The attached 0002 adds alternative output files for 3.0.0
> installations without the legacy provider loaded, as well as adds a note in the
> pgcrypto docs to enable it in case DES is needed.  It does annoy me a bit that
> we don't load the openssl.cnf file for 1.0.1 if we start mentioning it in the
> docs for other versions, but it's probably not worth the effort to fix it given
> the lack of complaints so far (it needs a call to OPENSSL_config(NULL); guarded
> to HAVE_ macros for 1.0.1).

Are you going to commit these?



Commits

  1. Define OPENSSL_API_COMPAT

  2. Add alternative output for OpenSSL 3 without legacy loaded

  3. Disable OpenSSL EVP digest padding in pgcrypto

  4. pgcrypto: Check for error return of px_cipher_decrypt()

  5. OpenSSL 3.0.0 compatibility in tests

  6. Make ssl certificate for ssl_passphrase_callback test via Makefile

  7. Provide a TLS init hook