Re: Update minimum SSL version

Magnus Hagander <magnus@hagander.net>

From: Magnus Hagander <magnus@hagander.net>
To: Michael Paquier <michael@paquier.xyz>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Robert Haas <robertmhaas@gmail.com>, Daniel Gustafsson <daniel@yesql.se>, Peter Eisentraut <peter.eisentraut@2ndquadrant.com>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2019-12-03T09:10:57Z
Lists: pgsql-hackers
On Tue, Dec 3, 2019 at 4:53 AM Michael Paquier <michael@paquier.xyz> wrote:

> On Mon, Dec 02, 2019 at 12:51:26PM -0500, Tom Lane wrote:
> > Yah.  Although, looking at the code in be-secure-openssl.c,
> > it doesn't look that hard to do in an extensible way.
> > Something like (untested)
>
> While we are on the topic...  Here is another wild idea.  We discussed
> not so long ago about removing support for OpenSSL 0.9.8 from the
> tree.  What if we removed support for 1.0.0 and 0.9.8 for 13~.  This
> would solve a couple of compatibility headaches, and we have TLSv1.2
> support automatically for all the versions supported.  Note that 1.0.0
> has been retired by upstream in February 2014.
>

Is 1.0.1 considered a separate major from 1.0.0, in this reasoning? Because
while retiring 1.0.0 should probably not be that terrible, 1.0.1 is still
in very widespread use on most long term supported distributions.

-- 
 Magnus Hagander
 Me: https://www.hagander.net/ <http://www.hagander.net/>
 Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>

Commits

  1. Fix handling of OpenSSL's SSL_clear_options

  2. Remove configure check for OpenSSL's SSL_get_current_compression()

  3. Update minimum SSL version