Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

Jacob Champion <jacob.champion@enterprisedb.com>

From: Jacob Champion <jacob.champion@enterprisedb.com>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Thomas Munro <thomas.munro@gmail.com>, Michael Paquier <michael@paquier.xyz>, Postgres hackers <pgsql-hackers@lists.postgresql.org>
Date: 2024-04-04T18:03:35Z
Lists: pgsql-hackers

Attachments

On Wed, Apr 3, 2024 at 3:27 PM Daniel Gustafsson <daniel@yesql.se> wrote:
> The patch will also need to be adjusted to work with LibreSSL, but I know Jacob
> was looking into that so ideally we should have something to review before
> the weekend.

v3 does that by putting back checks for symbols that aren't part of
LibreSSL (tested back to 2.7, which is where the 1.1.x APIs started to
arrive). It also makes adjustments for the new OPENSSL_API_COMPAT
version, getting rid of OpenSSL_add_all_algorithms() and adding a
missing header.

This patch has a deficiency where 1.1.0 itself isn't actually rejected
at configure time; Daniel's working on an explicit check for the
OPENSSL/LIBRESSL_VERSION_NUMBER that should fix that up. There's an
open question about which version we should pin for LibreSSL, which
should ultimately come down to which versions of OpenBSD we want PG17
to support.

Thanks,
--Jacob

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Remove obsolete unconstify()

  2. Only perform pg_strong_random init when required

  3. Remove support for OpenSSL older than 1.1.0

  4. Support SSL_R_VERSION_TOO_LOW when using LibreSSL

  5. Support disallowing SSL renegotiation when using LibreSSL

  6. Doc: Use past tense for things which happened in the past

  7. Remove support for OpenSSL 1.0.1

  8. Remove support for OpenSSL 0.9.8 and 1.0.0