Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: Peter Eisentraut <peter@eisentraut.org>
Cc: Michael Paquier <michael@paquier.xyz>,
Jacob Champion <jacob.champion@enterprisedb.com>,
Thomas Munro <thomas.munro@gmail.com>,
Postgres hackers <pgsql-hackers@lists.postgresql.org>,
mikael.kjellstrom@gmail.com,
Tom Lane <tgl@sss.pgh.pa.us>
Date: 2024-04-18T20:26:33Z
Lists: pgsql-hackers
Attachments
- v10-0001-Doc-Use-past-tense-for-things-which-happened-in-.patch (application/octet-stream) patch v10-0001
- v10-0002-Remove-support-for-OpenSSL-1.0.2.patch (application/octet-stream) patch v10-0002
- v10-0003-Support-disallowing-SSL-renegotiation-in-LibreSS.patch (application/octet-stream) patch v10-0003
- v10-0004-Support-SSL_R_VERSION_TOO_LOW-on-LibreSSL.patch (application/octet-stream) patch v10-0004
- v10-0005-Remove-pg_strong_random-initialization.patch (application/octet-stream) patch v10-0005
> On 18 Apr 2024, at 12:53, Peter Eisentraut <peter@eisentraut.org> wrote: > Review of the latest batch: Thanks for reviewing! > 8 v9-0002-Remove-support-for-OpenSSL-1.0.2.patch > > Ok, but maybe make the punctuation consistent here: Fixed. > * v9-0004-Support-SSL_R_VERSION_TOO_LOW-on-LibreSSL.patch > > Seems ok, but the reason isn't clear to me. Are there LibreSSL versions that have SSL_R_VERSION_TOO_LOW but not SSL_R_VERSION_TOO_HIGH? Maybe this could be explained better. LibreSSL doesn't support SSL_R_VERSION_TOO_HIGH at all, they only support _TOO_LOW starting with the OpenBSD 7.2 release. I've expanded the commit message to document this. > Also, "OpenSSL 7.2" in the commit message probably meant "OpenBSD"? Ah yes, fixed. > * v9-0005-Remove-pg_strong_random-initialization.patch > > I don't understand the reason for this phrase in the commit message: "1.1.1 is being increasingly phased out from production use". Did you mean 1.1.0 there? Correct, I got lost among the version numbers it seems. Fixed. > Conditionally sticking the RAND_poll() into pg_strong_random(), does that have the effect we want? It wouldn't reinitialize after a fork, AFAICT. No I think you're right, my previous version would have worked (but was ugly) but this doesn't guarantee that. Thinking more about it maybe it's best to just keep the init function and have a version check for 1.1.0 there, making it an empty no-op for all other cases. When we move past 1.1.0 due to a new API requirement we can blow it all away. > If everything is addressed, I agree that 0001, 0003, and 0004 can go into PG17, the rest later. Agreed, 0002 and 0005 are clearly for the v18 cycle. -- Daniel Gustafsson
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Remove obsolete unconstify()
- 1fb2308e698e 18.0 landed
-
Only perform pg_strong_random init when required
- c3333dbc0c0f 18.0 landed
-
Remove support for OpenSSL older than 1.1.0
- a70e01d4306f 18.0 landed
-
Support SSL_R_VERSION_TOO_LOW when using LibreSSL
- d80f2ce29465 17.0 landed
-
Support disallowing SSL renegotiation when using LibreSSL
- 44e27f0a6d07 17.0 landed
-
Doc: Use past tense for things which happened in the past
- 91d6429fad55 17.0 landed
-
Remove support for OpenSSL 1.0.1
- 8e278b657664 17.0 landed
-
Remove support for OpenSSL 0.9.8 and 1.0.0
- 7b283d0e1d1d 13.0 cited