Re: OpenSSL 3.0.0 compatibility
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: Michael Paquier <michael@paquier.xyz>
Cc: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>,
PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2020-11-30T13:05:21Z
Lists: pgsql-hackers
> On 26 Nov 2020, at 09:08, Michael Paquier <michael@paquier.xyz> wrote: > > On Tue, Sep 29, 2020 at 12:25:05PM +0200, Daniel Gustafsson wrote: >> The attached adds config loading to pgcrypto for < 1.1.0 and a doc notice for >> enabling the legacy provider in 3.0.0. This will require an alternative output >> file for non-legacy configs, but that should wait until 3.0.0 is GA since the >> returned error messages have changed over course of development and may not be >> set in stone just yet. > > FWIW, testing with 3.0.0-alpha9 dev (2d84089), I can see that the > error we have in our SSL tests when using a wrong password in the > private PEM key leads now to "PEM lib" instead of "bad decrypt". > > Upthread, we had "nested asn1 error": > https://www.postgresql.org/message-id/9CE70AF4-E1A0-4D24-86FA-4C3067077897@yesql.se > It looks like not everything is sorted out there yet. > > pgcrypto is also throwing new errors. Daniel, what if we let this > patch aside until upstream has sorted out their stuff? Well, the patch as it stands isn't changing any expected output at all, and only adds a docs notice for OpenSSL 3.0.0 conformance. The gist of the patch is to ensure that all supported versions of OpenSSL are initialized equally as currently < 1.1.0 are bypassing the local openssl config, where 1.1.0+ isn't. So I still think this patch is worth considering. Regarding test output: it's clear that we'll need to revisit this as the dust settles on OpenSSL 3.0.0, but as you say there is no use in doing anything until it has. According to their tracker they are, at this time of writing, 64% complete on the milestone to reach beta readiness [0] (which I believe started counting on alpha7). cheers ./daniel [0] https://github.com/openssl/openssl/milestone/17
Commits
-
Define OPENSSL_API_COMPAT
- 96f96398d398 11.21 landed
- 265c9138da58 12.16 landed
- 8aa9a26236aa 13.12 landed
- 4d3db13621be 14.0 landed
-
Add alternative output for OpenSSL 3 without legacy loaded
- eb643536b9f1 10.19 landed
- 8e7199453bf9 13.5 landed
- 7b6ce36fbab5 12.9 landed
- 6d0001aabf2a 14.0 landed
- 19e91a40bf26 11.14 landed
- 72bbff4cd6ea 15.0 landed
-
Disable OpenSSL EVP digest padding in pgcrypto
- e802b594e794 10.19 landed
- 4fa2b15e1c9c 14.0 landed
- 135d8687adf1 13.5 landed
- 11901cd9628b 11.14 landed
- 00c72da4a22d 12.9 landed
- 318df8023559 15.0 landed
-
pgcrypto: Check for error return of px_cipher_decrypt()
- a69e1506f618 13.5 landed
- 90cfd269f226 12.9 landed
- 841075a65cdc 10.19 landed
- 0f28d267c7e0 11.14 landed
- 22e1943f13b6 14.0 landed
-
OpenSSL 3.0.0 compatibility in tests
- f0d2c65f17ca 13.0 landed
-
Make ssl certificate for ssl_passphrase_callback test via Makefile
- b846091fd0a7 13.0 landed
-
Provide a TLS init hook
- 896fcdb230e7 13.0 cited