OpenSSL 3.0.0 compatibility
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2020-05-28T22:16:47Z
Lists: pgsql-hackers
Attachments
- 0002-OpenSSL-3.0.0-compatibility-in-tests.patch (application/octet-stream) patch 0002
- 0001-Compatibility-with-OpenSSL-3.0.0.patch (application/octet-stream) patch 0001
Since OpenSSL is now releasing 3.0.0-alpha versions, I took a look at using it with postgres to see what awaits us. As it is now shipping in releases (with GA planned for Q4), users will probably soon start to test against it so I wanted to be prepared. Regarding the deprecations, we can either set preprocessor directives or use compiler flags to silence the warning and do nothing (for now), or we could update to the new API. We probably want to different things for master vs back-branches, but as an illustration of what the latter could look like I've implemented this in 0001. SSL_CTX_load_verify_locations and X509_STORE_load_locations are deprecated and replaced by individual calls to load files and directories. These are quite straightforward, and are implemented like how we handle the TLS protocol API. DH_check has been discouraged to use for quite some time, and is now marked deprecated without a 1:1 replacement. The OpenSSL docs recommends using the EVP API, which is also done in 0001. For now I just stuck it in with version gated ifdefs, something cleaner than that can clearly be done. 0001 is clearly not proposed for review/commit yet, it's included in case someone else is interested as well. OpenSSL also deprecates DES keys in 3.0.0, which cause our password callback tests to fail with the cryptic error "fetch failed", as the test suite keys are encrypted with DES. 0002 fixes this by changing to AES256 (randomly chosen among the ciphers supported in 1.0.1+ and likely to be around), and could be applied already today as there is nothing 3.0.0 specific about it. On top of DES keys there are also a lot of deprecations or low-level functions which breaks pgcrypto in quite a few ways. I haven't tackled these yet, but it looks like we have to do the EVP rewrite there. cheers ./daniel
Commits
-
Define OPENSSL_API_COMPAT
- 96f96398d398 11.21 landed
- 265c9138da58 12.16 landed
- 8aa9a26236aa 13.12 landed
- 4d3db13621be 14.0 landed
-
Add alternative output for OpenSSL 3 without legacy loaded
- eb643536b9f1 10.19 landed
- 8e7199453bf9 13.5 landed
- 7b6ce36fbab5 12.9 landed
- 6d0001aabf2a 14.0 landed
- 19e91a40bf26 11.14 landed
- 72bbff4cd6ea 15.0 landed
-
Disable OpenSSL EVP digest padding in pgcrypto
- e802b594e794 10.19 landed
- 4fa2b15e1c9c 14.0 landed
- 135d8687adf1 13.5 landed
- 11901cd9628b 11.14 landed
- 00c72da4a22d 12.9 landed
- 318df8023559 15.0 landed
-
pgcrypto: Check for error return of px_cipher_decrypt()
- a69e1506f618 13.5 landed
- 90cfd269f226 12.9 landed
- 841075a65cdc 10.19 landed
- 0f28d267c7e0 11.14 landed
- 22e1943f13b6 14.0 landed
-
OpenSSL 3.0.0 compatibility in tests
- f0d2c65f17ca 13.0 landed
-
Make ssl certificate for ssl_passphrase_callback test via Makefile
- b846091fd0a7 13.0 landed
-
Provide a TLS init hook
- 896fcdb230e7 13.0 cited