Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?
Michael Paquier <michael@paquier.xyz>
From: Michael Paquier <michael@paquier.xyz>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Peter Eisentraut <peter@eisentraut.org>, Jacob Champion <jacob.champion@enterprisedb.com>, Thomas Munro <thomas.munro@gmail.com>, Postgres hackers <pgsql-hackers@lists.postgresql.org>, mikael.kjellstrom@gmail.com, Tom Lane <tgl@sss.pgh.pa.us>
Date: 2024-04-15T23:03:41Z
Lists: pgsql-hackers
On Mon, Apr 15, 2024 at 11:07:05AM +0200, Daniel Gustafsson wrote: > On 15 Apr 2024, at 07:04, Michael Paquier <michael@paquier.xyz> wrote: >> On Fri, Apr 12, 2024 at 02:42:57PM +0200, Daniel Gustafsson wrote: >>> Is the attached split in line with how you were thinking about it? >> >> If I may, 0001 looks sensible here. The bits from 0003 and 0004 could >> be applied before 0002, as well. > > Agreed, once we are in post-freeze I think those three are mostly > ready to go. Is there a point to wait for 0001, 0003 and 0004, though, and shouldn't these three be backpatched? 0001 is certainly OK as a doc-only change to be consistent across the board without waiting 5 more years. 0003 and 0004 are conditional and depend on if SSL_R_VERSION_TOO_LOW and SSL_OP_NO_CLIENT_RENEGOTIATION are defined at compile-time. 0003 is much more important, and note that 01e6f1a842f4 has been backpatched all the way down. 0004 is nice, still not strongly mandatory. >> Rather than calling always RAND_poll(), this >> could use a static flag to call it only once when pg_strong_random is >> called for the first time. > > Agreed, we can good that. Fixed. +#if (OPENSSL_VERSION_NUMBER <= 0x10100000L) + static bool rand_initialized = false; This does not look right. At the top of upstream's branch OpenSSL_1_1_0-stable, OPENSSL_VERSION_NUMBER is 0x101000d0L, so the initialization would be missed for any version in the 1.1.0 series except the GA one without this code being compiled, no? >> I would not mind seeing this part entirely >> gone with the removal of support for 1.1.0. > > If we want to keep autoconf from checking versions and just check compatibility > (with our code) then we will remain at 1.1.0 compatibility. The only 1.1.1 API > we use is not present in LibreSSL so we can't really place a hard restriction > on that. It might be that keeping it for now, and removing it later during the > v18 cycle as we modernize our OpenSSL code (which I hope to find time to work > on) and make use of newer 1.1.1 API:s. That way we can keep our autoconf/meson > checks consistent across library checks. If we end up with no new API:s to > check for by the time the last commitfest of v18 rolls around, we can revisit > the decision then. Okay, fine by me. -- Michael
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Remove obsolete unconstify()
- 1fb2308e698e 18.0 landed
-
Only perform pg_strong_random init when required
- c3333dbc0c0f 18.0 landed
-
Remove support for OpenSSL older than 1.1.0
- a70e01d4306f 18.0 landed
-
Support SSL_R_VERSION_TOO_LOW when using LibreSSL
- d80f2ce29465 17.0 landed
-
Support disallowing SSL renegotiation when using LibreSSL
- 44e27f0a6d07 17.0 landed
-
Doc: Use past tense for things which happened in the past
- 91d6429fad55 17.0 landed
-
Remove support for OpenSSL 1.0.1
- 8e278b657664 17.0 landed
-
Remove support for OpenSSL 0.9.8 and 1.0.0
- 7b283d0e1d1d 13.0 cited