Re: Retire support for OpenSSL 1.1.1 due to raised API requirements

Michael Paquier <michael@paquier.xyz>

From: Michael Paquier <michael@paquier.xyz>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2024-09-09T22:53:07Z
Lists: pgsql-hackers
On Mon, Sep 09, 2024 at 11:29:09PM +0200, Daniel Gustafsson wrote:
> Agreed.  OpenSSL 1.1.1 is very different story and I suspect we'll be stuck on
> that level for some time, but 1.1.0 is gone from production use.

The cleanup induced by the removal of 1.1.0 is minimal.  I'm on board
about your argument with SSL_CTX_set_ciphersuites() to drop 1.1.0 and
simplify the other feature.

I was wondering about HAVE_SSL_CTX_SET_NUM_TICKETS for a few seconds,
but morepork that relies on LibreSSL 3.3.2 disagrees with me.
--
Michael

Commits

  1. Raise the minimum supported OpenSSL version to 1.1.1

  2. Remove support for OpenSSL older than 1.1.0