Re: OpenSSL 1.1 breaks configure and more
Andreas Karlsson <andreas@proxel.se>
From: Andreas Karlsson <andreas@proxel.se>
To: Christoph Berg <myon@debian.org>, Tom Lane <tgl@sss.pgh.pa.us>,
PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2016-07-02T00:02:48Z
Lists: pgsql-hackers
Attachments
- 0001-Fixes-for-compiling-with-OpenSSL-1.1-v2.patch (text/x-patch)
On 07/01/2016 11:41 AM, Christoph Berg wrote: > thanks for the patches. I applied all there patches on top of HEAD > (10c0558f). The server builds and passes "make check", pgcrypto still > needs work, though: Thanks, I had forgotten pgcrypto. When fixing pgcrypto I noticed that the OpenSSL team has deprecated RAND_pseudo_bytes() and recommend using RAND_bytes() instead (see 302d38e3f73d5fd2ba2fd30bb7798778cb9f18dd). As far as I can tell the only difference is that RAND_bytes() adds an error to the error queue if there is not enough entropy for generating secure data. And since we already always use strong random with the Fortuna algorithm, why not just drop px_get_pseudo_random_bytes()? It feels like a potential security problem with to me unclear benefit. I also found that client CA loading is broken in OpenSSL 1.1-pre5 (reported as https://github.com/openssl/openssl/pull/1279). This might be good to be aware of when testing my patches. Attached a new set of patches: 0001-Fixes-for-compiling-with-OpenSSL-1.1-v2.patch The fixes necessary to build with OpenSSL 1.1. Mostly fixes surrounding direct access to struct fields. 0002-Remove-OpenSSL-1.1-deprecation-warnings-v2.patch Fix deprecation warnings. Mostly trusting OpenSSL 1.1 to handle threading and initialization automatically. 0003-Remove-px_get_pseudo_random_bytes-v2.patch Remove the px_get_pseudo_random_bytes() from pgcrypto. Also silcences deprecation warning about RAND_pseudo_bytes(). 0004-Define-CRYPTO_LOCK-for-OpenSSL-1.1-compat-v2.patch Useful if you want to play around with 0001-Fixes-for-compiling-with-OpenSSL-1.1-v2.patch before they release a new version where CRYPTO_LOCK is added back. See https://github.com/openssl/openssl/issues/1260 Andreas
Commits
-
Back-patch 9.4-era SSL renegotiation code into 9.3 and 9.2.
- fbfeceb25362 9.3.17 landed
- 58384149bdbd 9.2.21 landed