Re: OpenSSL 3.0.0 compatibility

Peter Eisentraut <peter.eisentraut@2ndquadrant.com>

From: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Daniel Gustafsson <daniel@yesql.se>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2020-07-08T16:03:48Z
Lists: pgsql-hackers
On 2020-07-08 16:51, Robert Haas wrote:
> On Tue, Jul 7, 2020 at 1:46 PM Peter Eisentraut
> <peter.eisentraut@2ndquadrant.com> wrote:
>> Trying to move this along, where would be a good place to define
>> OPENSSL_API_COMPAT?  The only place that's shared between frontend and
>> backend code is c.h.  The attached patch does it that way.
> 
> So, if we go this way, does that mean that we're not going to pursue
> removing dependencies on the deprecated interfaces? I wonder if we
> really ought to be doing that too, with preprocessor conditionals.
> Otherwise, aren't we putting ourselves in an uncomfortable situation
> when the deprecated stuff eventually goes away upstream?

I don't think there is a rush.  The 3.0.0 alphas still support 
interfaces deprecated in 0.9.8 (released 2005).  AFAICT, nothing tagged 
under this API compatibility scheme has ever been removed.  If they 
started doing so, they would presumably do it step by step at the tail 
end, which would still give us several steps before it catches up with us.

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services



Commits

  1. Define OPENSSL_API_COMPAT

  2. Add alternative output for OpenSSL 3 without legacy loaded

  3. Disable OpenSSL EVP digest padding in pgcrypto

  4. pgcrypto: Check for error return of px_cipher_decrypt()

  5. OpenSSL 3.0.0 compatibility in tests

  6. Make ssl certificate for ssl_passphrase_callback test via Makefile

  7. Provide a TLS init hook