Re: OpenSSL 3.0.0 vs old branches

Andrew Dunstan <andrew@dunslane.net>

From: Andrew Dunstan <andrew@dunslane.net>
To: Peter Eisentraut <peter.eisentraut@enterprisedb.com>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2023-02-07T12:08:07Z
Lists: pgsql-hackers
On 2023-02-07 Tu 02:18, Peter Eisentraut wrote:
> On 06.02.23 16:56, Andrew Dunstan wrote:
>> I recently moved crake to a new machine running Fedora 36, which has 
>> OpenSSL 3.0.0. This causes the SSL tests to fail on branches earlier 
>> than release 13, so I propose to backpatch commit f0d2c65f17 to the 
>> release 11 and 12 branches.
>
> This is not the only patch that we did to support OpenSSL 3.0.0. There 
> was a very lengthy discussion that resulted in various patches.  
> Unless we have a complete analysis of what was done and how it affects 
> various branches, I would not do this.  Notably, we did actually 
> consider what to backpatch, and the current state is the result of 
> that.  So let's not throw that away without considering that 
> carefully.  Even if it gets it to compile, I personally would not 
> *trust* it without that analysis.  I think we should just leave it 
> alone and consider OpenSSL 3.0.0 unsupported in the branches were it 
> is now unsupported.  OpenSSL 1.1.1 is still supported upstream to 
> serve those releases.


The only thing this commit does is replace a DES encrypted key file with 
one encrypted with AES-256. It doesn't affect compilation at all, and 
shouldn't affect tests run with 1.1.1.

I guess the alternatives are a) disable the SSL tests on branches <= 12 
or b) completely disable building with SSL for branches <= 12. I would 
probably opt for a). I bet this crops up a few more times as OpenSSL 
3.0.0 becomes more widespread, until release 12 goes EOL.


cheers


andrew

--
Andrew Dunstan
EDB:https://www.enterprisedb.com

Commits

  1. Backpatch OpenSSL 3.0.0 compatibility in tests

  2. OpenSSL 3.0.0 compatibility in tests

  3. Remove support for OpenSSL 0.9.8 and 1.0.0