From: Andres Freund <andres(at)anarazel(dot)de>
To: Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
Cc: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Use EVP API pgcrypto encryption, dropping support for OpenSSL 0.9.6 and older
Date: 2015-10-05 15:28:48
Message-ID: 20151005152848.GE26492@awork2.anarazel.de
Lists: pgsql-hackers

On 2015-10-05 12:16:05 -0300, Alvaro Herrera wrote:
> Heikki Linnakangas wrote:
>
> > In short, pgcrypto actually used to use the EVP functions, but was changed
> > to *not* use them, because in older versions of OpenSSL, some key lengths
> > and/or padding options that pgcrypto supports were not supported by the EVP
> > API. That was fixed in OpenSSL 0.9.7, however. The consensus in 2007 was
> > that we could drop support for OpenSSL 0.9.6 and below, so that should
> > definitely be OK by now, if we haven't already done that elsewhere in the
> > code.
>
> I think we already effectively dropped support for < 0.9.7 with the
> renegotiation fixes; see
> https://www.postgresql.org/message-id/20130712203252.GH29206%40eldon.alvh.no-ip.org
9.5+ do again then :P
But more seriously: Given the upstream support policies from
https://www.openssl.org/policies/releasestrat.html :
"
Support for version 0.9.8 will cease on 2015-12-31. No further releases of 0.9.8 will be made after that date. Security fixes only will be applied to 0.9.8 until then.
Support for version 1.0.0 will cease on 2015-12-31. No further releases of 1.0.0 will be made after that date. Security fixes only will be applied to 1.0.0 until then.
We may designate a release as a Long Term Support (LTS) release. LTS
releases will be supported for at least five years and we will specify
one at least every four years. Non-LTS releases will be supported for at
least two years.
"
and the amount of security fixes regularly required for openssl, I don't
think we'd do anybody a favor by trying to continue supporting older
versions for a long while.
Note that openssl's security releases are denoted by a letter after the
numeric version, not by the last digit. 0.9.7 was released 30 Dec 2002.
Greetings,
Andres Freund
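The remark above about letter-suffixed security releases is easy to get wrong in version checks, so here is an added example (not code from this thread, from PostgreSQL, or from OpenSSL) that turns a release string such as "0.9.8zh" into the 0xMNNFFPPS integer layout that opensslv.h used for OPENSSL_VERSION_NUMBER in the 0.9.x through 1.1.x series (major, minor, fix, patch letter, status nibble 0xf for a release; letters a..z map to 1..26 and za.. continue from 27). The function names, the sample version strings, and the 0x00907000L floor are this example's own choices; the floor mirrors the kind of preprocessor test pgcrypto would use to require 0.9.7 or newer.

```c
#include <ctype.h>
#include <stdio.h>

/*
 * Map an OpenSSL patch-letter suffix to the PP byte of OPENSSL_VERSION_NUMBER:
 *   ""   -> 0      (the initial x.y.z release)
 *   "a".."y" -> 1..25, "z" -> 26
 *   "za".."zz" -> 27..52  (the scheme 0.9.8 used after running out of letters)
 * Returns -1 for anything else (uppercase, digits, three-letter suffixes, ...).
 */
static int patch_from_suffix(const char *s)
{
    if (s[0] == '\0')
        return 0;
    if (!islower((unsigned char) s[0]))
        return -1;
    if (s[0] != 'z')
        return s[1] == '\0' ? s[0] - 'a' + 1 : -1;
    if (s[1] == '\0')
        return 26;
    if (!islower((unsigned char) s[1]) || s[2] != '\0')
        return -1;
    return 26 + (s[1] - 'a' + 1);
}

/*
 * Encode "M.NN.FF[letters]" as 0xMNNFFPPS with status S = 0xf (release).
 * Returns 0 for a string that does not look like a pre-3.0 OpenSSL release
 * version, so callers can treat 0 as "unknown" rather than "very old".
 */
unsigned long openssl_version_number(const char *ver)
{
    unsigned major, minor, fix;
    int consumed = 0;
    int patch;

    if (ver == NULL || sscanf(ver, "%u.%u.%u%n", &major, &minor, &fix, &consumed) != 3)
        return 0;
    if (major > 0xf || minor > 0xff || fix > 0xff)
        return 0;
    patch = patch_from_suffix(ver + consumed);
    if (patch < 0)
        return 0;
    return ((unsigned long) major << 28) | ((unsigned long) minor << 20)
         | ((unsigned long) fix << 12) | ((unsigned long) patch << 4) | 0xfUL;
}

/* Same test pgcrypto could express as: #if OPENSSL_VERSION_NUMBER >= 0x00907000L */
int at_least_0_9_7(const char *ver)
{
    unsigned long n = openssl_version_number(ver);
    return n != 0 && n >= 0x00907000UL;
}

int main(void)
{
    /* Constructed sample inputs spanning the versions discussed in the thread. */
    const char *samples[] = { "0.9.6m", "0.9.7", "0.9.8", "0.9.8z", "0.9.8za",
                              "0.9.8zh", "1.0.0t", "1.0.2d", "0.9.8Z" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s -> 0x%08lx  >= 0.9.7: %s\n", samples[i],
               openssl_version_number(samples[i]),
               at_least_0_9_7(samples[i]) ? "yes" : "no");
    return 0;
}
```

The ordering this yields matches the point in the mail: 0.9.8zh sorts after 0.9.8 and every other 0.9.8 letter release, yet stays below 1.0.0, because the letter lands in the patch byte while the third digit is the fix byte. Comparing the strings as decimals, or as bare "x.y.z" triples, would miss more than a decade of 0.9.8 security releases.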