Re: PostgreSQL12 and older versions of OpenSSL

On Tue, Sep 24, 2019 at 10:18:59AM +0300, Victor Wagner wrote:
> PostgreSQL 12 documentation states, that minimum required version of
> OpenSSL is 0.9.8. However, I was unable to сompile current
> PGPRO_12_STABLE with OpenSSL 0.9.8j (from SLES 11sp4).

I can reproduce that with REL_12_STABLE and the top of
OpenSSL_0_9_8-stable fromx OpenSSL's git.

> It is not so. Here is exempt from tls1.h header file from the openssl
> 0.9.8j
>
> #define TLS1_VERSION 0x0301
> #define TLS1_1_VERSION 0x0302
> #define TLS1_2_VERSION 0x0303
> /* TLS 1.1 and 1.2 are not supported by this version of OpenSSL, so
> * TLS_MAX_VERSION indicates TLS 1.0 regardless of the above
> * definitions. (s23_clnt.c and s23_srvr.c have an OPENSSL_assert()
> * check that would catch the error if TLS_MAX_VERSION was too low.)
> */
> #define TLS_MAX_VERSION TLS1_VERSION

Indeed, we rely currently on a false assumption that the version is
supported if the object is defined. That's clearly wrong.

> Replacing all
>
> #ifdef TLS1_1_VERSION
>
> with
>
> #if defined(TLS1_1_VERSION) && TLS1_1_VERSION <= TLS_MAX_VERSION
>
> and analogue for TLS1_2_VERSION fixes the problem.

That sounds like a plan.

> Really, problem is that symbol SSL_OP_NO_TLSv1_1 (and 1_2 accordingly)
> might be undefined even if TLS1_1_VERSION defined.
>
> Replacing
>
> #ifdef TLS1_1_VERSION
>
> with
>
> #ifdef SSL_OP_NO_TLSv1_1

Hmm. Wouldn't it be better to check if the maximum version of TLS is
supported and if SSL_OP_NO_TLSv1_1 is defined (same for 1.2)?

> But there is third (first from start of file) one.
> ...
> case PG_TLS1_1_VERSION:
> #ifdef TLS1_1_VERSION
> return TLS1_1_VERSION;
> #else
> break;
> #endif
> ...
> (line 1290). In this case check for TLS1_1_VERSION <= TLS_MAX_VERSION
> seems to be more self-explanatory, than check for somewhat unrelated
> symbol SSL_OP_NO_TLSv1_1

That sounds right. Victor, would you like to write a patch?
--
Michael