Re: PostgreSQL12 and older versions of OpenSSL

From: Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
To: Victor Wagner <vitus(at)wagner(dot)pp(dot)ru>
Cc: pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: PostgreSQL12 and older versions of OpenSSL
Date: 2019-09-24 15:13:07
Message-ID: 20190924151307.GA32591@alvherre.pgsql
Lists: pgsql-hackers

On 2019-Sep-24, Victor Wagner wrote:

> Dear hackers,
>
> PostgreSQL 12 documentation states that minimum required version of
> OpenSSL is 0.9.8. However, I was unable to compile current
> PGPRO_12_STABLE with OpenSSL 0.9.8j (from SLES 11sp4).

(Nice branch name.) I wonder if we should really continue to support
OpenSSL 0.9.8. That branch was abandoned by the OpenSSL dev group in
2015 ... and I wouldn't want to assume that there are no security
problems fixed in the meantime. Why shouldn't we drop support for that
going forward, raising our minimum required OpenSSL version to be at
least something in the 1.0 branch?

(I'm not entirely sure about minor version numbers in OpenSSL -- it
seems 1.0.2 is still being maintained, but 1.0.0 itself was also
abandoned in 2016, as was 1.0.1. As far as I understand they use the
alphabetical sequence *after* the three-part version number in the way
we use minor number; so 1.0.1u (2016) is the last there, and 1.0.2t is a
recent one in the maintained branch.

Along the same lines, 0.9.8j was released in Jan 2009. The last in
0.9.8 was 0.9.8zi in December 2015.)

Anyway I suppose it's not impossible that third parties are still
maintaining their 1.0.0 branch, but I doubt anyone cares for 0.9.8 with
Postgres 12 ... particularly since SUSE themselves suggest not to use
the packaged OpenSSL for their stuff but rather stick to NSS. That
said, in 2014 (!!) SUSE released OpenSSL 1.0.1 separately, for use with
SLES 11:
https://www.suse.com/c/introducing-the-suse-linux-enterprise-11-security-module/
Who would use the already obsolete SLES 11 (general support ended in
March 2019, though extended support ends in 2022) with Postgres 12?
That seems insane.

All that being said, I don't oppose this patch, since it seems a
quick way to get out of the immediate trouble.

--
Álvaro Herrera https://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
