Re: PostgreSQL12 and older versions of OpenSSL

From: Michael Paquier <michael(at)paquier(dot)xyz>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Victor Wagner <vitus(at)wagner(dot)pp(dot)ru>, pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: PostgreSQL12 and older versions of OpenSSL
Date: 2019-09-25 06:55:14
Message-ID: 20190925065514.GJ1815@paquier.xyz
Lists: pgsql-hackers

On Tue, Sep 24, 2019 at 11:25:30AM -0400, Tom Lane wrote:
> Alvaro Herrera <alvherre(at)2ndquadrant(dot)com> writes:
>> ... I wonder if we should really continue to support
>> OpenSSL 0.9.8.
>
> Fair question, but post-rc1 is no time to be moving that goalpost
> for the v12 branch.

Yeah. I worked in the past with SUSE-based appliances, and I recall
that those folks have been maintaining their own patched version of
OpenSSL 0.9.8 with a bunch of custom patches, some of them coming from
newer versions of upstream to take care of security issues with 0.9.8.
So even if they call their version 0.9.8j, I think that they include
many more security-related fixes than their version string suggests.
I don't know to what extent though.

>> Anyway I suppose it's not impossible that third parties are still
>> maintaining their 1.0.0 branch,
>
> Another data point on that is that Red Hat is still supporting
> 1.0.1e in RHEL6. I don't think we should assume that just because
> OpenSSL upstream has dropped support for a branch, it no longer
> exists in the wild.
>
> Having said that, if it makes our lives noticeably easier to
> drop support for 0.9.8 in HEAD, I won't stand in the way.

Agreed. There is an argument for dropping support for OpenSSL 0.9.8
in 13~, but I don't agree with doing that in 12. Let's just fix the
issue.
--
Michael
