Re: OpenSSL 3.0.0 compatibility

From: Michael Paquier <michael(at)paquier(dot)xyz>
To: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>
Cc: Daniel Gustafsson <daniel(at)yesql(dot)se>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: OpenSSL 3.0.0 compatibility
Date: 2020-05-31 02:52:15
Message-ID: 20200531025215.GC205907@paquier.xyz
Lists: pgsql-hackers

On Sat, May 30, 2020 at 11:29:11AM +0200, Peter Eisentraut wrote:
> I'm not sure. I don't have a good sense of what OpenSSL versions we claim
> to support in branches older than PG13. We made a conscious decision for
> 1.0.1 in PG13, but I seem to recall that that discussion also revealed that
> the version assumptions before that were quite inconsistent. Code in PG12
> and before makes references to OpenSSL as old as 0.9.6. But OpenSSL 3.0.0
> will reject a compat level older than 0.9.8.

593d4e4 claims that we only support OpenSSL >= 0.9.8, meaning that
down to PG 10 we have this requirement, and that PG 9.6 and 9.5 should
be able to work with OpenSSL 0.9.7 and 0.9.6, but little effort has
been put into testing these.

> My proposal would be to introduce OPENSSL_API_COMPAT=10001 into master after
> the 13/14 branching, along with any other changes to make it compile cleanly
> against OpenSSL 3.0.0. Once that has survived some scrutiny from the
> buildfarm and also from folks building against LibreSSL etc., it should
> probably be backpatched into PG13. In the immediate future, I wouldn't
> bother about the older branches (<=PG12) at all. As long as they still
> compile, users can just disable deprecation warnings, and we may add some
> patches to that effect at some point, but it's not like OpenSSL 3.0.0 will
> be adopted into production builds any time soon.

Please note that I actually may have to bother about 12 and OpenSSL
3.0.0 as 1.0.2 deprecation is visibly accelerating a move to newer
versions at least in my close neighborhood. We are not there yet of
course, so doing this work with 14 and 13 sounds fine to me for now.
--
Michael
