Re: OpenSSL 3.0.0 vs old branches

On Tue, Feb 07, 2023 at 01:28:26PM -0500, Tom Lane wrote:
> I double-checked this on Fedora 37 (openssl 3.0.5). v11 and v12
> do build --with-openssl. There are an annoyingly large number of
> -Wdeprecated-declarations warnings, but those are there in v13 too.
> I confirm that back-patching f0d2c65f17 is required and sufficient
> to make the ssl test pass.

+1. (I am annoyed by that for any backpatch that involves v11 and
v12.)

> I think Peter's misremembering the history, and OpenSSL 3 *is*
> supported in these branches. There could be an argument for
> not back-patching f0d2c65f17 on the grounds that pre-1.1.1 is
> also supported there. On the whole though, it seems more useful
> today for that test to pass with 3.x than for it to pass with 0.9.8.
> And I can't see investing effort to make it do both (but if Peter
> wants to, I won't stand in the way).

Cutting support for 0.9.8 in oldest branches would be a very risky
move, but as you say, if that only involves a failure in the SSL
tests while still allowing anything we have to work, fine by me to
live with that.

Saying that, not being able to test these when working on a
SSL-specific patch adds an extra cost in back-patching. There are not
many of these lately, so that may be OK, still it would mean to apply
a reverse of f0d2c65. If things were to work for all the versions of
OpenSSL supported on 11 and 12, would it mean that the tests need to
store both -des and -aes256 data, having the tests switch from one to
the other depending on the version of OpenSSL built with?
--
Michael