Re: OpenSSL 1.1 breaks configure and more

From: Andreas Karlsson <andreas(at)proxel(dot)se>
To: Christoph Berg <myon(at)debian(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: OpenSSL 1.1 breaks configure and more
Date: 2016-07-02 00:02:48
Lists: pgsql-hackers

On 07/01/2016 11:41 AM, Christoph Berg wrote:
> thanks for the patches. I applied all there patches on top of HEAD
> (10c0558f). The server builds and passes "make check", pgcrypto still
> needs work, though:

Thanks, I had forgotten pgcrypto.

When fixing pgcrypto I noticed that the OpenSSL team has deprecated
RAND_pseudo_bytes() and recommends using RAND_bytes() instead (see

As far as I can tell the only difference is that RAND_bytes() adds an
error to the error queue if there is not enough entropy for generating
secure data. And since we already always use strong random with the
Fortuna algorithm, why not just drop px_get_pseudo_random_bytes()? It
feels like a potential security problem with, to me, unclear benefit.

I also found that client CA loading is broken in OpenSSL 1.1-pre5
(reported as This might
be good to be aware of when testing my patches.

Attached a new set of patches:


The fixes necessary to build with OpenSSL 1.1. Mostly fixes surrounding
direct access to struct fields.


Fix deprecation warnings. Mostly trusting OpenSSL 1.1 to handle
threading and initialization automatically.


Remove the px_get_pseudo_random_bytes() from pgcrypto. Also silences
deprecation warning about RAND_pseudo_bytes().


Useful if you want to play around with
0001-Fixes-for-compiling-with-OpenSSL-1.1-v2.patch before they release a
new version where CRYPTO_LOCK is added back. See


Attachment                                               Content-Type  Size
0001-Fixes-for-compiling-with-OpenSSL-1.1-v2.patch       text/x-patch  14.5 KB
0002-Remove-OpenSSL-1.1-deprecation-warnings-v2.patch    text/x-patch  3.7 KB
0003-Remove-px_get_pseudo_random_bytes-v2.patch          text/x-patch  3.7 KB
0004-Define-CRYPTO_LOCK-for-OpenSSL-1.1-compat-v2.patch  text/x-patch  824 bytes
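
Added example, not part of the message or its patches: the return-code contract that matters when a caller moves from RAND_pseudo_bytes() to RAND_bytes(). OpenSSL documents RAND_pseudo_bytes() as returning 0 when the bytes it wrote are not cryptographically strong, RAND_bytes() as returning 1 only on success, and -1 from either as "not supported". The wrapper strong_random(), the helper all_zero() and the stub generators are hypothetical names constructed here so the block builds without OpenSSL.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same signature as RAND_bytes() and RAND_pseudo_bytes(). */
typedef int (*rand_fn)(unsigned char *buf, int num);

/*
 * Hypothetical fail-closed wrapper (not pgcrypto code). Only 1 is success:
 * 0 means failure for RAND_bytes() and "not cryptographically strong" for
 * RAND_pseudo_bytes(); -1 means the RAND method does not support the call.
 * Returns 0 on success, -1 on any failure, with buf zeroed on failure.
 */
int strong_random(rand_fn gen, unsigned char *buf, size_t len)
{
    if (gen == NULL || buf == NULL || len == 0 || len > (size_t) INT_MAX)
        return -1;
    if (gen(buf, (int) len) != 1)
    {
        memset(buf, 0, len);    /* never hand weak bytes to the caller */
        return -1;
    }
    return 0;
}

/* Constructed stand-ins for the three documented outcomes. */
static int stub_strong(unsigned char *b, int n) { memset(b, 0xA5, (size_t) n); return 1; }
static int stub_weak(unsigned char *b, int n) { memset(b, 0x11, (size_t) n); return 0; }
static int stub_unsupported(unsigned char *b, int n) { (void) b; (void) n; return -1; }

/* Helper for checking that a rejected buffer was wiped. */
int all_zero(const unsigned char *b, size_t n)
{
    while (n--)
        if (*b++ != 0)
            return 0;
    return 1;
}

int main(void)
{
    unsigned char key[16];

    /* In real code pass RAND_bytes from <openssl/rand.h> as gen. */
    printf("strong: %d\n", strong_random(stub_strong, key, sizeof key));
    printf("weak: %d\n", strong_random(stub_weak, key, sizeof key));
    printf("unsupported: %d\n", strong_random(stub_unsupported, key, sizeof key));
    return 0;
}
```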
