Re: OpenSSL 3.0.0 vs old branches

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: OpenSSL 3.0.0 vs old branches
Date: 2023-02-07 12:08:07
Message-ID: fc812f87-7e7b-b8b9-5e20-add0216966f6@dunslane.net
Lists: pgsql-hackers


On 2023-02-07 Tu 02:18, Peter Eisentraut wrote:
> On 06.02.23 16:56, Andrew Dunstan wrote:
>> I recently moved crake to a new machine running Fedora 36, which has
>> OpenSSL 3.0.0. This causes the SSL tests to fail on branches earlier
>> than release 13, so I propose to backpatch commit f0d2c65f17 to the
>> release 11 and 12 branches.
>
> This is not the only patch that we did to support OpenSSL 3.0.0. There
> was a very lengthy discussion that resulted in various patches. 
> Unless we have a complete analysis of what was done and how it affects
> various branches, I would not do this.  Notably, we did actually
> consider what to backpatch, and the current state is the result of
> that.  So let's not throw that away without considering that
> carefully.  Even if it gets it to compile, I personally would not
> *trust* it without that analysis.  I think we should just leave it
> alone and consider OpenSSL 3.0.0 unsupported in the branches where it
> is now unsupported.  OpenSSL 1.1.1 is still supported upstream to
> serve those releases.

The only thing this commit does is replace a DES encrypted key file with
one encrypted with AES-256. It doesn't affect compilation at all, and
shouldn't affect tests run with 1.1.1.

I guess the alternatives are a) disable the SSL tests on branches <= 12
or b) completely disable building with SSL for branches <= 12. I would
probably opt for a). I bet this crops up a few more times as OpenSSL
3.0.0 becomes more widespread, until release 12 goes EOL.

cheers

andrew

--
Andrew Dunstan
EDB:https://www.enterprisedb.com
