Re: Update minimum SSL version

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Daniel Gustafsson <daniel(at)yesql(dot)se>
Cc: Michael Paquier <michael(at)paquier(dot)xyz>, Magnus Hagander <magnus(at)hagander(dot)net>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Update minimum SSL version
Date: 2019-12-02 14:59:44
Message-ID: 29069.1575298784@sss.pgh.pa.us
Lists: pgsql-hackers

Daniel Gustafsson <daniel(at)yesql(dot)se> writes:
> On 30 Nov 2019, at 03:43, Michael Paquier <michael(at)paquier(dot)xyz> wrote:
>> The buildfarm logs don't directly report the version of OpenSSL used
>> as far as I recalled, and a quick lookup shows that..

> Not explicitly, but it would be nice if it did. Since the version depends on
> the optional FIPS module, running "openssl version" is really the safe option,
> which in itself is hard since the libraries pointed to with --with-libs aren't
> guaranteed to have an openssl command installed etc. OpenSSL might also these
> days be LibreSSL (or potentially even BoringSSL perhaps if someone twists the
> arm of their installation enough).

Yeah, I do not think that would be a good solution --- it would give wrong
answers on three of my four buildfarm animals :-(, for precisely the
reason that they're using --with-libs to point to a non-system openssl
installation.

Is there a simple way to ask the library itself for version info?
It might be worth the cycles to have configure run a small test
program to extract and print that data (not on cross-compile
builds, of course).

> (the careful observer notes that the SSL_clear_options() check fails even
> though it should be in 1.0.2, and that's probably because SSL_clear_options is a
> macro until 1.1.0 where it becomes a function).

Hmm, is it worth the trouble to fix that?

> gaur however looks like it is running 0.9.8:

gaur and prairiedog are both building with 0.9.8x, as you can tell
from their --with-libs options.

> Randomly picking animals, and trying to target platforms where older versions
> could be expected, I didn't see any <= 0.9.7; a small number 0.9.8 and most at
> 1.0.2 or higher (with the 0.9.8 animals being: gaur, sungazer and prairiedog).

According to the commit log (see 593d4e47d), we require 0.9.8 or later
in v10 and up, so any older animals got upgraded or retired some time
ago.

regards, tom lane
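
A sketch of the kind of small test program the message asks about, as an added example that is not code from this thread or from PostgreSQL's configure. The names `openssl_version_str`, `openssl_at_least` and the `WITH_LIBCRYPTO` build switch are hypothetical; without that switch the program decodes a constructed sample value. It also covers the 3.0 version-number layout, which goes beyond the releases discussed above.

```c
#include <stdio.h>
#include <string.h>
#ifdef WITH_LIBCRYPTO   /* hypothetical switch: cc -DWITH_LIBCRYPTO ... -lcrypto */
#include <openssl/crypto.h>
#endif

/* Decode OPENSSL_VERSION_NUMBER. Before 3.0 the layout is 0xMNNFFPPS
 * (major, minor, fix, patch letter, status); from 3.0 it is 0xMNN00PPS
 * (major, minor, numeric patch). Returns a static buffer. */
const char *openssl_version_str(unsigned long v)
{
    static char buf[32];
    unsigned major = (v >> 28) & 0xf, minor = (v >> 20) & 0xff;
    unsigned fix = (v >> 12) & 0xff, patch = (v >> 4) & 0xff;
    char letters[3] = "";

    if (patch > 26)         /* 0.9.8za and later: 'z' plus a second letter */
        snprintf(letters, sizeof letters, "z%c", (int) ('a' + patch - 27));
    else if (patch > 0)
        snprintf(letters, sizeof letters, "%c", (int) ('a' + patch - 1));
    if (major >= 3)
        snprintf(buf, sizeof buf, "%u.%u.%u", major, minor, patch);
    else
        snprintf(buf, sizeof buf, "%u.%u.%u%s", major, minor, fix, letters);
    return buf;
}

/* Compare against a minimum release, ignoring the status nibble. */
int openssl_at_least(unsigned long v, unsigned long minimum)
{
    return (v >> 4) >= (minimum >> 4);
}

int main(void)
{
    unsigned long v = 0x0090818fUL;     /* constructed sample value: 0.9.8x */
#ifdef WITH_LIBCRYPTO
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
    v = OpenSSL_version_num();          /* a function since 1.1.0 */
#else
    v = SSLeay();   /* 0.9.8 to 1.0.2; LibreSSL always reports 0x20000000 */
#endif
#endif
    printf("libcrypto %s (0x%08lx), >= 0.9.8: %d\n",
           openssl_version_str(v), v, openssl_at_least(v, 0x00908000UL));
    return 0;
}
```

Because the value comes from the linked library rather than from an `openssl` binary on the PATH, it reflects whatever `--with-libs` pointed the build at.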
