Re: PQinitSSL broken in some use casesf

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Andrew Chernow <ac(at)esilo(dot)com>
Cc: Bruce Momjian <bruce(at)momjian(dot)us>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: PQinitSSL broken in some use casesf
Date: 2009-02-10 14:32:50
Message-ID: 49919012.9040207@hagander.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Andrew Chernow wrote:
> Bruce Momjian wrote:
>> Andrew Chernow wrote:
>>> I am using a library that links with and initializes libcrypto (ie.
>>> CRYPTO_set_locking_callback) but not SSL. This causes problems even
>>> when using PQinitSSL(FALSE) because things like SSL_library_init();
>>> are not called (unless I manually call them, copy and paste code from
>>> fe-secure.c which may change). If libpq does init ssl, it overwrites
>>> (and breaks) the other library's crypto.
>>>
>>> Shouldn't crypto and ssl init be treated as two different things? If
>>> not, how does one determine a version portable way of initializing
>>> SSL in a manner required by libpq? Lots of apps using encryption but
>>> don't necessarily use ssl, so they need to know how to init ssl for
>>> libpq.
>>
>> I didn't realize they were could be initialized separately, so we really
>> don't have an answer for you. This is the first time I have heard of
>> this requirement.
>>
>
> Just bringing it to everyones attention. I have no idea how common this
> use case is or if it deserves a patch. From your comments, it sounds
> uncommon.
>
> How we came across this:
> We have an internal library that links with libcrypto.so but not
> libssl.so. The library uses digests and ciphers from libcrypto. It
> initializes libcrypto for thread safety and seeds the PRNG. So, one of
> our applications is linking with both libpq and this library; which
> caused the conflict.
>
> How we worked around it:
> We solved it by copying the SSL init sequence from fe-secure.c. Doesn't
> seem like something that would change very often. So we
> init_our_library(), PQinitSSL(0) and then do a few lines of SSL init stuff.

Seems unusual, but certainly not "nearly impossible". But we're back to
the discussions around the WSA code - our API provides no really good
place to do this, so perhaps we should just clearly document how it's
done and how to work around it?

//Magnus

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Amit Gupta 2009-02-10 15:02:07 Re: Table Partitioning Feature
Previous Message Bernd Helmle 2009-02-10 14:17:44 HotStandby-Patch and WAL_DEBUG