From: | Michael Paquier <michael(at)paquier(dot)xyz> |
---|---|
To: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
Cc: | Peter Eisentraut <peter(at)eisentraut(dot)org>, Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>, Thomas Munro <thomas(dot)munro(at)gmail(dot)com>, Postgres hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, mikael(dot)kjellstrom(at)gmail(dot)com, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Subject: | Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~? |
Date: | 2024-05-01 04:21:32 |
Message-ID: | ZjHDTGKUM_TK1PDn@paquier.xyz |
Lists: | pgsql-hackers |
On Sat, Apr 27, 2024 at 08:33:55PM +0200, Daniel Gustafsson wrote:
> > On 27 Apr 2024, at 20:32, Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
>
> > That's a good point, there is potential for more code removal here. The
> > attached 0001 takes a stab at it while it's fresh in mind, I'll revisit before
> > the July CF to see if there is more that can be done.
>
> ..and again with the attachment. Not enough coffee.
My remark was originally about pq_init_crypto_lib that does the
locking initialization, and your new patch does a bit more, as of:
- /* This stuff need be done only once. */
- if (!SSL_initialized)
- {
-#ifdef HAVE_OPENSSL_INIT_SSL
- OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
-#else
- OPENSSL_config(NULL);
- SSL_library_init();
- SSL_load_error_strings();
-#endif
- SSL_initialized = true;
- }
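Review bot: In the HAVE_OPENSSL_INIT_SSL branch the removed call passed OPENSSL_INIT_LOAD_CONFIG explicitly, so with the whole "if (!SSL_initialized)" block gone the patch should say, in the commit message or in a comment at this site, that configuration loading is now left to the library's implicit initialization and that this was checked for both OpenSSL 1.1.0~ and LibreSSL. Since "SSL_initialized = true;" was set here, also check whether the SSL_initialized variable has any remaining users; if it has none, its declaration should be removed in the same patch.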
OPENSSL_init_ssl() has replaced SSL_library_init(), marked as
deprecated, and even this step is mentioned as not required anymore
with 1.1.0~:
https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_init_ssl.html
Same with OPENSSL_init_crypto(), replacing OPENSSL_config(), again not
required in 1.1.0~:
https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_init_crypto.html
SSL_load_error_strings() is recommended not to be used in 1.1.0,
replaced by the others:
https://www.openssl.org/docs/man3.2/man3/SSL_load_error_strings.html
While OpenSSL will be able to cope with that, how much of that applies
to LibreSSL? SSL_load_error_strings(), OPENSSL_init_ssl(),
OPENSSL_CONFIG() are OK based on the docs:
https://man.archlinux.org/man/extra/libressl/libressl-OPENSSL_config.3.en
https://man.archlinux.org/man/extra/libressl/libressl-OPENSSL_init_ssl.3.en
https://man.archlinux.org/man/extra/libressl/libressl-ERR_load_crypto_strings.3.en
So +1 to remove all this code after a closer look. I would
recommend updating the documentation of PQinitSSL and PQinitOpenSSL
to tell that these become useless and are deprecated.
ERR_clear_error();
-
#ifdef USE_RESOWNER_FOR_HMAC
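Review bot: The blank line dropped between ERR_clear_error(); and #ifdef USE_RESOWNER_FOR_HMAC is a whitespace-only change unrelated to the initialization cleanup; restore it so this hunk disappears and the patch touches only the code it means to remove.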
Some noise diff.
--
Michael