From: Daniel Gustafsson
Subject: PostgreSQL and OpenSSL 4.0.0
Message-Id: <066B07BB-85FA-487C-BE8C-40F791CFC3C4@yesql.se>
Date: Thu, 16 Apr 2026 15:32:54 +0200
To: PostgreSQL-development
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3776.700.51.11.2\))
Content-Type: multipart/mixed; boundary="Apple-Mail=_31018FB0-6F77-4F97-B12D-F62FD1AE74B6"

--Apple-Mail=_31018FB0-6F77-4F97-B12D-F62FD1AE74B6
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=us-ascii

With OpenSSL 4.0.0 shipping GA a few days ago I tried compiling PostgreSQL against it and ran the tests. Unsurprisingly the tests pass just fine and it compiles without error since they aren't removing any APIs we use (they are deprecating more APIs we use, more on that in later threads). There are however a number of warnings since they changed constness on a number of APIs.
Sadly, just adopting const causes similar warnings on OpenSSL 1.1.1 and LibreSSL so we need to do uglier tricks with casting away constness.

The attached patch, while not pretty, allows libpq and sslinfo to build without warnings on OpenSSL 1.1.1 through 4.0.0 as well as on LibreSSL (and there is quite some variability in constness across all these API versions).

--
Daniel Gustafsson

--Apple-Mail=_31018FB0-6F77-4F97-B12D-F62FD1AE74B6
Content-Disposition: attachment; filename=0001-ssl-Declare-variables-const-as-per-OpenSSL-4-API-upd.patch
Content-Type: application/octet-stream; x-unix-mode=0644; name="0001-ssl-Declare-variables-const-as-per-OpenSSL-4-API-upd.patch"
Content-Transfer-Encoding: quoted-printable

=46rom=208c878a8c98816bd47c6e7f39e86f5e477fc230ec=20Mon=20Sep=2017=20= 00:00:00=202001=0AFrom:=20Daniel=20Gustafsson=20= =0ADate:=20Thu,=2016=20Apr=202026=2015:20:13=20= +0200=0ASubject:=20[PATCH]=20ssl:=20Declare=20variables=20const=20as=20= per=20OpenSSL=204=20API=20updates=0A=0AOpenSSL=204.0.0=20changed=20some=20= parameters=20and=20return=20values=20to=20const,=0Aupdate=20our=20= declarations=20and=20subsequently=20cast=20away=20constness=20from=0Aa=20= few=20callsites=20to=20make=20libpq=20build=20without=20warnings=20with=20= OpenSSL=0A1.1.1=20through=204.0.0.=20=20as=20well=20as=20LibreSSL.=0A---=0A= =20contrib/sslinfo/sslinfo.c=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20= =20|=2020=20++++++++++----------=0A=20= src/backend/libpq/be-secure-openssl.c=20=20=20=20|=2014=20+++++++-------=0A= =20src/interfaces/libpq/fe-secure-openssl.c=20|=20=209=20+++++----=0A=20= 3=20files=20changed,=2022=20insertions(+),=2021=20deletions(-)=0A=0Adiff=20= --git=20a/contrib/sslinfo/sslinfo.c=20b/contrib/sslinfo/sslinfo.c=0A= index=202b9eb90b093..c4ae847880d=20100644=0A---=20= a/contrib/sslinfo/sslinfo.c=0A+++=20b/contrib/sslinfo/sslinfo.c=0A@@=20= -24,8=20+24,8=20@@=20PG_MODULE_MAGIC_EXT(=0A=20=09=09=09=09=09.version=20=
=3D=20PG_VERSION=0A=20);=0A=20=0A-static=20Datum=20= X509_NAME_field_to_text(X509_NAME=20*name,=20text=20*fieldName);=0A= -static=20Datum=20ASN1_STRING_to_text(ASN1_STRING=20*str);=0A+static=20= Datum=20X509_NAME_field_to_text(const=20X509_NAME=20*name,=20text=20= *fieldName);=0A+static=20Datum=20ASN1_STRING_to_text(const=20ASN1_STRING=20= *str);=0A=20=0A=20/*=0A=20=20*=20Function=20context=20for=20data=20= persisting=20over=20repeated=20calls.=0A@@=20-148,7=20+148,7=20@@=20= ssl_client_serial(PG_FUNCTION_ARGS)=0A=20=20*=20function.=0A=20=20*/=0A=20= static=20Datum=0A-ASN1_STRING_to_text(ASN1_STRING=20*str)=0A= +ASN1_STRING_to_text(const=20ASN1_STRING=20*str)=0A=20{=0A=20=09BIO=09=09= =20=20=20*membuf;=0A=20=09size_t=09=09size;=0A@@=20-194,12=20+194,12=20= @@=20ASN1_STRING_to_text(ASN1_STRING=20*str)=0A=20=20*=20part=20of=20= name=0A=20=20*/=0A=20static=20Datum=0A-X509_NAME_field_to_text(X509_NAME=20= *name,=20text=20*fieldName)=0A+X509_NAME_field_to_text(const=20X509_NAME=20= *name,=20text=20*fieldName)=0A=20{=0A=20=09char=09=20=20=20= *string_fieldname;=0A=20=09int=09=09=09nid,=0A=20=09=09=09=09index;=0A-=09= ASN1_STRING=20*data;=0A+=09const=20ASN1_STRING=20*data;=0A=20=0A=20=09= string_fieldname=20=3D=20text_to_cstring(fieldName);=0A=20=09nid=20=3D=20= OBJ_txt2nid(string_fieldname);=0A@@=20-209,7=20+209,7=20@@=20= X509_NAME_field_to_text(X509_NAME=20*name,=20text=20*fieldName)=0A=20=09=09= =09=09=20errmsg("invalid=20X.509=20field=20name:=20\"%s\"",=0A=20=09=09=09= =09=09=09string_fieldname)));=0A=20=09pfree(string_fieldname);=0A-=09= index=20=3D=20X509_NAME_get_index_by_NID(name,=20nid,=20-1);=0A+=09index=20= =3D=20X509_NAME_get_index_by_NID(unconstify(X509_NAME=20*,=20name),=20= nid,=20-1);=0A=20=09if=20(index=20<=200)=0A=20=09=09return=20(Datum)=20= 0;=0A=20=09data=20=3D=20= X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name,=20index));=0A@@=20= -421,8=20+421,8=20@@=20ssl_extension_info(PG_FUNCTION_ARGS)=0A=20=09=09= 
HeapTuple=09tuple;=0A=20=09=09Datum=09=09result;=0A=20=09=09BIO=09=09=20=20= =20*membuf;=0A-=09=09X509_EXTENSION=20*ext;=0A-=09=09ASN1_OBJECT=20*obj;=0A= +=09=09const=20X509_EXTENSION=20*ext;=0A+=09=09const=20ASN1_OBJECT=20= *obj;=0A=20=09=09int=09=09=09nid;=0A=20=09=09int=09=09=09len;=0A=20=0A@@=20= -435,7=20+435,7=20@@=20ssl_extension_info(PG_FUNCTION_ARGS)=0A=20=0A=20=09= =09/*=20Get=20the=20extension=20from=20the=20certificate=20*/=0A=20=09=09= ext=20=3D=20X509_get_ext(cert,=20call_cntr);=0A-=09=09obj=20=3D=20= X509_EXTENSION_get_object(ext);=0A+=09=09obj=20=3D=20= X509_EXTENSION_get_object(unconstify(X509_EXTENSION=20*,=20ext));=0A=20=0A= =20=09=09/*=20Get=20the=20extension=20name=20*/=0A=20=09=09nid=20=3D=20= OBJ_obj2nid(obj);=0A@@=20-448,7=20+448,7=20@@=20= ssl_extension_info(PG_FUNCTION_ARGS)=0A=20=09=09nulls[0]=20=3D=20false;=0A= =20=0A=20=09=09/*=20Get=20the=20extension=20value=20*/=0A-=09=09if=20= (X509V3_EXT_print(membuf,=20ext,=200,=200)=20<=3D=200)=0A+=09=09if=20= (X509V3_EXT_print(membuf,=20unconstify(X509_EXTENSION=20*,=20ext),=200,=20= 0)=20<=3D=200)=0A=20=09=09=09ereport(ERROR,=0A=20=09=09=09=09=09= (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),=0A=20=09=09=09=09=09=20= errmsg("could=20not=20print=20extension=20value=20in=20certificate=20at=20= position=20%d",=0Adiff=20--git=20a/src/backend/libpq/be-secure-openssl.c=20= b/src/backend/libpq/be-secure-openssl.c=0Aindex=20= a3e222f3a3d..3bf96022e1b=20100644=0A---=20= a/src/backend/libpq/be-secure-openssl.c=0A+++=20= b/src/backend/libpq/be-secure-openssl.c=0A@@=20-106,7=20+106,7=20@@=20= static=20void=20host_context_cleanup_cb(void=20*arg);=0A=20static=20int=09= sni_clienthello_cb(SSL=20*ssl,=20int=20*al,=20void=20*arg);=0A=20#endif=0A= =20=0A-static=20char=20*X509_NAME_to_cstring(X509_NAME=20*name);=0A= +static=20char=20*X509_NAME_to_cstring(const=20X509_NAME=20*name);=0A=20=0A= =20static=20SSL_CTX=20*SSL_context=20=3D=20NULL;=0A=20static=20= 
MemoryContext=20SSL_hosts_memcxt=20=3D=20NULL;=0A@@=20-1071,18=20= +1071,18=20@@=20aloop:=0A=20=09if=20(port->peer=20!=3D=20NULL)=0A=20=09{=0A= =20=09=09int=09=09=09len;=0A-=09=09X509_NAME=20=20*x509name=20=3D=20= X509_get_subject_name(port->peer);=0A+=09=09const=20X509_NAME=20= *x509name=20=3D=20X509_get_subject_name(port->peer);=0A=20=09=09char=09=20= =20=20*peer_dn;=0A=20=09=09BIO=09=09=20=20=20*bio=20=3D=20NULL;=0A=20=09=09= BUF_MEM=20=20=20=20*bio_buf=20=3D=20NULL;=0A=20=0A-=09=09len=20=3D=20= X509_NAME_get_text_by_NID(x509name,=20NID_commonName,=20NULL,=200);=0A+=09= =09len=20=3D=20X509_NAME_get_text_by_NID(unconstify(X509_NAME=20*,=20= x509name),=20NID_commonName,=20NULL,=200);=0A=20=09=09if=20(len=20!=3D=20= -1)=0A=20=09=09{=0A=20=09=09=09char=09=20=20=20*peer_cn;=0A=20=0A=20=09=09= =09peer_cn=20=3D=20MemoryContextAlloc(TopMemoryContext,=20len=20+=201);=0A= -=09=09=09r=20=3D=20X509_NAME_get_text_by_NID(x509name,=20= NID_commonName,=20peer_cn,=0A+=09=09=09r=20=3D=20= X509_NAME_get_text_by_NID(unconstify(X509_NAME=20*,=20x509name),=20= NID_commonName,=20peer_cn,=0A=20=09=09=09=09=09=09=09=09=09=09=20=20len=20= +=201);=0A=20=09=09=09peer_cn[len]=20=3D=20'\0';=0A=20=09=09=09if=20(r=20= !=3D=20len)=0A@@=20-2333,14=20+2333,14=20@@=20= be_tls_get_certificate_hash(Port=20*port,=20size_t=20*len)=0A=20=20*=0A=20= =20*/=0A=20static=20char=20*=0A-X509_NAME_to_cstring(X509_NAME=20*name)=0A= +X509_NAME_to_cstring(const=20X509_NAME=20*name)=0A=20{=0A=20=09BIO=09=09= =20=20=20*membuf=20=3D=20BIO_new(BIO_s_mem());=0A=20=09int=09=09=09i,=0A=20= =09=09=09=09nid,=0A=20=09=09=09=09count=20=3D=20= X509_NAME_entry_count(name);=0A-=09X509_NAME_ENTRY=20*e;=0A-=09= ASN1_STRING=20*v;=0A+=09const=20X509_NAME_ENTRY=20*e;=0A+=09const=20= ASN1_STRING=20*v;=0A=20=09const=20char=20*field_name;=0A=20=09size_t=09=09= size;=0A=20=09char=09=09nullterm;=0Adiff=20--git=20= a/src/interfaces/libpq/fe-secure-openssl.c=20= b/src/interfaces/libpq/fe-secure-openssl.c=0Aindex=20= 
fbd3c63fb5d..6b44eeb68eb=20100644=0A---=20= a/src/interfaces/libpq/fe-secure-openssl.c=0A+++=20= b/src/interfaces/libpq/fe-secure-openssl.c=0A@@=20-67,7=20+67,7=20@@=0A=20= =0A=20static=20int=09verify_cb(int=20ok,=20X509_STORE_CTX=20*ctx);=0A=20= static=20int=09openssl_verify_peer_name_matches_certificate_name(PGconn=20= *conn,=0A-=09=09=09=09=09=09=09=09=09=09=09=09=09=09=09=20=20ASN1_STRING=20= *name_entry,=0A+=09=09=09=09=09=09=09=09=09=09=09=09=09=09=09=20=20const=20= ASN1_STRING=20*name_entry,=0A=20=09=09=09=09=09=09=09=09=09=09=09=09=09=09= =09=20=20char=20**store_name);=0A=20static=20int=09= openssl_verify_peer_name_matches_certificate_ip(PGconn=20*conn,=0A=20=09=09= =09=09=09=09=09=09=09=09=09=09=09=09=09ASN1_OCTET_STRING=20*addr_entry,=0A= @@=20-467,7=20+467,8=20@@=20cert_cb(SSL=20*ssl,=20void=20*arg)=0A=20=20*=20= into=20a=20plain=20C=20string.=0A=20=20*/=0A=20static=20int=0A= -openssl_verify_peer_name_matches_certificate_name(PGconn=20*conn,=20= ASN1_STRING=20*name_entry,=0A= +openssl_verify_peer_name_matches_certificate_name(PGconn=20*conn,=0A+=09= =09=09=09=09=09=09=09=09=09=09=09=20=20const=20ASN1_STRING=20= *name_entry,=0A=20=09=09=09=09=09=09=09=09=09=09=09=09=20=20char=20= **store_name)=0A=20{=0A=20=09int=09=09=09len;=0A@@=20-650,14=20+651,14=20= @@=20pgtls_verify_peer_name_matches_certificate_guts(PGconn=20*conn,=0A=20= =09=20*/=0A=20=09if=20(check_cn)=0A=20=09{=0A-=09=09X509_NAME=20=20= *subject_name;=0A+=09=09const=20X509_NAME=20*subject_name;=0A=20=0A=20=09= =09subject_name=20=3D=20X509_get_subject_name(conn->peer);=0A=20=09=09if=20= (subject_name=20!=3D=20NULL)=0A=20=09=09{=0A=20=09=09=09int=09=09=09= cn_index;=0A=20=0A-=09=09=09cn_index=20=3D=20= X509_NAME_get_index_by_NID(subject_name,=0A+=09=09=09cn_index=20=3D=20= X509_NAME_get_index_by_NID(unconstify(X509_NAME=20*,=20subject_name),=0A=20= =09=09=09=09=09=09=09=09=09=09=09=09=20=20NID_commonName,=20-1);=0A=20=09= =09=09if=20(cn_index=20>=3D=200)=0A=20=09=09=09{=0A--=20=0A2.39.3=20= 
(Apple=20Git-146)=0A=0A= --Apple-Mail=_31018FB0-6F77-4F97-B12D-F62FD1AE74B6--
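
Review bot: In contrib/sslinfo/sslinfo.c the three unconstify() call sites (X509_NAME_get_index_by_NID in X509_NAME_field_to_text, and X509_EXTENSION_get_object and X509V3_EXT_print in ssl_extension_info) carry no comment explaining why a pointer that was just declared const is cast back to non-const. The reason is stated only in the commit message (building without warnings on OpenSSL 1.1.1 through 4.0.0 and LibreSSL). A short comment at the declarations of data and ext, naming the compatibility reason, would tell a later reader that these casts are a shim for differing library prototypes and not a sign that the callee modifies the object.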
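
Review bot: In the src/backend/libpq/be-secure-openssl.c hunk at line 1071, unconstify(X509_NAME *, x509name) is now written out in both X509_NAME_get_text_by_NID calls, and the first of those lines (the length probe with NULL, 0) becomes much longer than the wrapped form used by the second call right below it. Consider wrapping the first call the same way the second one wraps its len + 1 argument, so the two calls that must agree on their arguments stay visually parallel; the r != len check that follows depends on both calls reading the same name.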
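
Review bot: In src/interfaces/libpq/fe-secure-openssl.c the prototype hunk at line 67 makes name_entry a const ASN1_STRING * for openssl_verify_peer_name_matches_certificate_name, but the sibling prototype visible in the trailing context, openssl_verify_peer_name_matches_certificate_ip, keeps ASN1_OCTET_STRING *addr_entry non-const. If the IP variant does not trigger a warning on any of the targeted library versions, a sentence in the commit message saying so would explain the asymmetry; otherwise const-qualify addr_entry in the same patch so the two certificate-name verification helpers have matching signatures.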