public inbox for [email protected]  
help / color / mirror / Atom feed
From: Tom Lane <[email protected]>
To: Thomas Munro <[email protected]>
Cc: Andrew Dunstan <[email protected]>
Cc: PostgreSQL-development <[email protected]>
Cc: Jacob Champion <[email protected]>
Subject: Re: disabled SSL log_like tests
Date: Wed, 07 May 2025 00:34:12 -0400
Message-ID: <[email protected]> (raw)
In-Reply-To: <CA+hUKGJkUJAwckjBr-=B9oUdDgjSEH+3njd__OnPoPuAtze3Qg@mail.gmail.com>
References: <[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<CA+hUKG+fLqyweHqFSBcErueUVT0vDuSNWui-ySz3+d_APmq7dw@mail.gmail.com>
	<[email protected]>
	<[email protected]>
	<CA+hUKGJkUJAwckjBr-=B9oUdDgjSEH+3njd__OnPoPuAtze3Qg@mail.gmail.com>

Thomas Munro <[email protected]> writes:
> On Wed, May 7, 2025 at 1:18 PM Tom Lane <[email protected]> wrote:
>> Anyone know anything about where to submit LibreSSL bugs?

> I think it's done with sendbug on an OpenBSD box, or perhaps you can
> just write a normal email to the [email protected] or
> [email protected] list, based on:
> https://www.openbsd.org/mail.html

Thanks, I'll look into reporting it tomorrow.  In the meantime,
I couldn't help noticing that the backtraces went through
lib/libssl/tls13_legacy.c, which doesn't give a warm feeling
about how supported they think our usage is (and perhaps also
explains why they didn't detect this bug themselves).  This is
evidently because we set up the SSL context with SSLv23_method(),
per this comment in be_tls_init():

     * We use SSLv23_method() because it can negotiate use of the highest
     * mutually supported protocol version, while alternatives like
     * TLSv1_2_method() permit only one specific version.  Note that we don't
     * actually allow SSL v2 or v3, only TLS protocols (see below).

This choice seems to be more than 20 years old, though the above
comment defending it dates only to 2014.  I wonder if it's time to
revisit that idea.

			regards, tom lane





view thread (30+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected]
  Subject: Re: disabled SSL log_like tests
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox