Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1uCWU9-00GGOa-Rn for pgsql-hackers@arkaria.postgresql.org; Wed, 07 May 2025 04:34:22 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1uCWU8-00BWdb-2Q for pgsql-hackers@arkaria.postgresql.org; Wed, 07 May 2025 04:34:20 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1uCWU7-00BWdT-PE for pgsql-hackers@lists.postgresql.org; Wed, 07 May 2025 04:34:19 +0000 Received: from sss.pgh.pa.us ([68.162.161.243]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1uCWU4-000ZCu-2g for pgsql-hackers@postgresql.org; Wed, 07 May 2025 04:34:19 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 5474YCEm3248137; Wed, 7 May 2025 00:34:12 -0400 From: Tom Lane To: Thomas Munro cc: Andrew Dunstan , PostgreSQL-development , Jacob Champion Subject: Re: disabled SSL log_like tests In-reply-to: References: <984fca80-85a8-4c6f-a5cc-bb860950b435@dunslane.net> <2199758.1744901785@sss.pgh.pa.us> <1ce11d3f-624c-4003-a032-1b10cc138305@dunslane.net> <2814408.1745005558@sss.pgh.pa.us> <2859105.1745015195@sss.pgh.pa.us> <1120735.1745350422@sss.pgh.pa.us> <3058990.1746485124@sss.pgh.pa.us> <3227092.1746580691@sss.pgh.pa.us> Comments: In-reply-to Thomas Munro message dated "Wed, 07 May 2025 15:52:22 +1200" MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-ID: <3248135.1746592452.1@sss.pgh.pa.us> Content-Transfer-Encoding: 8bit Date: Wed, 07 May 2025 00:34:12 -0400 Message-ID: <3248136.1746592452@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Thomas Munro writes: > On Wed, May 7, 2025 at 1:18 PM Tom Lane wrote: >> Anyone know anything about where to submit LibreSSL bugs? > I think it's done with sendbug on an OpenBSD box, or perhaps you can > just write a normal email to the bugs@openbsd.org or > libressl@openbsd.org list, based on: > https://www.openbsd.org/mail.html Thanks, I'll look into reporting it tomorrow. In the meantime, I couldn't help noticing that the backtraces went through lib/libssl/tls13_legacy.c, which doesn't give a warm feeling about how supported they think our usage is (and perhaps also explains why they didn't detect this bug themselves). This is evidently because we set up the SSL context with SSLv23_method(), per this comment in be_tls_init(): * We use SSLv23_method() because it can negotiate use of the highest * mutually supported protocol version, while alternatives like * TLSv1_2_method() permit only one specific version. Note that we don't * actually allow SSL v2 or v3, only TLS protocols (see below). This choice seems to be more than 20 years old, though the above comment defending it dates only to 2014. I wonder if it's time to revisit that idea. regards, tom lane