Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1uCixw-001OjJ-E4 for pgsql-hackers@arkaria.postgresql.org; Wed, 07 May 2025 17:53:57 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1uCixt-00FQto-P3 for pgsql-hackers@arkaria.postgresql.org; Wed, 07 May 2025 17:53:53 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1uCixt-00FQtg-B8 for pgsql-hackers@lists.postgresql.org; Wed, 07 May 2025 17:53:53 +0000 Received: from smtp.outgoing.loopia.se ([93.188.3.37]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1uCixq-000faa-1y for pgsql-hackers@postgresql.org; Wed, 07 May 2025 17:53:52 +0000 Received: from s807.loopia.se (localhost [127.0.0.1]) by s807.loopia.se (Postfix) with ESMTP id 8AE0739002F for ; Wed, 07 May 2025 19:53:49 +0200 (CEST) Received: from s979.loopia.se (unknown [172.22.191.5]) by s807.loopia.se (Postfix) with ESMTP id 76464391094; Wed, 07 May 2025 19:53:49 +0200 (CEST) Received: from s898.loopia.se (unknown [172.22.191.6]) by s979.loopia.se (Postfix) with ESMTP id 7331B10BC4FE; Wed, 07 May 2025 19:53:49 +0200 (CEST) X-Virus-Scanned: amavisd-new at amavis.loopia.se X-Spam-Flag: NO X-Spam-Score: -1.2 X-Spam-Level: X-Spam-Status: No, score=-1.2 tagged_above=-999 required=6.2 tests=[ALL_TRUSTED=-1, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1] autolearn=disabled Authentication-Results: s898.loopia.se (amavisd-new); dkim=pass (2048-bit key) header.d=yesql.se Received: from s934.loopia.se ([172.22.191.5]) by s898.loopia.se (s898.loopia.se [172.22.190.17]) (amavisd-new, port 10024) with LMTP id ANzYGRUZHI4Y; Wed, 7 May 2025 19:53:49 +0200 (CEST) X-Loopia-Auth: user X-Loopia-User: daniel@yesql.se X-Loopia-Originating-IP: 89.255.232.193 Received: from smtpclient.apple (customer-89-255-232-193.stosn.net [89.255.232.193]) (Authenticated sender: daniel@yesql.se) by s934.loopia.se (Postfix) with ESMTPSA id A207F7CEAAF; Wed, 07 May 2025 19:53:48 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yesql.se; s=loopiadkim1707475645; t=1746640428; bh=e89y2Xb1I2WPiLrYQgUFbdNPrSBY0RNTthXvehbXs2Q=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=EGodl4UaroxSTGQoNdEDcFc7Qm6t49UVat2PMYZ+oENtG8Win7zhCjE6JxBnCY1KD p9QyG68WJYufepMemaPScrBfDDCMIItNDihEAFEouQeGcJTdHOzVSWFbJQm0Hkhudi bX86zOf2wrEYf8z3Qaeh9S2QwWDl1Q/oE1+qJrLORZJQ+WewZAqH9JoD53te8J4LBs VWyOEondwmzpakVNZMAx7Lv+UTFsoW3k/qNlEDSN9qIaNWfnaaXYNOA9st6NtlCkHh BUdPqihWUrYf/sO3zz47YWL0TiqaUKP+4mVJrMsSVlfTkTubtXWGoTJWlx8uP+wo4A BATBTLHn/Pbow== Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3776.700.51.11.1\)) Subject: Re: disabled SSL log_like tests From: Daniel Gustafsson In-Reply-To: <3320404.1746633879@sss.pgh.pa.us> Date: Wed, 7 May 2025 19:53:38 +0200 Cc: Thomas Munro , Andrew Dunstan , PostgreSQL Hackers , Jacob Champion Content-Transfer-Encoding: quoted-printable Message-Id: <8E3E58BF-CC99-4C45-9FB8-3BA83AA6FDC8@yesql.se> References: <984fca80-85a8-4c6f-a5cc-bb860950b435@dunslane.net> <2199758.1744901785@sss.pgh.pa.us> <1ce11d3f-624c-4003-a032-1b10cc138305@dunslane.net> <2814408.1745005558@sss.pgh.pa.us> <2859105.1745015195@sss.pgh.pa.us> <1120735.1745350422@sss.pgh.pa.us> <3058990.1746485124@sss.pgh.pa.us> <3227092.1746580691@sss.pgh.pa.us> <3248136.1746592452@sss.pgh.pa.us> <3004EFB2-8FFA-429A-AC5E-E3F40E002A94@yesql.se> <3320404.1746633879@sss.pgh.pa.us> To: Tom Lane X-Mailer: Apple Mail (2.3776.700.51.11.1) List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk > On 7 May 2025, at 18:04, Tom Lane wrote: >=20 > Daniel Gustafsson writes: >>> On 7 May 2025, at 06:34, Tom Lane wrote: >>> I couldn't help noticing that the backtraces went through >>> lib/libssl/tls13_legacy.c, which doesn't give a warm feeling >>> about how supported they think our usage is (and perhaps also >>> explains why they didn't detect this bug themselves). >=20 >> Since we no longer support 1.0.2 we can apply something like the = (lightly >> tested) attached which should be a no-op as we already use = TLS_method() but via >> an alias. >=20 > Yeah, I saw that SSLv23_method() was merely an alias for TLS_method() > in LibreSSL as well. That means unfortunately that your proposal is > just cosmetic and doesn't get us out of using code that they're > calling "legacy". I wonder what it would take to get to the "modern" > code paths. AFAICT (it's not documented what I can see) the Libressl folks consider = code inherited from OpenSSL legacy. Using current OpenSSL API's and moving = away from deprecated API's is probably our best bet. On that note, = TLS_method is the current API to use in both OpenSSL and Libressl according to their respective documentations. A separate be-secure-libressl.c could move to use their libtls instead = of the libssl OpenSSL compatibility library, which may be an interesting = excercise but a very different project from what is discussed here. -- Daniel Gustafsson