Re: PostgreSQL and OpenSSL 4.0.0

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Daniel Gustafsson <[email protected]>
To: Michael Paquier <[email protected]>
Cc: Tom Lane <[email protected]>
Cc: PostgreSQL-development <[email protected]>
Subject: Re: PostgreSQL and OpenSSL 4.0.0
Date: Tue, 26 May 2026 10:16:40 +0200
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>

> On 26 May 2026, at 08:02, Michael Paquier <[email protected]> wrote:
> 
> On Tue, May 19, 2026 at 02:18:08PM -0700, Daniel Gustafsson wrote:
>>> On 8 May 2026, at 00:21, Daniel Gustafsson <[email protected]> wrote:
>> 
>>> I think the changes are straightforward enough that we can go ahead with them.
>>> I'll re-test and re-post a new patchset for all branches once the minors ship.
>> 
>> Attached are rebased versions of this patchset for v14-master.
> 
> I have a question here.  Most of the changes relate to the use of const
> where the OpenSSL APIs require these to be so, but why is this a new
> requirement for 4.0?  I can see that for most of the upstream
> routines, the const changes are much older, like in 8cc86b81ac20 for
> X509_NAME_get_text_by_NID() applying down to branch openssl-3.0.

It is very true that OpenSSL has been constifying the API over time, the change
in 4.0 revolves around making more returnvalues const.  In the case at hand,
X509_get_subject_name() now returns a const X509_NAME pointer since commit
b0f2107b4404.  This wouldn't be a problem since X509_NAME_get_text_by_NID()
does as you say take a const parameter, but since we have shoehorned LibreSSL
support into the same file we are tied to the least common denominator and
LibreSSL is far behind OpenSSL on constifying.  So in this case, we need to
unconstify() to keep LibreSSL compiling.

I have plans for fixing this in v20 but for 14-19 there isn't much we can do
except unconstifying.

--
Daniel Gustafsson

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected]
  Subject: Re: PostgreSQL and OpenSSL 4.0.0
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox