public inbox for [email protected]
help / color / mirror / Atom feedFrom: Michael Paquier <[email protected]>
To: Daniel Gustafsson <[email protected]>
Cc: Peter Eisentraut <[email protected]>
Cc: Jacob Champion <[email protected]>
Cc: Thomas Munro <[email protected]>
Cc: Postgres hackers <[email protected]>
Cc: [email protected]
Cc: Tom Lane <[email protected]>
Subject: Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?
Date: Wed, 1 May 2024 13:21:32 +0900
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
On Sat, Apr 27, 2024 at 08:33:55PM +0200, Daniel Gustafsson wrote:
> > On 27 Apr 2024, at 20:32, Daniel Gustafsson <[email protected]> wrote:
>
> > That's a good point, there is potential for more code removal here. The
> > attached 0001 takes a stab at it while it's fresh in mind, I'll revisit before
> > the July CF to see if there is more that can be done.
>
> ..and again with the attachment. Not enough coffee.
My remark was originally about pq_init_crypto_lib that does the
locking initialization, and your new patch a bit more, as of:
- /* This stuff need be done only once. */
- if (!SSL_initialized)
- {
-#ifdef HAVE_OPENSSL_INIT_SSL
- OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
-#else
- OPENSSL_config(NULL);
- SSL_library_init();
- SSL_load_error_strings();
-#endif
- SSL_initialized = true;
- }
OPENSSL_init_ssl() has replaced SSL_library_init(), marked as
deprecated, and even this step is mentioned as not required anymore
with 1.1.0~:
https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_init_ssl.html
Same with OPENSSL_init_crypto(), replacing OPENSSL_config(), again not
required in 1.1.0~:
https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_init_crypto.html
SSL_load_error_strings() is recommended as not to use in 1.1.0,
replaced by the others:
https://www.openssl.org/docs/man3.2/man3/SSL_load_error_strings.html
While OpenSSL will be able to cope with that, how much of that applies
to LibreSSL? SSL_load_error_strings(), OPENSSL_init_ssl(),
OPENSSL_CONFIG() are OK based on the docs:
https://man.archlinux.org/man/extra/libressl/libressl-OPENSSL_config.3.en
https://man.archlinux.org/man/extra/libressl/libressl-OPENSSL_init_ssl.3.en
https://man.archlinux.org/man/extra/libressl/libressl-ERR_load_crypto_strings.3.en
So +1 to remove all this code after a closer lookup. I would
recommend to update the documentation of PQinitSSL and PQinitOpenSSL
to tell that these become useless and are deprecated.
ERR_clear_error();
-
#ifdef USE_RESOWNER_FOR_HMAC
Some noise diff.
--
Michael
Attachments:
[application/pgp-signature] signature.asc (833B, ../[email protected]/2-signature.asc)
download
view thread (25+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
Subject: Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox