Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s21Tq-00GovB-1G for pgsql-hackers@arkaria.postgresql.org; Wed, 01 May 2024 04:22:06 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1s21Tl-00AuS6-PY for pgsql-hackers@arkaria.postgresql.org; Wed, 01 May 2024 04:22:02 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s21Tk-00AuQw-6l for pgsql-hackers@lists.postgresql.org; Wed, 01 May 2024 04:22:02 +0000 Received: from fhigh8-smtp.messagingengine.com ([103.168.172.159]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s21Tg-000sOg-DF for pgsql-hackers@lists.postgresql.org; Wed, 01 May 2024 04:21:59 +0000 Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailfhigh.nyi.internal (Postfix) with ESMTP id D266911400E2; Wed, 1 May 2024 00:21:54 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute1.internal (MEProxy); Wed, 01 May 2024 00:21:54 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paquier.xyz; h= cc:cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm3; t=1714537314; x=1714623714; bh=CvWAibA8i6 Y90Bg6HLcZJF7rCJ6lT5hdRnxDFYw3ufQ=; b=UWJWQRC5cT0S93sQ8dERKOgKt4 +IawOTKP54QS4/3agNmc+S0UuKC+zTcYMg66ty0LnqgKrO4DsBUAZyyXMNa6YTFI J4FEcdiH8CMtGh3ExArmL39ThXcbONAVSb49xp3KuVuX4IuXi/uDE+/A9e87fRuC AMA4ntuWdjE77Q8w9pkSlnp166AxduP3RFBd8VXxjpPDyso/7PNu10UNfxl9GvNO d7wu1XI0QkYCGYtGTZJpLxU+rUZN3jl6Axednf+sbIPK5oFLzP4H2EJZ4IXwqGUH cwpq/mov72A5fBM/cTn55BR5HLSfMsyUPElykOcYmfAEsM2yf4gl0mNDG3rQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm3; t=1714537314; x=1714623714; bh=CvWAibA8i6Y90Bg6HLcZJF7rCJ6l T5hdRnxDFYw3ufQ=; b=NEyQu8i+XgEWQJr5Wp0MorKnG051oBDKoTU0UQTK+cJc 0T/iRdLQs6KfQllxq0L1vRMhAo99hcs87eCwBiQ+7NWxx/DKpWS0swOJFGgj9wE5 auZOVQCHPzx9TCIbP+6xH6iGmdgiGW+y5qIp7LycY+9sUD/bIO3Y+QusdyhJbxO8 k1frTS3AmfP+lYrGrgJZ+As9FyjKZ93gilSHx2jmK61zwa1io4ZaZEmxDbhfwyDO of/VzlpuaFC3+Rv4BMRs3Gste/Fcfl1KVf5kBEb6nJN1pCi2iY7PBLQhWKzz0RFp LF8UF1n0p7T86FienLrMPPlYD/WOlxwobpjPLTTI1g== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrvdduhedgvdefucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne gfrhhlucfvnfffucdlvdefmdenucfjughrpeffhffvvefukfhfgggtuggjsehgtderredt tddvnecuhfhrohhmpefoihgthhgrvghlucfrrghquhhivghruceomhhitghhrggvlhesph grqhhuihgvrhdrgiihiieqnecuggftrfgrthhtvghrnhephfetudeutedtuddufffhvedv jeduleejgfetfeeltdfggeffheejhfduteevveelnecuffhomhgrihhnpehophgvnhhssh hlrdhorhhgpdgrrhgthhhlihhnuhigrdhorhhgnecuvehluhhsthgvrhfuihiivgeptden ucfrrghrrghmpehmrghilhhfrhhomhepmhhitghhrggvlhesphgrqhhuihgvrhdrgiihii X-ME-Proxy: Feedback-ID: i0fe9450f:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Wed, 1 May 2024 00:21:51 -0400 (EDT) Date: Wed, 1 May 2024 13:21:32 +0900 From: Michael Paquier To: Daniel Gustafsson Cc: Peter Eisentraut , Jacob Champion , Thomas Munro , Postgres hackers , mikael.kjellstrom@gmail.com, Tom Lane Subject: Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~? Message-ID: References: <885D539C-6711-470A-8CD7-44D55E8E5183@yesql.se> <5f746aeb-105e-4a29-babf-54ee0d6e4f6f@eisentraut.org> <1D766D04-0B6C-4DB2-91B7-836B0C9A146E@yesql.se> <56D38F23-11BB-4A30-866F-9D6EA21ABA25@yesql.se> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="6cJ6hj6+MufV+J2l" Content-Disposition: inline In-Reply-To: List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --6cJ6hj6+MufV+J2l Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Apr 27, 2024 at 08:33:55PM +0200, Daniel Gustafsson wrote: > > On 27 Apr 2024, at 20:32, Daniel Gustafsson wrote: >=20 > > That's a good point, there is potential for more code removal here. The > > attached 0001 takes a stab at it while it's fresh in mind, I'll revisit= before > > the July CF to see if there is more that can be done. >=20 > ..and again with the attachment. Not enough coffee. My remark was originally about pq_init_crypto_lib that does the locking initialization, and your new patch a bit more, as of: - /* This stuff need be done only once. */ - if (!SSL_initialized) - { -#ifdef HAVE_OPENSSL_INIT_SSL - OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); -#else - OPENSSL_config(NULL); - SSL_library_init(); - SSL_load_error_strings(); -#endif - SSL_initialized =3D true; - } OPENSSL_init_ssl() has replaced SSL_library_init(), marked as deprecated, and even this step is mentioned as not required anymore with 1.1.0~: https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_init_ssl.html Same with OPENSSL_init_crypto(), replacing OPENSSL_config(), again not required in 1.1.0~: https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_init_crypto.html SSL_load_error_strings() is recommended as not to use in 1.1.0, replaced by the others: https://www.openssl.org/docs/man3.2/man3/SSL_load_error_strings.html While OpenSSL will be able to cope with that, how much of that applies to LibreSSL? SSL_load_error_strings(), OPENSSL_init_ssl(), OPENSSL_CONFIG() are OK based on the docs: https://man.archlinux.org/man/extra/libressl/libressl-OPENSSL_config.3.en https://man.archlinux.org/man/extra/libressl/libressl-OPENSSL_init_ssl.3.en https://man.archlinux.org/man/extra/libressl/libressl-ERR_load_crypto_strin= gs.3.en So +1 to remove all this code after a closer lookup. I would recommend to update the documentation of PQinitSSL and PQinitOpenSSL to tell that these become useless and are deprecated. ERR_clear_error(); - #ifdef USE_RESOWNER_FOR_HMAC Some noise diff. -- Michael --6cJ6hj6+MufV+J2l Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEG72nH6vTowiyblFKnvQgOdbyQH0FAmYxw0wACgkQnvQgOdby QH3+QQ//ZeYrXuQDoUCaqUwNz10QYadmVxOr9BkYJwjhdB72l8CkXU+9p3h26YDq IWda4/7v8UNO2ncFwO4WKPHGX0cQPOeisMK8BUaRM7JHFcL5nwBxGHM3zZYDFG6t GQlip4xARYv2zC6A52gARvXVxuKs4ml8xh4cwkTAMcQnMQl7c0pIw91gPxHwEJRp MCHtBc/g3a8SVwGukxrbpexXiDNXscAgq+AIsUYcxJQSAUjvGXgLpOZGgjU79mQ8 CejhS6tYv3ERl4t0FtTyA0eRJfYhGPRpv1bSsiCxakhzAZMOB3GCt8JKc3JSg0zq 29ge/0tWigCh0fqok/Obn4S2HaLXZk0HcPcA4jBg+pVWywTg2QlfuO0gTl5ggvUd JRw3HxrCjz64l26gya3DPWHpMkRWDPLeTFsskLlsVSWkL2AlCxt2iGF5QsH36zos 5F+6TnjVET/KT9K5vvl8Ko2jl+dxOwJpohxTQdxg+chbTMEThZXJmDYNRVm6bLP1 A0ZNjDE5c4wgnk2twAAUyQLQsc4/KD09924HaiaIhVdb/h71W3If8+xVLmpWhW/f OohgwVS/dXP/jNlOAxxkRcwhfrn5iU0AZ+zq0As0nHrIrVyKrXsajNzAyEeXKVu5 QtSs8x5Br7T0ZdhO01KHgIwWhCGKLgYMjrV11zpO4DgbzvTk+Kc= =slra -----END PGP SIGNATURE----- --6cJ6hj6+MufV+J2l--