> On 28 Nov 2025, at 11:38, <Marco.Lebahn@kfw.de> <Marco.Lebahn@kfw.de> wrote:
>
> It seems that < 16.11 does and not check if I use "bf" from legacy provider
postgres does not consider which providers are loaded at all, since we support
OpenSSL 1.1.1+ the code doesn't even know of the provider concept. Further,
pgcrypto in v16 hasn't been changed at all since January 2024. If 16.10 allows
blowfish and 16.11 doesn't then, as Tom suggested upthread, you need to look at
which OpenSSL pgcrypto.so is linked against and how they are configured.
> :~> openssl list -providers
> Providers:
> default
> name: OpenSSL Default Provider
> version: 3.2.3
> status: active
>
> :~> psql postgres
> psql (16.10)
> Type "help" for help.
>
> postgres=# SELECT encrypt('sdafgsdfgsdafgasdf', 'thelongkeyfoobar', 'bf');
> encrypt
> ----------------------------------------------------
> \x74a761b105fbc8f535f666e952e00018deb1349fbf27a87b
> (1 row)
The above pgcrypto is highly unlikely to run against the same OpenSSL instance
(lib + configuration) in that case, note this from the OpenSSL 3.0 changelog:
* Moved all variations of the EVP ciphers CAST5, BF, IDEA, SEED, RC2,
RC4, RC5, and DES to the legacy provider.
OpenSSL doesn't support blowfish without the legacy provider loaded. Your
16.10 is most likely linked against another version of OpenSSL, or at least
using another OpenSSL configuration/openssldir.
--
Daniel Gustafsson
