Thread: Re: Retire support for OpenSSL 1.1.1 due to raised API requirements

Re: Retire support for OpenSSL 1.1.1 due to raised API requirements

From: Tom Lane
Date:
Daniel Gustafsson <daniel@yesql.se> writes:
> The patchset in https://commitfest.postgresql.org/49/5025/ which adds support
> for configuring cipher suites in TLS 1.3 handshakes requires an API available in
> OpenSSL 1.1.1 and onwards.  With that as motivation I'd like to propose that we
> remove support for OpenSSL 1.1.0 and set the minimum required version to 1.1.1.
> OpenSSL 1.1.0 was EOL in September 2019 and was never an LTS version, so it's
> not packaged in anything anymore AFAICT and should be very rare in production
> use in conjunction with an updated postgres.  1.1.1 LTS will be 2 years EOL by
> the time v18 ships so I doubt this will be all that controversial.

Yeah ... the alternative would be to conditionally compile the new
functionality.  That doesn't seem like a productive use of developer
time if it's supporting just one version that should be extinct in
the wild by now.

            regards, tom lane



Re: Retire support for OpenSSL 1.1.1 due to raised API requirements

From: Daniel Gustafsson
Date:
> On 9 Sep 2024, at 16:48, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>
> Daniel Gustafsson <daniel@yesql.se> writes:
>> The patchset in https://commitfest.postgresql.org/49/5025/ which adds support
>> for configuring cipher suites in TLS 1.3 handshakes requires an API available in
>> OpenSSL 1.1.1 and onwards.  With that as motivation I'd like to propose that we
>> remove support for OpenSSL 1.1.0 and set the minimum required version to 1.1.1.
>> OpenSSL 1.1.0 was EOL in September 2019 and was never an LTS version, so it's
>> not packaged in anything anymore AFAICT and should be very rare in production
>> use in conjunction with an updated postgres.  1.1.1 LTS will be 2 years EOL by
>> the time v18 ships so I doubt this will be all that controversial.
>
> Yeah ... the alternative would be to conditionally compile the new
> functionality.  That doesn't seem like a productive use of developer
> time if it's supporting just one version that should be extinct in
> the wild by now.

Agreed.  OpenSSL 1.1.1 is a very different story and I suspect we'll be stuck on
that level for some time, but 1.1.0 is gone from production use.

--
Daniel Gustafsson




Re: Retire support for OpenSSL 1.1.1 due to raised API requirements

From: Daniel Gustafsson
Date:
> On 10 Sep 2024, at 00:53, Michael Paquier <michael@paquier.xyz> wrote:
>
> On Mon, Sep 09, 2024 at 11:29:09PM +0200, Daniel Gustafsson wrote:
>> Agreed.  OpenSSL 1.1.1 is a very different story and I suspect we'll be stuck on
>> that level for some time, but 1.1.0 is gone from production use.
>
> The cleanup induced by the removal of 1.1.0 is minimal.  I'm on board
> about your argument with SSL_CTX_set_ciphersuites() to drop 1.1.0 and
> simplify the other feature.

Yeah, the change to existing code is trivial but avoiding adding a kluge to
handle versions without the relevant API will save complexity.  Thanks for the
review.

This change will be committed together with the TLSv1.3 cipher suite patchset,
just wanted to bring it up here and not hide it in another thread.

--
Daniel Gustafsson