On Thu, Jan 02, 2020 at 11:45:37PM -0500, Tom Lane wrote:
> Ah. The CF app doesn't understand that (and hence the cfbot ditto),
> so you might want to repost just the currently-proposed patch to get
> the cfbot to try it.
Yes, let's do that. Here you go with a v2. While on it, I have noticed in the docs a mention of OpenSSL 1.0.0 regarding our sslcompression parameter in libpq, so a paragraph can be removed.
--
Michael
From d693a4d78b80d7927d1859e95cf0a3b16766240a Mon Sep 17 00:00:00 2001 From: Michael Paquier <mich...@paquier.xyz> Date: Fri, 3 Jan 2020 15:47:26 +0900 Subject: [PATCH v2] Remove code older than OpenSSL 0.9.8 and 1.0.0 --- doc/src/sgml/installation.sgml | 2 +- doc/src/sgml/libpq.sgml | 4 ---- src/backend/libpq/be-secure-openssl.c | 2 -- src/interfaces/libpq/fe-secure-openssl.c | 5 +---- src/test/ssl/t/SSLServer.pm | 4 ---- 5 files changed, 2 insertions(+), 15 deletions(-) diff --git a/doc/src/sgml/installation.sgml b/doc/src/sgml/installation.sgml index 9c10a897f1..d4904bf5a0 100644 --- a/doc/src/sgml/installation.sgml +++ b/doc/src/sgml/installation.sgml @@ -254,7 +254,7 @@ su - postgres encrypted client connections. <productname>OpenSSL</productname> is also required for random number generation on platforms that do not have <filename>/dev/urandom</filename> (except Windows). The minimum - version required is 0.9.8. + version required is 1.0.1. </para> </listitem> diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml index 66b09da06f..64cff49c4d 100644 --- a/doc/src/sgml/libpq.sgml +++ b/doc/src/sgml/libpq.sgml @@ -1608,10 +1608,6 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname compression by default, and many operating system distributions disable it in prior versions as well, so setting this parameter to on will not have any effect if the server does not accept compression. - On the other hand, <productname>OpenSSL</productname> before 1.0.0 - does not support disabling compression, so this parameter is ignored - with those versions, and whether compression is used depends on the - server. </para> <para> diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 7ad32116ea..62f1fcab2b 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c 
@@ -223,9 +223,7 @@ be_tls_init(bool isServerStart) } /* disallow SSL session tickets */ -#ifdef SSL_OP_NO_TICKET /* added in OpenSSL 0.9.8f */ SSL_CTX_set_options(context, SSL_OP_NO_TICKET); -#endif /* disallow SSL session caching, too */ SSL_CTX_set_session_cache_mode(context, SSL_SESS_CACHE_OFF); diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index ce8e252c09..0e84fc8ac6 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -1192,15 +1192,12 @@ initialize_SSL(PGconn *conn) SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, verify_cb); /* - * Set compression option if the OpenSSL version used supports it (from - * 1.0.0 on). + * Set compression option if necessary. */ -#ifdef SSL_OP_NO_COMPRESSION if (conn->sslcompression && conn->sslcompression[0] == '0') SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION); else SSL_clear_options(conn->ssl, SSL_OP_NO_COMPRESSION); -#endif return 0; } diff --git a/src/test/ssl/t/SSLServer.pm b/src/test/ssl/t/SSLServer.pm index 26b5964f4f..005955a2ff 100644 --- a/src/test/ssl/t/SSLServer.pm +++ b/src/test/ssl/t/SSLServer.pm @@ -132,10 +132,6 @@ sub configure_test_server_for_ssl print $conf "listen_addresses='$serverhost'\n"; print $conf "log_statement=all\n"; - # Accept even old TLS versions so that builds with older OpenSSL - # can run the test suite. - print $conf "ssl_min_protocol_version='TLSv1'\n"; - # enable SSL and set up server key print $conf "include 'sslconfig.conf'\n"; -- 2.24.1
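Review bot: the installation.sgml hunk raises the documented minimum from 0.9.8 to 1.0.1, while the subject line says the patch removes code older than 0.9.8 and 1.0.0; the subject and the documentation should agree on the floor actually being enforced. No hunk adds a configure-time version check, so a build against an older OpenSSL would now fail only when the unguarded `SSL_OP_NO_TICKET` and `SSL_OP_NO_COMPRESSION` references reach the compiler; consider either a configure check or at least an explicit statement in the commit message that 1.0.1 is the intended floor.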
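Review bot: removing the "OpenSSL before 1.0.0 does not support disabling compression" paragraph from libpq.sgml is consistent with the new minimum, but it was the only sentence telling readers what happens when libpq cannot honour the sslcompression setting; with the floor at 1.0.1 the remaining text correctly implies the client-side setting is always applied, so no replacement wording is needed, just mention the documentation removal in the commit message.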
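Review bot: dropping the `#ifdef SSL_OP_NO_TICKET` guard in be-secure-openssl.c makes `SSL_CTX_set_options(context, SSL_OP_NO_TICKET)` unconditional instead of silently skipped on builds lacking the macro; that is the safer outcome, since tickets would otherwise reopen the session-resumption path that the following `SSL_SESS_CACHE_OFF` line closes, and it is worth stating in the commit message that the hardening is now guaranteed rather than best-effort.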
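Review bot: the replacement comment in fe-secure-openssl.c, "Set compression option if necessary.", is vaguer than the one it removes; say what decides it, for example "Honour the sslcompression setting: '0' disables compression, any other value leaves it available." Removing the `#ifdef SSL_OP_NO_COMPRESSION` guard also makes the `SSL_clear_options` else branch unconditional, so the existing test `conn->sslcompression[0] == '0'`, which treats any value other than '0' as a request to allow compression, is now always reached; that behaviour is unchanged by this patch but worth noting if stricter parsing of the parameter is planned.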
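Review bot: removing `ssl_min_protocol_version='TLSv1'` from SSLServer.pm means the test server now inherits the server default instead of the permissive floor the deleted comment added for older OpenSSL builds; with the minimum raised to 1.0.1 that is consistent, but the commit message should mention the test change, and any test in the suite that expects a TLSv1 or TLSv1.1 handshake to succeed should be checked against the default before this goes in.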