Re: Update minimum SSL version

2019-12-05 Thread Michael Paquier
On Thu, Dec 05, 2019 at 11:40:37PM -0500, Tom Lane wrote: > OK, re-reading the thread, I see the point --- old NetBSD has a weird > OpenSSL version that this would break. OK, let's stay compatible > with that on the back branches. So, your patch on HEAD and Daniel's > in the back branches is the

Re: Update minimum SSL version

2019-12-05 Thread Tom Lane
Michael Paquier writes: > About clear_options, my take is to remove the check on HEAD, and to > apply Daniel's patch on *all* stable branches because I think that we > should not break the business that happened with NetBSD 5 on already > released branches. Does that sound good? OK, re-reading

Re: Update minimum SSL version

2019-12-05 Thread Michael Paquier
On Thu, Dec 05, 2019 at 07:41:14PM -0500, Tom Lane wrote: > It'd be possible to also backpatch the other thread's > 0001-Remove-configure-checks-for-SSL_get_current_compress.patch > as far as v10, but I'm less excited about that -- it'd just save > a few configure cycles, no? Yeah. I'd try not

Re: Update minimum SSL version

2019-12-05 Thread Tom Lane
Daniel Gustafsson writes: > On 5 Dec 2019, at 15:50, Tom Lane wrote: >> What I'd like to know is whether not >> realizing that SSL_clear_options is present causes any functional >> issues that would justify back-patching a fix. > ISTM that SSL_clear_options is required for turning on

Re: Update minimum SSL version

2019-12-05 Thread Daniel Gustafsson
> On 5 Dec 2019, at 15:50, Tom Lane wrote: > > Daniel Gustafsson writes: >>> On 5 Dec 2019, at 02:48, Michael Paquier wrote: >>> So it seems to me that we are able to correctly >>> detect the presence of this function in the configure checks if >>> building with 1.1.0~, but not other versions.

Re: Update minimum SSL version

2019-12-05 Thread Tom Lane
Daniel Gustafsson writes: >> On 5 Dec 2019, at 02:48, Michael Paquier wrote: >> So it seems to me that we are able to correctly >> detect the presence of this function in the configure checks if >> building with 1.1.0~, but not other versions. > Yes, we can't use AC_CHECK_FUNCS but would need

Re: Update minimum SSL version

2019-12-05 Thread Daniel Gustafsson
> On 5 Dec 2019, at 02:48, Michael Paquier wrote: > > On Mon, Dec 02, 2019 at 02:09:51PM +0100, Daniel Gustafsson wrote: >> However, looking at the signatures detected by autoconf we can however get an >> idea of which version is used. SSL_clear_options and >> X509_get_signature_nid() >> first

Re: Update minimum SSL version

2019-12-04 Thread Tom Lane
Peter Eisentraut writes: > On 2019-12-04 13:53, Tom Lane wrote: >> So, what exactly are we going to set as the new minimum version in >> each case? I'll have to go update my trailing-edge-Johnnie buildfarm >> critters, and it'd make sense to have them continue to test the >> oldest

Re: Update minimum SSL version

2019-12-04 Thread Michael Paquier
On Mon, Dec 02, 2019 at 02:09:51PM +0100, Daniel Gustafsson wrote: > However, looking at the signatures detected by autoconf we can however get an > idea of which version is used. SSL_clear_options and X509_get_signature_nid() > first shipped in 1.0.2, while SSL_get_current_compression first

Re: Update minimum SSL version

2019-12-04 Thread Peter Eisentraut
On 2019-12-04 09:20, Michael Paquier wrote: On Wed, Dec 04, 2019 at 09:10:04AM +0100, Peter Eisentraut wrote: This would mean we'd stop support for RHEL 5, which is probably OK, seeing that even the super-extended support ends in November 2020. Sounds like a plan. I can work on the OpenSSL

Re: Update minimum SSL version

2019-12-04 Thread Peter Eisentraut
On 2019-12-04 13:53, Tom Lane wrote: So, what exactly are we going to set as the new minimum version in each case? I'll have to go update my trailing-edge-Johnnie buildfarm critters, and it'd make sense to have them continue to test the oldest nominally-supported versions. For OpenSSL it seems

Re: Update minimum SSL version

2019-12-04 Thread Tom Lane
Peter Eisentraut writes: > On 2019-12-03 12:44, Magnus Hagander wrote: >> On Tue, Dec 3, 2019 at 12:09 PM Michael Paquier > > wrote: >> On Tue, Dec 03, 2019 at 10:10:57AM +0100, Magnus Hagander wrote: >>> Is 1.0.1 considered a separate major from 1.0.0, in this

Re: Update minimum SSL version

2019-12-04 Thread Michael Paquier
On Wed, Dec 04, 2019 at 09:10:04AM +0100, Peter Eisentraut wrote: > This would mean we'd stop support for RHEL 5, which is probably OK, seeing > that even the super-extended support ends in November 2020. Sounds like a plan. I can work on the OpenSSL part, if you need help of course. And if

Re: Update minimum SSL version

2019-12-04 Thread Peter Eisentraut
On 2019-12-03 12:44, Magnus Hagander wrote: On Tue, Dec 3, 2019 at 12:09 PM Michael Paquier > wrote: On Tue, Dec 03, 2019 at 10:10:57AM +0100, Magnus Hagander wrote: > Is 1.0.1 considered a separate major from 1.0.0, in this reasoning? Because >

Re: Update minimum SSL version

2019-12-03 Thread Peter Eisentraut
On 2019-12-02 17:39, Tom Lane wrote: Robert Haas writes: ... However, it would be worth putting in some effort to make sure that we give a good error message if this happens. That's an excellent point, but it looks like we're pretty good already. I tried the patch with openssl 0.9.8x, and

Re: Update minimum SSL version

2019-12-03 Thread Magnus Hagander
On Tue, Dec 3, 2019 at 12:09 PM Michael Paquier wrote: > On Tue, Dec 03, 2019 at 10:10:57AM +0100, Magnus Hagander wrote: > > Is 1.0.1 considered a separate major from 1.0.0, in this reasoning? > Because > > while retiring 1.0.0 should probably not be that terrible, 1.0.1 is still > > in very

Re: Update minimum SSL version

2019-12-03 Thread Michael Paquier
On Tue, Dec 03, 2019 at 10:10:57AM +0100, Magnus Hagander wrote: > Is 1.0.1 considered a separate major from 1.0.0, in this reasoning? Because > while retiring 1.0.0 should probably not be that terrible, 1.0.1 is still > in very widespread use on most long term supported distributions. 1.0.1 and

Re: Update minimum SSL version

2019-12-03 Thread Magnus Hagander
On Tue, Dec 3, 2019 at 4:53 AM Michael Paquier wrote: > On Mon, Dec 02, 2019 at 12:51:26PM -0500, Tom Lane wrote: > > Yah. Although, looking at the code in be-secure-openssl.c, > > it doesn't look that hard to do in an extensible way. > > Something like (untested) > > While we are on the

Re: Update minimum SSL version

2019-12-02 Thread Michael Paquier
On Mon, Dec 02, 2019 at 12:51:26PM -0500, Tom Lane wrote: > Yah. Although, looking at the code in be-secure-openssl.c, > it doesn't look that hard to do in an extensible way. > Something like (untested) While we are on the topic... Here is another wild idea. We discussed not so long ago about

Re: Update minimum SSL version

2019-12-02 Thread Michael Paquier
On Mon, Dec 02, 2019 at 09:59:44AM -0500, Tom Lane wrote: > Is there a simple way to ask the library itself for version info? > It might be worth the cycles to have configure run a small test > program to extract and print that data (not on cross-compile > builds, of course). SSLeay_version():

Re: Update minimum SSL version

2019-12-02 Thread Tom Lane
Robert Haas writes: > On Mon, Dec 2, 2019 at 11:39 AM Tom Lane wrote: >> Maybe it'd be worth extending that to show the max supported >> version, with some rats-nest of #ifdefs, but I'm not sure if >> it's worth the trouble. > Especially if we mess up the #ifdefs. :-) Yah. Although, looking

Re: Update minimum SSL version

2019-12-02 Thread Robert Haas
On Mon, Dec 2, 2019 at 11:39 AM Tom Lane wrote: > That's an excellent point, but it looks like we're pretty good > already. I tried the patch with openssl 0.9.8x, and got this > failure at server start: > > FATAL: ssl_min_protocol_version setting TLSv1.2 not supported by this build Oh, that's

Re: Update minimum SSL version

2019-12-02 Thread Tom Lane
Robert Haas writes: > ... However, it would be worth putting in some > effort to make sure that we give a good error message if this happens. That's an excellent point, but it looks like we're pretty good already. I tried the patch with openssl 0.9.8x, and got this failure at server start:

Re: Update minimum SSL version

2019-12-02 Thread Robert Haas
On Fri, Nov 29, 2019 at 9:44 PM Michael Paquier wrote: > Actually, no, what I am writing here is incorrect. We should make > sure of that the default configuration is correct at initdb time, and > the patch does not do that. I think that would be overkill. There shouldn't be many people who are

Re: Update minimum SSL version

2019-12-02 Thread Daniel Gustafsson
> On 2 Dec 2019, at 15:59, Tom Lane wrote: > Is there a simple way to ask the library itself for version info? > It might be worth the cycles to have configure run a small test > program to extract and print that data (not on cross-compile > builds, of course). Asking the lib is easy, making

Re: Update minimum SSL version

2019-12-02 Thread Tom Lane
Peter Eisentraut writes: > On 2019-11-30 04:06, Tom Lane wrote: >> I think the real question we have to answer is this: are we intent on >> making people upgrade ancient openssl installations? > The trade-off is that this makes the defaults better for the vast > majority of users and gives

Re: Update minimum SSL version

2019-12-02 Thread Tom Lane
Daniel Gustafsson writes: > On 30 Nov 2019, at 03:43, Michael Paquier wrote: >> The buildfarm logs don't directly report the version of OpenSSL used >> as far as I recalled, and a quick lookup shows that.. > Not explicitly, but it would be nice if it did. Since the version depends > on >

Re: Update minimum SSL version

2019-12-02 Thread Daniel Gustafsson
> On 30 Nov 2019, at 03:43, Michael Paquier wrote: > > On Fri, Nov 29, 2019 at 10:30:47AM -0500, Tom Lane wrote: >> What's the impact going to be on buildfarm members with older openssl >> installations? Perhaps "none", if they aren't running the ssl test >> suite, but we should be clear about

Re: Update minimum SSL version

2019-12-02 Thread Peter Eisentraut
On 2019-11-30 04:06, Tom Lane wrote: I think the real question we have to answer is this: are we intent on making people upgrade ancient openssl installations? If so, shouldn't we be doing something even more aggressive than this? If not, wouldn't the patch need to try to autoconfigure the

Re: Update minimum SSL version

2019-12-02 Thread Peter Eisentraut
On 2019-11-29 16:30, Tom Lane wrote: Michael Paquier writes: On Fri, Nov 29, 2019 at 01:40:48PM +0100, Magnus Hagander wrote: +1. As long as we still have support to change it down if needed, it's a good thing to ship with a proper default. +1. What's the impact going to be on buildfarm

Re: Update minimum SSL version

2019-11-29 Thread Tom Lane
Michael Paquier writes: > On Fri, Nov 29, 2019 at 10:30:47AM -0500, Tom Lane wrote: >> What's the impact going to be on buildfarm members with older openssl >> installations? Perhaps "none", if they aren't running the ssl test >> suite, but we should be clear about it. > Actually, no, what I am

Re: Update minimum SSL version

2019-11-29 Thread Michael Paquier
On Fri, Nov 29, 2019 at 10:30:47AM -0500, Tom Lane wrote: > What's the impact going to be on buildfarm members with older openssl > installations? Perhaps "none", if they aren't running the ssl test > suite, but we should be clear about it. The buildfarm logs don't directly report the version of

Re: Update minimum SSL version

2019-11-29 Thread Tom Lane
Michael Paquier writes: > On Fri, Nov 29, 2019 at 01:40:48PM +0100, Magnus Hagander wrote: >> +1. As long as we still have support to change it down if needed, it's a >> good thing to ship with a proper default. > +1. What's the impact going to be on buildfarm members with older openssl

Re: Update minimum SSL version

2019-11-29 Thread Michael Paquier
On Fri, Nov 29, 2019 at 01:40:48PM +0100, Magnus Hagander wrote: > +1. As long as we still have support to change it down if needed, it's a > good thing to ship with a proper default. +1. -- Michael

Re: Update minimum SSL version

2019-11-29 Thread Magnus Hagander
On Fri, Nov 29, 2019 at 11:10 AM Daniel Gustafsson wrote: > > On 29 Nov 2019, at 08:36, Peter Eisentraut <peter.eisentr...@2ndquadrant.com> wrote: > > > > I propose to change the default of ssl_min_protocol_version to TLSv1.2 > (from TLSv1, which means 1.0). Older versions would still be

Re: Update minimum SSL version

2019-11-29 Thread Daniel Gustafsson
> On 29 Nov 2019, at 08:36, Peter Eisentraut > wrote: > > I propose to change the default of ssl_min_protocol_version to TLSv1.2 (from > TLSv1, which means 1.0). Older versions would still be supported, just not > by default. +1 for having a sane default with a way to fall back to older