On Wed Jan 24, 2024 at 9:58 AM CST, Jelte Fennema-Nio wrote:
I ran into an SSL issue when using the MSYS2/MINGW build of Postgres
for the PgBouncer test suite. Postgres crashed whenever you tried to
open an ssl connection to it.
https://github.com/msys2/MINGW-packages/issues/19851
I'm wondering
I ran into an SSL issue when using the MSYS2/MINGW build of Postgres
for the PgBouncer test suite. Postgres crashed whenever you tried to
open an ssl connection to it.
https://github.com/msys2/MINGW-packages/issues/19851
I'm wondering if the issue described in this thread could be related
to the i
On 2023-Nov-29, Tom Lane wrote:
> Kind of odd that, with that mission statement, they are adding
> BIO_{get,set}_app_data on the justification that OpenSSL has it
> and Postgres is starting to use it. Nonetheless, that commit
> also seems to prove the point about lack of API/ABI stability.
As I
On Wed Nov 29, 2023 at 10:32 AM CST, Tom Lane wrote:
Daniel Gustafsson writes:
> On 29 Nov 2023, at 16:21, Tristan Partin wrote:
>> Funnily enough, here[0] is BoringSSL adding the BIO_{get,set}_app_data()
APIs.
> Still doesn't seem like a good candidate for a postgres TLS library since they
>
Daniel Gustafsson writes:
> On 29 Nov 2023, at 16:21, Tristan Partin wrote:
>> Funnily enough, here[0] is BoringSSL adding the BIO_{get,set}_app_data()
>> APIs.
> Still doesn't seem like a good candidate for a postgres TLS library since they
> themselves claim:
>"Although BoringSSL is an op
> On 29 Nov 2023, at 16:21, Tristan Partin wrote:
>
> On Tue Nov 28, 2023 at 9:42 AM CST, Tom Lane wrote:
>> "Tristan Partin" writes:
>> > When you say "this" are you referring to the patch I sent or adding
>> > support for BoringSSL?
>>
>> I have no interest in supporting BoringSSL.
>
> Fu
On Tue Nov 28, 2023 at 9:42 AM CST, Tom Lane wrote:
"Tristan Partin" writes:
> When you say "this" are you referring to the patch I sent or adding
> support for BoringSSL?
I have no interest in supporting BoringSSL.
Funnily enough, here[0] is BoringSSL adding the BIO_{get,set}_app_data()
A
FTR, I've pushed this and the buildfarm seems happy. In particular,
I just updated indri to the latest MacPorts packages including
OpenSSL 3.2.0, so we'll have coverage of that going forward.
regards, tom lane
On Tue Nov 28, 2023 at 10:06 AM CST, Tom Lane wrote:
"Tristan Partin" writes:
> On Tue Nov 28, 2023 at 9:42 AM CST, Tom Lane wrote:
>> I have no interest in supporting BoringSSL. I just replied to
>> Daniel's comment because it seemed to resolve the last concern
>> about whether your patch is O
"Tristan Partin" writes:
> On Tue Nov 28, 2023 at 9:42 AM CST, Tom Lane wrote:
>> I have no interest in supporting BoringSSL. I just replied to
>> Daniel's comment because it seemed to resolve the last concern
>> about whether your patch is OK.
> If you haven't started fixing the tests, then I'l
On Tue Nov 28, 2023 at 9:42 AM CST, Tom Lane wrote:
"Tristan Partin" writes:
> When you say "this" are you referring to the patch I sent or adding
> support for BoringSSL?
I have no interest in supporting BoringSSL. I just replied to
Daniel's comment because it seemed to resolve the last con
"Tristan Partin" writes:
> When you say "this" are you referring to the patch I sent or adding
> support for BoringSSL?
I have no interest in supporting BoringSSL. I just replied to
Daniel's comment because it seemed to resolve the last concern
about whether your patch is OK.
On Tue Nov 28, 2023 at 9:31 AM CST, Tom Lane wrote:
"Tristan Partin" writes:
> How are you guys running the tests? I have PG_TEST_EXTRA=ssl and
> everything passes for me. Granted, I am using the Meson build.
I'm doing what it says in test/ssl/README:
make check PG_TEST_EXTRA=ssl
I
"Tristan Partin" writes:
> How are you guys running the tests? I have PG_TEST_EXTRA=ssl and
> everything passes for me. Granted, I am using the Meson build.
I'm doing what it says in test/ssl/README:
make check PG_TEST_EXTRA=ssl
I don't know whether the meson build has support for runn
How are you guys running the tests? I have PG_TEST_EXTRA=ssl and
everything passes for me. Granted, I am using the Meson build.
--
Tristan Partin
Neon (https://neon.tech)
On Tue Nov 28, 2023 at 9:00 AM CST, Tom Lane wrote:
Daniel Gustafsson writes:
> That's not an issue, we don't support building with BoringSSL.
Right. I'll work on getting this pushed, unless someone else
is already on it?
When you say "this" are you referring to the patch I sent or adding
su
Daniel Gustafsson writes:
> That's not an issue, we don't support building with BoringSSL.
Right. I'll work on getting this pushed, unless someone else
is already on it?
regards, tom lane
> On 28 Nov 2023, at 01:29, Bo Anderson wrote:
> It probably doesn’t exist in BoringSSL but neither does a lot of things.
That's not an issue, we don't support building with BoringSSL.
--
Daniel Gustafsson
It was first added in SSLeay 0.8.1 which predates OpenSSL let alone the
LibreSSL fork.
It probably doesn’t exist in BoringSSL but neither does a lot of things.
> On 28 Nov 2023, at 00:21, Tom Lane wrote:
>
> Michael Paquier writes:
>> Interesting. I have yet to look at that in details, but
Michael Paquier writes:
> Or even simpler: plant a (ssl\/tls|sslv3) in these strings.
Yeah, weakening the pattern match was what I had in mind.
I was thinking of something like "ssl[a-z0-9/]*" but your
proposal works too.
regards, tom lane
On Tue, Nov 28, 2023 at 12:55:37PM +0900, Michael Paquier wrote:
> Sigh. We could use an extra check_pg_config() with a routine new in
> 3.2.0. Looking at CHANGES.md, SSL_get0_group_name() seems to be one
> generic choice here.
Or even simpler: plant a (ssl\/tls|sslv3) in these strings.
--
Micha
On Mon, Nov 27, 2023 at 09:04:23PM -0500, Tom Lane wrote:
> I can confirm that we also fail when using up-to-date MacPorts, which
> seems to have started shipping 3.2.0 last week or so. I tried the v3
> patch, and while that stops the crash, it looks like 3.2.0 has also
> made some random changes
On Mon, Nov 27, 2023 at 08:32:28PM -0500, Tom Lane wrote:
> Since this is something we'd need to back-patch, OpenSSL 0.9.8
> and later are relevant: the v12 branch still supports those.
> It's moot given Bo's claim about the origin of the function,
> though.
Yep, unfortunately this needs to be che
I can confirm that we also fail when using up-to-date MacPorts, which
seems to have started shipping 3.2.0 last week or so. I tried the v3
patch, and while that stops the crash, it looks like 3.2.0 has also
made some random changes in error messages:
# +++ tap check in src/test/ssl +++
t/001_sslt
"Tristan Partin" writes:
> On Mon Nov 27, 2023 at 7:14 PM CST, Tom Lane wrote:
>> ... If the function
>> does exist in 0.9.8 then I concur that we don't need to test.
> I have gone back all the way to 1.0.0 and confirmed that the function
> exists. Didn't choose to go further than that since Pos
On Mon Nov 27, 2023 at 7:14 PM CST, Tom Lane wrote:
"Tristan Partin" writes:
> On Mon Nov 27, 2023 at 6:21 PM CST, Tom Lane wrote:
>> What about LibreSSL? In general, I'm not too pleased with just assuming
>> that BIO_get_app_data exists.
> Falling back to what existed before is invalid.
Well
"Tristan Partin" writes:
> On Mon Nov 27, 2023 at 6:21 PM CST, Tom Lane wrote:
>> What about LibreSSL? In general, I'm not too pleased with just assuming
>> that BIO_get_app_data exists.
> Falling back to what existed before is invalid.
Well, sure it only worked by accident, but it did work wit
On Mon Nov 27, 2023 at 6:21 PM CST, Tom Lane wrote:
Michael Paquier writes:
> Interesting. I have yet to look at that in details, but
> BIO_get_app_data() exists down to 0.9.8, which is the oldest version
> we need to support for stable branches. So that looks like a safe
> bet.
What about Li
Michael Paquier writes:
> Interesting. I have yet to look at that in details, but
> BIO_get_app_data() exists down to 0.9.8, which is the oldest version
> we need to support for stable branches. So that looks like a safe
> bet.
What about LibreSSL? In general, I'm not too pleased with just ass
On Mon Nov 27, 2023 at 5:53 PM CST, Michael Paquier wrote:
On Mon, Nov 27, 2023 at 12:33:49PM -0600, Tristan Partin wrote:
> -#ifndef HAVE_BIO_GET_DATA
> -#define BIO_get_data(bio) (bio->ptr)
> -#define BIO_set_data(bio, data) (bio->ptr = data)
> -#endif
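Review bot: with the `#ifndef HAVE_BIO_GET_DATA` fallback removed here, any call to BIO_get_data() or BIO_set_data() left elsewhere in the tree stops compiling against libraries that lack those functions. Confirm every call site is converted in this patch, and drop the build-system check that defines HAVE_BIO_GET_DATA, since nothing consumes it once these lines are gone.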
Shouldn't this patch do a refresh of conf
On Mon, Nov 27, 2023 at 12:33:49PM -0600, Tristan Partin wrote:
> - res = secure_raw_read(((Port *) BIO_get_data(h)), buf, size);
> + res = secure_raw_read(((Port *) BIO_get_app_data(h)), buf,
> size);
> BIO_clear_retry_flags(h);
> if (res <= 0)
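Review bot: the read callback casts the result of BIO_get_app_data(h) straight to `Port *` and passes it to secure_raw_read() with no check that app data was ever set on this BIO. An assertion that the pointer is non-NULL before the call would turn a missed BIO_set_app_data() into an immediate, diagnosable failure instead of a crash inside the raw read path.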
Here is a v2 which adds back a comment that was not meant to be removed.
--
Tristan Partin
Neon (https://neon.tech)
From 4bcb73eab9ceba950581a890c52820a81134f7e4 Mon Sep 17 00:00:00 2001
From: Tristan Partin
Date: Mon, 27 Nov 2023 11:49:52 -0600
Subject: [PATCH v2] Use BIO_{get,set}_app_data() i
Nazir,
Thanks for opening a thread. Was just about to start one, here's what we
came up with so far.
Homebrew users discovered a regression[0] when using Postgres compiled
and linked against OpenSSL version 3.2.
$ psql "postgresql://$DB?sslmode=require"
psql: error: connection to server at "r
Hi,
SSL tests fail on OpenSSL v3.2.0. I tested both on macOS (CI) and
debian (my local) and both failed with the same errors. To trigger
these errors on CI, you may need to clear the repository cache;
otherwise macOS won't install the v3.2.0 of the OpenSSL.
001_ssltests:
psql exited with s