Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2017-04-16 Thread Tom Lane
Andreas Karlsson writes: > On 04/16/2017 03:14 AM, Tom Lane wrote: >> 1. Back-patch that patch, probably also including the followup adjustments >> in 86029b31e and 36a3be654. > Given that I cannot recall seeing any complaints about the behavior of > 9.4 compared to 9.3 I am

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2017-04-16 Thread Andreas Karlsson
On 04/16/2017 03:14 AM, Tom Lane wrote: 1. Back-patch that patch, probably also including the followup adjustments in 86029b31e and 36a3be654. 2. Add #if's to use 31cf1a1a4's coding with OpenSSL >= 1.1, while keeping the older code for use when built against older OpenSSLs. 3.

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2017-04-15 Thread Tom Lane
I wrote: > If we want to go any further back with 1.1 support, we have a range > of options: > 1. Back-patch that patch, probably also including the followup adjustments > in 86029b31e and 36a3be654. > 2. Add #if's to use 31cf1a1a4's coding with OpenSSL >= 1.1, while keeping >the older code

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2017-04-15 Thread Tom Lane
Andreas Karlsson writes: > On 09/15/2016 05:38 PM, Alvaro Herrera wrote: >> I suppose some interested party could grab the patch that Heikki >> committed to the new branches and produce a back-patch that can be >> applied to the older branches. > Here is the result of

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-09-17 Thread Andreas Karlsson
On 09/16/2016 04:11 PM, Christoph Berg wrote: Thanks for the patch! I just tried to apply it to 9.2. There was a conflict in configure.in which was trivial to resolve. Another conflict in contrib/pgcrypto/pgcrypto.c was not applicable because the code doesn't seem to exist (didn't try very

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-09-16 Thread Christoph Berg
Re: To Heikki Linnakangas 2016-09-15 <20160915213406.2mjlhcg7px3sa...@msg.df7cb.de> > > Can you elaborate? Are you saying that Debian 9 (stretch) will not ship > > OpenSSL 1.0.2 anymore, and will require using OpenSSL 1.1.0? > > I thought that was the plan, but upon asking on #debian-devel, it >

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-09-15 Thread Tom Lane
Andreas Karlsson writes: > On 09/15/2016 05:38 PM, Alvaro Herrera wrote: >> I suppose some interested party could grab the patch that Heikki >> committed to the new branches and produce a back-patch that can be >> applied to the older branches. > Here is the result of

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-09-15 Thread Andreas Karlsson
On 09/15/2016 05:38 PM, Alvaro Herrera wrote: I suppose some interested party could grab the patch that Heikki committed to the new branches and produce a back-patch that can be applied to the older branches. Here is the result of backporting the sum of the two patches on top of

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-09-15 Thread Christoph Berg
Re: Heikki Linnakangas 2016-09-15 <7e4991a9-410f-5e1f-2a3a-e918e4a4b...@iki.fi> > > I'm afraid it's not that easy - Debian 9 (stretch) will release at the > > beginning of next year, and apt.postgresql.org will want to build > > 9.2/9.3/9.4 for that distribution. I guess yum.postgresql.org will >

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-09-15 Thread Heikki Linnakangas
On 09/15/2016 05:33 PM, Christoph Berg wrote: Re: Michael Paquier 2016-09-15 On Thu, Sep 15, 2016 at 8:57 PM, Heikki Linnakangas wrote: I backpatched this to 9.5, but not further than that. The functions

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-09-15 Thread Alvaro Herrera
Christoph Berg wrote: > Re: Michael Paquier 2016-09-15 > > > On Thu, Sep 15, 2016 at 8:57 PM, Heikki Linnakangas wrote: > > > I backpatched this to 9.5, but not further than that. The functions this > > >

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-09-15 Thread Christoph Berg
Re: Michael Paquier 2016-09-15 > On Thu, Sep 15, 2016 at 8:57 PM, Heikki Linnakangas wrote: > > I backpatched this to 9.5, but not further than that. The functions this > > modified were moved around in 9.5, so

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-09-15 Thread Michael Paquier
On Thu, Sep 15, 2016 at 8:57 PM, Heikki Linnakangas wrote: > I backpatched this to 9.5, but not further than that. The functions this > modified were moved around in 9.5, so the patch wouldn't apply as is. It > wouldn't be difficult to back-patch further if there's demand, but

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-09-15 Thread Heikki Linnakangas
On 09/15/2016 03:16 AM, Andreas Karlsson wrote: Now for a review: It looks generally good but I think I saw one error. In fe-secure-openssl.c your code still calls SSL_library_init() in OpenSSL 1.1. I think it should be enough to just call OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL) like

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-09-14 Thread Andreas Karlsson
On 09/15/2016 02:03 AM, Andreas Karlsson wrote: On 09/12/2016 06:51 PM, Heikki Linnakangas wrote: Changes since last version: * Added more error checks to the my_BIO_s_socket() function. Check for NULL result from malloc(). Check the return code of BIO_meth_set_*() functions; looking at

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-09-14 Thread Andreas Karlsson
On 09/12/2016 06:51 PM, Heikki Linnakangas wrote: Changes since last version: * Added more error checks to the my_BIO_s_socket() function. Check for NULL result from malloc(). Check the return code of BIO_meth_set_*() functions; looking at OpenSSL sources, they always succeed, but all the

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-09-12 Thread Michael Paquier
On Tue, Sep 13, 2016 at 1:51 AM, Heikki Linnakangas wrote: > I planned to commit this today, but while reading through it and testing, I > ended up doing a bunch more changes, so this deserves another round of > review. OK, I am giving it a try. Note to people using OSX: at

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-09-12 Thread Heikki Linnakangas
On 09/05/2016 02:52 PM, Heikki Linnakangas wrote: On 09/05/2016 03:23 AM, Tom Lane wrote: Judging by the number of people who have popped up recently with their own OpenSSL 1.1 patches, I think there is going to be a lot of demand for back-patching some sort of 1.1 support into our back

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-09-05 Thread Heikki Linnakangas
On 09/05/2016 03:12 AM, Andreas Karlsson wrote: On 08/30/2016 08:42 AM, Heikki Linnakangas wrote: There's the ResourceOwner mechanism, see src/backend/utils/resowner/. That would be the proper way to do this. Call RegisterResourceReleaseCallback() when the context is allocated, and have the

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-09-04 Thread Michael Paquier
On Mon, Sep 5, 2016 at 9:32 AM, Andreas Karlsson wrote: > On 09/05/2016 02:23 AM, Tom Lane wrote: >> >> Judging by the number of people who have popped up recently with their >> own OpenSSL 1.1 patches, I think there is going to be a lot of demand for >> back-patching some sort

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-09-04 Thread Andreas Karlsson
On 09/05/2016 02:23 AM, Tom Lane wrote: Judging by the number of people who have popped up recently with their own OpenSSL 1.1 patches, I think there is going to be a lot of demand for back-patching some sort of 1.1 support into our back branches. All this talk of refactoring does not sound

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-09-04 Thread Tom Lane
Andreas Karlsson writes: > On 08/30/2016 08:42 AM, Heikki Linnakangas wrote: >> PS. I just remembered that I've wanted to refactor the pgcrypto calls >> for symmetric encryption to use the newer EVP API for some time, and >> even posted a patch for that >>

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-09-04 Thread Andreas Karlsson
On 08/30/2016 08:42 AM, Heikki Linnakangas wrote: There's the ResourceOwner mechanism, see src/backend/utils/resowner/. That would be the proper way to do this. Call RegisterResourceReleaseCallback() when the context is allocated, and have the callback free it. One pitfall to watch out for is

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-08-30 Thread Heikki Linnakangas
On 08/30/2016 03:26 AM, Andreas Karlsson wrote: On 08/26/2016 11:31 AM, Heikki Linnakangas wrote: On 07/05/2016 04:46 PM, Andreas Karlsson wrote: @@ -280,8 +287,9 @@ px_find_digest(const char *name, PX_MD **res) digest = px_alloc(sizeof(*digest)); digest->algo = md; -

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-08-29 Thread Andreas Karlsson
On 08/26/2016 11:31 AM, Heikki Linnakangas wrote: On 07/05/2016 04:46 PM, Andreas Karlsson wrote: @@ -280,8 +287,9 @@ px_find_digest(const char *name, PX_MD **res) digest = px_alloc(sizeof(*digest)); digest->algo = md; -EVP_MD_CTX_init(>ctx); -if (EVP_DigestInit_ex(>ctx,

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-08-29 Thread Andreas Karlsson
On 08/29/2016 07:22 PM, Heikki Linnakangas wrote: Pushed with some small doc fixes, thanks Andreas! I'll continue reviewing the rest of the patches. Thanks! Andreas

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-08-29 Thread Rémi Zara
> On 29 August 2016 at 19:46, Heikki Linnakangas wrote: > > > Tom, Rémi, can you fix locust and prairiedog, please, by updating OpenSSL or > removing --with-openssl? > Hi, Should be OK for locust on next build. Rémi

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-08-29 Thread Tom Lane
Heikki Linnakangas writes: > Buildfarm animals "locust" and "prairiedog" are not happy with this. > They seem to be using OpenSSL 0.9.7, as they failed with errors related > to those ECDH calls: prairiedog definitely is, and since locust is also an ancient OS X version, that's

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-08-29 Thread Heikki Linnakangas
On 08/29/2016 08:22 PM, Heikki Linnakangas wrote: On 08/27/2016 05:15 PM, Peter Eisentraut wrote: On 8/26/16 9:26 PM, Andreas Karlsson wrote: I have attached a patch which removes the < 0.9.8 compatibility code. Should we also add a version check to configure? We do not have any such check

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-08-29 Thread Heikki Linnakangas
On 08/27/2016 05:15 PM, Peter Eisentraut wrote: On 8/26/16 9:26 PM, Andreas Karlsson wrote: I have attached a patch which removes the < 0.9.8 compatibility code. Should we also add a version check to configure? We do not have any such check currently. I think that is not necessary. I was

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-08-27 Thread Peter Eisentraut
On 8/26/16 9:26 PM, Andreas Karlsson wrote: > I have attached a patch which removes the < 0.9.8 compatibility code. > Should we also add a version check to configure? We do not have any such > check currently. I think that is not necessary. -- Peter Eisentraut

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-08-27 Thread Michael Paquier
On Sat, Aug 27, 2016 at 2:04 AM, Heikki Linnakangas wrote: > On 08/26/2016 07:44 PM, Tom Lane wrote: >> Peter Eisentraut writes: >> Also, I get this on fully-up-to-date OS X (El Capitan): >> >> $ openssl version >> OpenSSL 0.9.8zh 14 Jan 2016 >

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-08-26 Thread Andreas Karlsson
On 08/26/2016 07:04 PM, Heikki Linnakangas wrote: On 08/26/2016 07:44 PM, Tom Lane wrote: Peter Eisentraut writes: On 8/26/16 5:31 AM, Heikki Linnakangas wrote: I think now would be a good time to drop support for OpenSSL versions older than 0.9.8. OpenSSL

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-08-26 Thread Tom Lane
Heikki Linnakangas writes: > Yeah, they want people to move to their own SSL library [1]. > [1] I couldn't find any official statement, but lots of blog posts > saying the same thing. As I recall, the deprecation warning messages said that in so many words. That probably

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-08-26 Thread Heikki Linnakangas
On 08/26/2016 07:44 PM, Tom Lane wrote: Peter Eisentraut writes: On 8/26/16 5:31 AM, Heikki Linnakangas wrote: I think now would be a good time to drop support for OpenSSL versions older than 0.9.8. OpenSSL don't even support 0.9.8 anymore, although there are

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-08-26 Thread Tom Lane
Peter Eisentraut writes: > On 8/26/16 5:31 AM, Heikki Linnakangas wrote: >> I think now would be a good time to drop support for OpenSSL versions >> older than 0.9.8. OpenSSL don't even support 0.9.8 anymore, although >> there are probably distributions out

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-08-26 Thread Peter Eisentraut
On 8/26/16 5:31 AM, Heikki Linnakangas wrote: > I think now would be a good time to drop support for OpenSSL versions > older than 0.9.8. OpenSSL don't even support 0.9.8 anymore, although > there are probably distributions out there that still provide patches > for it. But OpenSSL 0.9.7 and

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-08-26 Thread Heikki Linnakangas
On 07/05/2016 04:46 PM, Andreas Karlsson wrote: @@ -280,8 +287,9 @@ px_find_digest(const char *name, PX_MD **res) digest = px_alloc(sizeof(*digest)); digest->algo = md; - EVP_MD_CTX_init(>ctx); - if (EVP_DigestInit_ex(>ctx, digest->algo, NULL) == 0) +

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-07-05 Thread Andreas Karlsson
On 07/05/2016 11:13 AM, Victor Wagner wrote: On Fri, 1 Jul 2016 02:27:03 +0200 Andreas Karlsson wrote: 0003-Remove-OpenSSL-1.1-deprecation-warnings.patch Silence all warnings. This commit changes more things and is not necessary for getting PostgreSQL to build against 1.1.

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-07-05 Thread Victor Wagner
On Fri, 1 Jul 2016 02:27:03 +0200 Andreas Karlsson wrote: > 0003-Remove-OpenSSL-1.1-deprecation-warnings.patch > > Silence all warnings. This commit changes more things and is not > necessary for getting PostgreSQL to build against 1.1. This patch breaks feature, which

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-07-02 Thread Christoph Berg
Re: Andreas Karlsson 2016-07-02 > On 07/01/2016 11:41 AM, Christoph Berg wrote: > > thanks for the patches. I applied all there patches on top of HEAD > > (10c0558f). The server builds and passes "make check", pgcrypto still > > needs work, though:

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-07-01 Thread Andreas Karlsson
On 07/02/2016 02:45 AM, Andreas Karlsson wrote: On 07/02/2016 02:28 AM, Alvaro Herrera wrote: Generally, version number tests sprinkled all over the place are not terribly nice. I think it would be better to get configure to define a symbol like HAVE_BIO_METH_NEW. Not sure about the other

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-07-01 Thread Andreas Karlsson
On 07/02/2016 02:28 AM, Alvaro Herrera wrote: static BIO_METHOD * my_BIO_s_socket(void) { - if (!my_bio_initialized) + if (!my_bio_methods) { - memcpy(_bio_methods, BIO_s_socket(), sizeof(BIO_METHOD)); - my_bio_methods.bread = my_sock_read; -

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-07-01 Thread Alvaro Herrera
Thanks for this effort. > static BIO_METHOD * > my_BIO_s_socket(void) > { > - if (!my_bio_initialized) > + if (!my_bio_methods) > { > - memcpy(_bio_methods, BIO_s_socket(), sizeof(BIO_METHOD)); > - my_bio_methods.bread = my_sock_read; > -

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-07-01 Thread Andreas Karlsson
On 07/01/2016 11:41 AM, Christoph Berg wrote: thanks for the patches. I applied all there patches on top of HEAD (10c0558f). The server builds and passes "make check", pgcrypto still needs work, though: Thanks, I had forgotten pgcrypto. When fixing pgcrypto I noticed that the OpenSSL team has

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-07-01 Thread Christoph Berg
Re: Andreas Karlsson 2016-07-01 <688a438c-ccc2-0431-7100-26e418fc3...@proxel.se> > Hi, > > Here is an initial set of patches related to OpenSSL 1.1. Everything should > still build fine on older OpenSSL versions (and did when I tested with > 1.0.2h). Hi Andreas, thanks for the patches. I

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-07-01 Thread Magnus Hagander
On Fri, Jul 1, 2016 at 10:10 AM, Michael Paquier wrote: > On Fri, Jul 1, 2016 at 5:02 PM, Magnus Hagander > wrote: > > Debian testing is still on 1.0.2h. > > Debian experimental is on 1.1.0pre5. > > > > Not sure where beta2 enters the discussion,

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-07-01 Thread Michael Paquier
On Fri, Jul 1, 2016 at 5:02 PM, Magnus Hagander wrote: > Debian testing is still on 1.0.2h. > Debian experimental is on 1.1.0pre5. > > Not sure where beta2 enters the discussion, it's not mentioned anywhere on > their site? Thanks. From the main page of openssl.org, pre5 is

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-07-01 Thread Magnus Hagander
On Fri, Jul 1, 2016 at 4:08 AM, Michael Paquier wrote: > On Fri, Jul 1, 2016 at 9:27 AM, Andreas Karlsson > wrote: > > Hi, > > > > Here is an initial set of patches related to OpenSSL 1.1. Everything > should > > still build fine on older OpenSSL

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-06-30 Thread Michael Paquier
On Fri, Jul 1, 2016 at 9:27 AM, Andreas Karlsson wrote: > Hi, > > Here is an initial set of patches related to OpenSSL 1.1. Everything should > still build fine on older OpenSSL versions (and did when I tested with > 1.0.2h). > > 0001-Fixes-for-compiling-with-OpenSSL-1.1.patch

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-06-30 Thread Andreas Karlsson
Hi, Here is an initial set of patches related to OpenSSL 1.1. Everything should still build fine on older OpenSSL versions (and did when I tested with 1.0.2h). 0001-Fixes-for-compiling-with-OpenSSL-1.1.patch This patch fixes the code so it builds with OpenSSL 1.1 (except the CRYPTO_LOCK

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-06-27 Thread Michael Paquier
On Tue, Jun 28, 2016 at 3:21 AM, Andreas Karlsson wrote: > Yes, we could do that, but I do not think we should check for the existence > of a backwards compatibility macro. Actually I think we may want to skip > much of the OpenSSL initialization code when compiling against

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-06-27 Thread Andreas Karlsson
On 06/27/2016 08:12 PM, Christoph Berg wrote: Re: Andreas Karlsson 2016-06-27 <8a0a5959-0b83-3dc8-d9e7-66ce8c1c5...@proxel.se> The errors you report make it sound like they broke API compatibility wholesale. Was that really their intent? If so, where are the changes documented? I do not see

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-06-27 Thread Christoph Berg
Re: Andreas Karlsson 2016-06-27 <8a0a5959-0b83-3dc8-d9e7-66ce8c1c5...@proxel.se> > > The errors you report make it sound like they broke API compatibility > > wholesale. Was that really their intent? If so, where are the changes > > documented? > > I do not see that they have documented the

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-06-27 Thread Andreas Karlsson
On 06/27/2016 05:24 PM, Tom Lane wrote: Christoph Berg writes: as reported by Debian's OpenSSL maintainers, PostgreSQL is failing to build against a snapshot of the upcoming 1.1.0 version. The errors you report make it sound like they broke API compatibility wholesale. Was

Re: [HACKERS] OpenSSL 1.1 breaks configure and more

2016-06-27 Thread Tom Lane
Christoph Berg writes: > as reported by Debian's OpenSSL maintainers, PostgreSQL is failing to > build against a snapshot of the upcoming 1.1.0 version. The errors you report make it sound like they broke API compatibility wholesale. Was that really their intent? If so, where

[HACKERS] OpenSSL 1.1 breaks configure and more

2016-06-27 Thread Christoph Berg
Hi, as reported by Debian's OpenSSL maintainers, PostgreSQL is failing to build against a snapshot of the upcoming 1.1.0 version. The report was for 9.5.3, but I can reproduce it in HEAD as well: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828510 > OpenSSL 1.1.0 is about to be released.