Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-09-10 Thread Daniel Gustafsson
> On 10 Sep 2024, at 10:01, Peter Eisentraut wrote: >> And pushed. All BF owners with animals using 1.0.2 have been notified but >> not >> all have been updated (or modified to skip SSL) so there will be some >> failing. > > A small follow-up for this: With the current minimum OpenSSL versio

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-09-10 Thread Peter Eisentraut
On 02.09.24 14:26, Daniel Gustafsson wrote: On 2 Sep 2024, at 10:03, Daniel Gustafsson wrote: On 23 Aug 2024, at 01:56, Michael Paquier wrote: On Thu, Aug 22, 2024 at 11:13:15PM +0200, Daniel Gustafsson wrote: On 22 Aug 2024, at 02:31, Michael Paquier wrote: Just do it :) That's my plan

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-09-02 Thread Daniel Gustafsson
> On 2 Sep 2024, at 10:03, Daniel Gustafsson wrote: > >> On 23 Aug 2024, at 01:56, Michael Paquier wrote: >> >> On Thu, Aug 22, 2024 at 11:13:15PM +0200, Daniel Gustafsson wrote: >>> On 22 Aug 2024, at 02:31, Michael Paquier wrote: Just do it :) >>> >>> That's my plan, I wanted to wait a

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-09-02 Thread Daniel Gustafsson
> On 23 Aug 2024, at 01:56, Michael Paquier wrote: > > On Thu, Aug 22, 2024 at 11:13:15PM +0200, Daniel Gustafsson wrote: >> On 22 Aug 2024, at 02:31, Michael Paquier wrote: >>> Just do it :) >> >> That's my plan, I wanted to wait a bit to see if anyone else chimed in with >> concerns. > > Coo

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-08-22 Thread Michael Paquier
On Thu, Aug 22, 2024 at 11:13:15PM +0200, Daniel Gustafsson wrote: > On 22 Aug 2024, at 02:31, Michael Paquier wrote: >> Just do it :) > > That's my plan, I wanted to wait a bit to see if anyone else chimed in with > concerns. Cool, thanks! -- Michael

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-08-22 Thread Daniel Gustafsson
> On 22 Aug 2024, at 02:31, Michael Paquier wrote: > > On Wed, Aug 21, 2024 at 10:48:38AM -0400, Joe Conway wrote: >> On 8/21/24 09:01, Peter Eisentraut wrote: >>> Is anything -- other than this inquiry -- preventing this patch set from >>> getting committed? That, and available time. >> The ov

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-08-21 Thread Michael Paquier
On Wed, Aug 21, 2024 at 10:48:38AM -0400, Joe Conway wrote: > On 8/21/24 09:01, Peter Eisentraut wrote: >> Is anything -- other than this inquiry -- preventing this patch set from >> getting committed? > > The overwhelming consensus seemed to be "just do it", so FWIW consider my > reservations wit

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-08-21 Thread Joe Conway
On 8/21/24 09:01, Peter Eisentraut wrote: On 07.08.24 15:49, Daniel Gustafsson wrote: On 5 Aug 2024, at 15:36, Joe Conway wrote: It would not shock me to see complaints from others after we rip out support for 1.0.2, but maybe not ¯\_(ツ)_/¯ I think it's highly likely that we will see comp

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-08-21 Thread Peter Eisentraut
On 07.08.24 15:49, Daniel Gustafsson wrote: On 5 Aug 2024, at 15:36, Joe Conway wrote: It would not shock me to see complaints from others after we rip out support for 1.0.2, but maybe not ¯\_(ツ)_/¯ I think it's highly likely that we will see complaints for any support we deprecate. OpenS

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-08-07 Thread Michael Paquier
> On Aug 7, 2024, at 22:49, Daniel Gustafsson wrote: > I think it's highly likely that we will see complaints for any support we > deprecate. OpenSSL 1.0.2 will however still be supported for another 5 years > with v17 (which is ~9 years past its EOL date) so I don't feel too bad about > it. I

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-08-07 Thread Daniel Gustafsson
> On 5 Aug 2024, at 15:36, Joe Conway wrote: > It would not shock me to see complaints from others after we rip out support > for 1.0.2, but maybe not ¯\_(ツ)_/¯ I think it's highly likely that we will see complaints for any support we deprecate. OpenSSL 1.0.2 will however still be supported fo

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-08-05 Thread Joe Conway
On 8/5/24 09:14, Tom Lane wrote: Joe Conway writes: I know I am way late to this thread, and I have only tried a cursory skim of it given the length, but have we made any kind of announcement (packagers at least?) that we intend to not support Postgres 18 with ssl on RHEL 7.9 and derivatives?

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-08-05 Thread Tom Lane
Joe Conway writes: > I know I am way late to this thread, and I have only tried a cursory > skim of it given the length, but have we made any kind of announcement > (packagers at least?) that we intend to not support Postgres 18 with ssl > on RHEL 7.9 and derivatives? Yes, RHEL 7 just passed EO

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-08-05 Thread Devrim Gündüz
Hi Joe, On Mon, 2024-08-05 at 08:38 -0400, Joe Conway wrote: > I know I am way late to this thread, and I have only tried a cursory > skim of it given the length, but have we made any kind of announcement > (packagers at least?) that we intend to not support Postgres 18 with > ssl on RHEL 7.9 an

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-08-05 Thread Joe Conway
On 7/15/24 17:42, Daniel Gustafsson wrote: On 14 Jul 2024, at 14:03, Peter Eisentraut wrote: On 12.07.24 21:42, Daniel Gustafsson wrote: On 11 Jul 2024, at 23:22, Peter Eisentraut wrote: The 0001 patch removes the functions pgtls_init_library() and pgtls_init() but keeps the declarations in l

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-07-15 Thread Daniel Gustafsson
> On 14 Jul 2024, at 14:03, Peter Eisentraut wrote: > > On 12.07.24 21:42, Daniel Gustafsson wrote: >>> On 11 Jul 2024, at 23:22, Peter Eisentraut wrote: >>> The 0001 patch removes the functions pgtls_init_library() and pgtls_init() >>> but keeps the declarations in libpq-int.h. This should be

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-07-14 Thread Peter Eisentraut
On 12.07.24 21:42, Daniel Gustafsson wrote: On 11 Jul 2024, at 23:22, Peter Eisentraut wrote: The 0001 patch removes the functions pgtls_init_library() and pgtls_init() but keeps the declarations in libpq-int.h. This should be fixed. Ah, nice catch. Done in the attached rebase. This pat

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-07-12 Thread Daniel Gustafsson
> On 11 Jul 2024, at 23:22, Peter Eisentraut wrote: > The 0001 patch removes the functions pgtls_init_library() and pgtls_init() > but keeps the declarations in libpq-int.h. This should be fixed. Ah, nice catch. Done in the attached rebase. -- Daniel Gustafsson v14-0002-Remove-pg_strong_ra

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-07-11 Thread Peter Eisentraut
On 07.05.24 11:36, Daniel Gustafsson wrote: Yeah, that depends on how much version you expect your application to work on. Still it seems to me that there's value in mentioning that if your application does not care about anything older than OpenSSL 1.1.0, like PG 18 assuming that this patch is

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-05-07 Thread Michael Paquier
On Tue, May 07, 2024 at 12:36:24PM +0200, Daniel Gustafsson wrote: > Fair enough. I've taken a stab at documenting that the functions are > deprecated, while at the same time documenting when and how they can be used > (and be useful). The attached also removes one additional comment in the > tes

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-05-07 Thread Daniel Gustafsson
> On 7 May 2024, at 01:31, Michael Paquier wrote: > > On Fri, May 03, 2024 at 10:39:15AM +0200, Daniel Gustafsson wrote: >> They are no-ops when linking against v18, but writing an extension which >> targets all supported versions of postgres along with their respective >> supported OpenSSL versi

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-05-06 Thread Michael Paquier
On Fri, May 03, 2024 at 10:39:15AM +0200, Daniel Gustafsson wrote: > They are no-ops when linking against v18, but writing an extension which > targets all supported versions of postgres along with their respective > supported OpenSSL versions make them still required, or am I missing > something?

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-05-04 Thread Daniel Gustafsson
> On 3 May 2024, at 21:21, Tom Lane wrote: > > Peter Eisentraut writes: >> On 03.05.24 10:39, Daniel Gustafsson wrote: >>> They are no-ops when linking against v18, but writing an extension which >>> targets all supported versions of postgres along with their respective >>> supported OpenSSL ver

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-05-03 Thread Tom Lane
Peter Eisentraut writes: > On 03.05.24 10:39, Daniel Gustafsson wrote: >> They are no-ops when linking against v18, but writing an extension which >> targets all supported versions of postgres along with their respective >> supported OpenSSL versions make them still required, or am I missing >> s

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-05-03 Thread Peter Eisentraut
On 03.05.24 10:39, Daniel Gustafsson wrote: I would recommend to update the documentation of PQinitSSL and PQinitOpenSSL to tell that these become useless and are deprecated. They are no-ops when linking against v18, but writing an extension which targets all supported versions of postgres alo

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-05-03 Thread Daniel Gustafsson
> On 1 May 2024, at 06:21, Michael Paquier wrote: > My remark was originally about pq_init_crypto_lib that does the > locking initialization, and your new patch a bit more, as of: > > ... > > So +1 to remove all this code after a closer lookup. Thanks for review. > I would > recommend to upd

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-30 Thread Michael Paquier
On Sat, Apr 27, 2024 at 08:33:55PM +0200, Daniel Gustafsson wrote: > > On 27 Apr 2024, at 20:32, Daniel Gustafsson wrote: > > > That's a good point, there is potential for more code removal here. The > > attached 0001 takes a stab at it while it's fresh in mind, I'll revisit > > before > > the

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-27 Thread Daniel Gustafsson
> On 27 Apr 2024, at 20:32, Daniel Gustafsson wrote: > That's a good point, there is potential for more code removal here. The > attached 0001 takes a stab at it while it's fresh in mind, I'll revisit before > the July CF to see if there is more that can be done. ..and again with the attachment

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-27 Thread Daniel Gustafsson
> On 25 Apr 2024, at 05:49, Michael Paquier wrote: > > On Wed, Apr 24, 2024 at 01:31:12PM +0200, Daniel Gustafsson wrote: >> Done. Attached are the two remaining patches, rebased over HEAD, for >> removing >> support for OpenSSL 1.0.2 in v18. Parking them in the commitfest for now. > > You hav

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-24 Thread Michael Paquier
On Wed, Apr 24, 2024 at 01:31:12PM +0200, Daniel Gustafsson wrote: > Done. Attached are the two remaining patches, rebased over HEAD, for removing > support for OpenSSL 1.0.2 in v18. Parking them in the commitfest for now. You have mentioned once upthread the documentation of PQinitOpenSSL():

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-24 Thread Daniel Gustafsson
> On 24 Apr 2024, at 00:20, Michael Paquier wrote: > > On Tue, Apr 23, 2024 at 10:08:13PM +0200, Daniel Gustafsson wrote: >> Hearing no objections to this plan (and the posted v10), I'll go ahead with >> 0001, 0003 and 0004 into v17 tomorrow. > > WFM, thanks. Done. Attached are the two remaini

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-23 Thread Michael Paquier
On Tue, Apr 23, 2024 at 10:08:13PM +0200, Daniel Gustafsson wrote: > Hearing no objections to this plan (and the posted v10), I'll go ahead with > 0001, 0003 and 0004 into v17 tomorrow. WFM, thanks. -- Michael

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-23 Thread Daniel Gustafsson
> On 19 Apr 2024, at 10:06, Peter Eisentraut wrote: > > On 19.04.24 07:37, Michael Paquier wrote: >> On Thu, Apr 18, 2024 at 12:53:43PM +0200, Peter Eisentraut wrote: >>> If everything is addressed, I agree that 0001, 0003, and 0004 can go into >>> PG17, the rest later. >> About the PG17 bits, wo

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-19 Thread Peter Eisentraut
On 19.04.24 07:37, Michael Paquier wrote: On Thu, Apr 18, 2024 at 12:53:43PM +0200, Peter Eisentraut wrote: If everything is addressed, I agree that 0001, 0003, and 0004 can go into PG17, the rest later. About the PG17 bits, would you agree about a backpatch? Or perhaps you disagree? I don'

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-18 Thread Daniel Gustafsson
> On 19 Apr 2024, at 07:37, Michael Paquier wrote: > > On Thu, Apr 18, 2024 at 12:53:43PM +0200, Peter Eisentraut wrote: >> If everything is addressed, I agree that 0001, 0003, and 0004 can go into >> PG17, the rest later. > > About the PG17 bits, would you agree about a backpatch? Or perhaps >

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-18 Thread Michael Paquier
On Thu, Apr 18, 2024 at 12:53:43PM +0200, Peter Eisentraut wrote: > If everything is addressed, I agree that 0001, 0003, and 0004 can go into > PG17, the rest later. About the PG17 bits, would you agree about a backpatch? Or perhaps you disagree? -- Michael

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-18 Thread Daniel Gustafsson
> On 18 Apr 2024, at 12:53, Peter Eisentraut wrote: > Review of the latest batch: Thanks for reviewing! > 8 v9-0002-Remove-support-for-OpenSSL-1.0.2.patch > > Ok, but maybe make the punctuation consistent here: Fixed. > * v9-0004-Support-SSL_R_VERSION_TOO_LOW-on-LibreSSL.patch > > Seems ok,

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-18 Thread Peter Eisentraut
On 16.04.24 10:17, Daniel Gustafsson wrote: I forgot (and didn't check) that we backpatched 01e6f1a842f4, with that in mind I agree that we should backpatch 0003 as well to put LibreSSL on par as much as we can. 0004 is a fix for the LibreSSL support, not adding anything new, so pushing that to

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-16 Thread Daniel Gustafsson
> On 16 Apr 2024, at 01:03, Michael Paquier wrote: > > On Mon, Apr 15, 2024 at 11:07:05AM +0200, Daniel Gustafsson wrote: >> On 15 Apr 2024, at 07:04, Michael Paquier wrote: >>> On Fri, Apr 12, 2024 at 02:42:57PM +0200, Daniel Gustafsson wrote: Is the attached split in line with how you w

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-15 Thread Michael Paquier
On Mon, Apr 15, 2024 at 11:07:05AM +0200, Daniel Gustafsson wrote: > On 15 Apr 2024, at 07:04, Michael Paquier wrote: >> On Fri, Apr 12, 2024 at 02:42:57PM +0200, Daniel Gustafsson wrote: >>> Is the attached split in line with how you were thinking about it? >> >> If I may, 0001 looks sensible he

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-15 Thread Daniel Gustafsson
> On 15 Apr 2024, at 07:04, Michael Paquier wrote: > On Fri, Apr 12, 2024 at 02:42:57PM +0200, Daniel Gustafsson wrote: >> Is the attached split in line with how you were thinking about it? > > If I may, 0001 looks sensible here. The bits from 0003 and 0004 could > be applied before 0002, as we

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-14 Thread Michael Paquier
On Fri, Apr 12, 2024 at 02:42:57PM +0200, Daniel Gustafsson wrote: >> On 10 Apr 2024, at 09:31, Peter Eisentraut wrote: >> 2. Move to 1.1.1. I understand this has to do with the fork-safety of >> pg_strong_random(), and it's not an API change but a behavior change. Let's >> make this associatio

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-12 Thread Daniel Gustafsson
> On 10 Apr 2024, at 09:31, Peter Eisentraut wrote: > I think it might be better to separate this into two steps: Fair enough. > 1. Move to 1.1.0. This is an API update. Change OPENSSL_API_COMPAT, and > remove a bunch of code that no longer needs to be conditional. We could > check for a r

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-10 Thread Michael Paquier
On Wed, Apr 10, 2024 at 09:31:16AM +0200, Peter Eisentraut wrote: > I think it might be better to separate this into two steps: > > 1. Move to 1.1.0. This is an API update. Change OPENSSL_API_COMPAT, and > remove a bunch of code that no longer needs to be conditional. We could > check for a rep

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-10 Thread Jacob Champion
On Wed, Apr 10, 2024 at 12:31 AM Peter Eisentraut wrote: > * src/backend/libpq/be-secure-openssl.c > > +#include > > This patch doesn't appear to add anything, so why does it need a new > include? This one was mine -- it was an indirect header dependency that was effectively removed in 1.1.0 and

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-10 Thread Peter Eisentraut
On 06.04.24 19:47, Daniel Gustafsson wrote: In bumping we want to move to 1.1.1 since that's the first version with the rewritten RNG which is fork-safe by design, something PostgreSQL clearly benefits from. I think it might be better to separate this into two steps: 1. Move to 1.1.0. This is

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-07 Thread Daniel Gustafsson
> On 8 Apr 2024, at 00:46, Michael Paquier wrote: > > On Sat, Apr 06, 2024 at 07:47:43PM +0200, Daniel Gustafsson wrote: >> My apologies, I thought I did but clearly failed. My point was that this is >> a >> special/corner case where we try to find one of two different libraries (with >> differ

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-07 Thread Michael Paquier
On Sat, Apr 06, 2024 at 07:47:43PM +0200, Daniel Gustafsson wrote: > My apologies, I thought I did but clearly failed. My point was that this is a > special/corner case where we try to find one of two different libraries (with > different ideas about backwards compatibility etc) for supporting a s

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-06 Thread Daniel Gustafsson
> On 6 Apr 2024, at 16:04, Tom Lane wrote: > Daniel Gustafsson writes: >>> On 6 Apr 2024, at 08:02, Peter Eisentraut wrote: >>> Why do we need to check for the versions at all? We should just check for >>> the functions we need. At least that's always been the normal approach in >>> configu

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-06 Thread Tom Lane
Daniel Gustafsson writes: >> On 6 Apr 2024, at 08:02, Peter Eisentraut wrote: >> Why do we need to check for the versions at all? We should just check for >> the functions we need. At least that's always been the normal approach in >> configure. > We could, but finding a stable set of functi

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-06 Thread Daniel Gustafsson
> On 6 Apr 2024, at 08:02, Peter Eisentraut wrote: > > On 05.04.24 23:48, Daniel Gustafsson wrote: >> The reason to expand the check is to ensure that we have the version we want >> for both OpenSSL and LibreSSL, and deprecating OpenSSL versions isn't all >> that >> commonly done so having to ch

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-05 Thread Peter Eisentraut
On 05.04.24 23:48, Daniel Gustafsson wrote: The reason to expand the check is to ensure that we have the version we want for both OpenSSL and LibreSSL, and deprecating OpenSSL versions isn't all that commonly done so having to change the version in the check didn't seem that invasive to me. Why

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-05 Thread Jacob Champion
On Fri, Apr 5, 2024 at 3:32 PM Daniel Gustafsson wrote: > > An autoreconf run on my machine pulls in more changes (getting rid of > > the symbols we no longer check for). > > Ah yes, missed updating before formatting the patch. Done in the attached. The commit subject may still need to be reverte

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-05 Thread Daniel Gustafsson
> On 5 Apr 2024, at 22:55, Jacob Champion > wrote: > > On Fri, Apr 5, 2024 at 9:59 AM Daniel Gustafsson wrote: >> Attached is a WIP patch to get more eyes on it, the Meson test for 1.1.1 >> fails >> on Windows in CI which I will investigate next. The attached version fixes the Windows 1.1.1 c

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-05 Thread Jacob Champion
On Fri, Apr 5, 2024 at 2:48 PM Daniel Gustafsson wrote: > But does that actually work? If I change the API_COMPAT to the 1.1.1 version > number and run configure against 1.0.2 it passes just fine. Am I missing some > clever trick here? Similarly, I changed my API_COMPAT to a nonsense 0x9010

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-05 Thread Daniel Gustafsson
> On 5 Apr 2024, at 23:26, Peter Eisentraut wrote: > > On 05.04.24 18:59, Daniel Gustafsson wrote: >> Attached is a WIP patch to get more eyes on it, the Meson test for 1.1.1 >> fails >> on Windows in CI which I will investigate next. > > I'm not a fan of the new PGAC_CHECK_OPENSSL. It creates

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-05 Thread Peter Eisentraut
On 05.04.24 18:59, Daniel Gustafsson wrote: Attached is a WIP patch to get more eyes on it, the Meson test for 1.1.1 fails on Windows in CI which I will investigate next. I'm not a fan of the new PGAC_CHECK_OPENSSL. It creates a second place where the OpenSSL version number has to be updated.

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-05 Thread Jacob Champion
On Fri, Apr 5, 2024 at 9:59 AM Daniel Gustafsson wrote: > Attached is a WIP patch to get more eyes on it, the Meson test for 1.1.1 fails > on Windows in CI which I will investigate next. The changes for SSL_OP_NO_CLIENT_RENEGOTIATION and SSL_R_VERSION_TOO_LOW look good to me. > -Remove s

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-05 Thread Daniel Gustafsson
> On 5 Apr 2024, at 18:41, Jacob Champion > wrote: > On Thu, Apr 4, 2024 at 6:37 PM Michael Paquier wrote: >> I would be OK to draw a line to what we test in the buildfarm if it >> comes to that, down to OpenBSD 6.9. > > That would correspond to LibreSSL 3.3 if I'm not mistaken. Any > particul

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-05 Thread Daniel Gustafsson
> On 5 Apr 2024, at 03:37, Michael Paquier wrote: > On Thu, Apr 04, 2024 at 11:03:35AM -0700, Jacob Champion wrote: >> v3 does that by putting back checks for symbols that aren't part of >> LibreSSL (tested back to 2.7, which is where the 1.1.x APIs started to >> arrive). > > From where did you

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-05 Thread Jacob Champion
On Thu, Apr 4, 2024 at 6:37 PM Michael Paquier wrote: > From where did you pull the LibreSSL sources? Directly from the > OpenBSD tree? I've been building LibreSSL Portable: https://github.com/libressl/portable > Ah, right. OpenSSL_add_all_algorithms() is documented as having no > effect in 1.

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-04 Thread Mikael Kjellström
On 2024-04-05 03:37, Michael Paquier wrote: (Adding Mikael Kjellstrom in CC as OpenBSD owner) My 2 OpenBSD animals (morepork OpenBSD 6.9, schnauzer

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-04 Thread Michael Paquier
(Adding Mikael Kjellstrom in CC as OpenBSD owner) On Thu, Apr 04, 2024 at 11:03:35AM -0700, Jacob Champion wrote: > v3 does that by putting back checks for symbols that aren't part of > LibreSSL (tested back to 2.7, which is where the 1.1.x APIs started to > arrive). From where did you pull the L

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-04 Thread Jacob Champion
On Wed, Apr 3, 2024 at 3:27 PM Daniel Gustafsson wrote: > The patch will also need to be adjusted to work with LibreSSL, but I know > Jacob > was looking into that so ideally we should have something to review before > the weekend. v3 does that by putting back checks for symbols that aren't part

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-04 Thread Daniel Gustafsson
> On 4 Apr 2024, at 01:50, Thomas Munro wrote: > That's a shame. But it sounds like the developer burden isn't so > different from 1.1.1 to 3.x, so maybe it's not such a big deal from > our point of view. It isn't as of now since OpenSSL still supplies the deprecated APIs we use, but there is no

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-04 Thread Daniel Gustafsson
> On 4 Apr 2024, at 01:24, Michael Paquier wrote: > > On Wed, Apr 03, 2024 at 01:38:50PM -0400, Tom Lane wrote: >> The discussion we had last year concluded that we were OK with >> dropping 1.0.1 support when RHEL6 goes out of extended support >> (June 2024 per this thread, I didn't check it). S

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-03 Thread Daniel Gustafsson
> On 4 Apr 2024, at 00:51, Peter Eisentraut wrote: > > On 30.03.24 22:27, Thomas Munro wrote: >> On Sun, Mar 31, 2024 at 9:59 AM Tom Lane wrote: >>> Thomas Munro writes: I was reminded of this thread by ambient security paranoia. As it stands, we require 1.0.2 (but we very much hope

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-03 Thread Thomas Munro
On Thu, Apr 4, 2024 at 11:51 AM Peter Eisentraut wrote: > On 30.03.24 22:27, Thomas Munro wrote: > > Hmm, OK so it doesn't have 3 available in parallel from base repos. > > But it's also about to reach end of "full support" in 2 months[1], so > > if we applied the policies we discussed in the LLVM

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-03 Thread Michael Paquier
On Wed, Apr 03, 2024 at 01:38:50PM -0400, Tom Lane wrote: > The discussion we had last year concluded that we were OK with > dropping 1.0.1 support when RHEL6 goes out of extended support > (June 2024 per this thread, I didn't check it). Seems like we > should have the same policy for RHEL7. Also

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-03 Thread Peter Eisentraut
On 30.03.24 22:27, Thomas Munro wrote: On Sun, Mar 31, 2024 at 9:59 AM Tom Lane wrote: Thomas Munro writes: I was reminded of this thread by ambient security paranoia. As it stands, we require 1.0.2 (but we very much hope that package maintainers and others in control of builds don't decide

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-03 Thread Daniel Gustafsson
> On 4 Apr 2024, at 00:06, Tom Lane wrote: > > Daniel Gustafsson writes: >> On 3 Apr 2024, at 19:38, Tom Lane wrote: >>> Bottom line for me is that pulling 1.0.1 support now is OK, >>> but I think pulling 1.0.2 is premature. > >> Is Red Hat building and shipping v17 packages for RHEL7 ELS

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-03 Thread Daniel Gustafsson
> On 3 Apr 2024, at 21:48, Andrew Dunstan wrote: > On 2024-04-03 We 15:12, Daniel Gustafsson wrote: >> The >> fact that very few animals run the ssl tests is a pet peeve of mine, it would >> be nice if we could get broader coverage there. > > Well, the only reason for that is that the SSL tests

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-03 Thread Tom Lane
Daniel Gustafsson writes: > On 3 Apr 2024, at 19:38, Tom Lane wrote: >> Bottom line for me is that pulling 1.0.1 support now is OK, >> but I think pulling 1.0.2 is premature. > Is Red Hat building and shipping v17 packages for RHEL7 ELS customers? If > not then it seems mostly academical to

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-03 Thread Andrew Dunstan
On 2024-04-03 We 15:12, Daniel Gustafsson wrote: The fact that very few animals run the ssl tests is a pet peeve of mine, it would be nice if we could get broader coverage there. Well, the only reason for that is that the SSL tests need to be listed in PG_TEST_EXTRA, and the only reason for

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-03 Thread Daniel Gustafsson
> On 3 Apr 2024, at 17:29, Tom Lane wrote: > > Jacob Champion writes: >> As far as I can tell, no versions of LibreSSL so far provide >> X509_get_signature_info(), so this patch is probably a bit too >> aggressive. > > Another problem with cutting support is how many buildfarm members > will we

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-03 Thread Daniel Gustafsson
> On 3 Apr 2024, at 19:38, Tom Lane wrote: > > Jacob Champion writes: >> The RHEL7-alikes are the biggest set, but that's already discussed >> above. Looks like SUSE 12 goes EOL later this year (October 2024), and >> it ships OpenSSL 1.1.1 as an option. Already-dead distros are Ubuntu >> 16.04 (

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-03 Thread Jacob Champion
On Wed, Apr 3, 2024 at 11:13 AM Tom Lane wrote: > wikipedia says that RHEL7 ends ELS as of June 2026 [1]. I may have misunderstood something in here then: https://www.redhat.com/en/blog/announcing-4-years-extended-life-cycle-support-els-red-hat-enterprise-linux-7 > ELS for RHEL 7 is now av

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-03 Thread Tom Lane
Jacob Champion writes: > On Wed, Apr 3, 2024 at 10:38 AM Tom Lane wrote: >> Bottom line for me is that pulling 1.0.1 support now is OK, >> but I think pulling 1.0.2 is premature. > Okay, but IIUC, waiting for it to drop out of extended support means > we deal with it for four more years. That se

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-03 Thread Jacob Champion
On Wed, Apr 3, 2024 at 10:38 AM Tom Lane wrote: > Also, calling Photon 3 > dead because it went EOL three days ago seems over-hasty. Well, March 1, but either way I thought "dead" for the purposes of this thread meant "you can't build the very latest version of Postgres on it", not "we've forgott

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-03 Thread Tom Lane
Jacob Champion writes: > The RHEL7-alikes are the biggest set, but that's already discussed > above. Looks like SUSE 12 goes EOL later this year (October 2024), and > it ships OpenSSL 1.1.1 as an option. Already-dead distros are Ubuntu > 16.04 (April 2021), Photon 2 (January 2023), and Photon 3 (M

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-03 Thread Jacob Champion
On Wed, Apr 3, 2024 at 8:29 AM Tom Lane wrote: > I count 3 machines running 1.0.1, 18 running some flavor > of 1.0.2, and 7 running various LibreSSL versions. I don't know all the tradeoffs with buildfarm wrangling, but IMO all those 1.0.2 installations are the most problematic, so I dug in a bit

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-03 Thread Tom Lane
Jacob Champion writes: > As far as I can tell, no versions of LibreSSL so far provide > X509_get_signature_info(), so this patch is probably a bit too > aggressive. Another problem with cutting support is how many buildfarm members will we lose. I scraped recent configure logs and got the attach

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-03 Thread Jacob Champion
On Tue, Apr 2, 2024 at 11:55 AM Daniel Gustafsson wrote: > The attached removes 1.0.2 support (meson build parts untested yet) with a few > small touch ups of related documentation. I haven't yet done the research on > where that leaves LibreSSL since we don't really define anywhere what we > sup

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-02 Thread Daniel Gustafsson
> On 2 Apr 2024, at 20:55, Daniel Gustafsson wrote: > The attached removes 1.0.2 support (meson build parts untested yet) And a rebased version which applies over the hmac_openssl.c changes earlier today that I hadn't pulled in. -- Daniel Gustafsson v2-0001-Remove-support-for-OpenSSL-1.0.2-a

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-04-02 Thread Daniel Gustafsson
> On 30 Mar 2024, at 22:27, Thomas Munro wrote: > On Sun, Mar 31, 2024 at 9:59 AM Tom Lane wrote: Thanks a lot for bringing this up again Thomas, 1.0.2 has bitten me so many times and I'd be thrilled to get rid of it. >> I think it's probably true that <=1.0.2 is not in any distro that >> we st

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-03-30 Thread Thomas Munro
On Sun, Mar 31, 2024 at 9:59 AM Tom Lane wrote: > Thomas Munro writes: > > I was reminded of this thread by ambient security paranoia. As it > > stands, we require 1.0.2 (but we very much hope that package > > maintainers and others in control of builds don't decide to use it). > > Should we ski

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-03-30 Thread Tom Lane
Thomas Munro writes: > I was reminded of this thread by ambient security paranoia. As it > stands, we require 1.0.2 (but we very much hope that package > maintainers and others in control of builds don't decide to use it). > Should we skip 1.1.1 and move to requiring 3 for v17? I'd be kind of sa

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2024-03-30 Thread Thomas Munro
On Thu, Sep 7, 2023 at 11:44 PM Daniel Gustafsson wrote: > > On 7 Sep 2023, at 13:30, Thomas Munro wrote: > > I don't like the idea that our *next* release's library version > > horizon is controlled by Red Hat's "ELS" phase. > > Agreed. If we instead fence it by "only non-EOL version" then 1.1.

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2023-09-07 Thread Thomas Munro
On Fri, Sep 8, 2023 at 11:48 AM Michael Paquier wrote: > On Thu, Sep 07, 2023 at 01:44:11PM +0200, Daniel Gustafsson wrote: > > Sadly I wouldn't be the least bit surprised if there are 1.0.2 users on > > modern > > operating systems, especially given its LTS status (which OpenSSL hasn't > > even

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2023-09-07 Thread Michael Paquier
On Thu, Sep 07, 2023 at 01:44:11PM +0200, Daniel Gustafsson wrote: > Sadly I wouldn't be the least bit surprised if there are 1.0.2 users on modern > operating systems, especially given its LTS status (which OpenSSL hasn't even > capped but sells by "for as long as it remains commercially viable to

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2023-09-07 Thread Daniel Gustafsson
> On 7 Sep 2023, at 13:30, Thomas Munro wrote: > I don't like the idea that our *next* release's library version > horizon is controlled by Red Hat's "ELS" phase. Agreed. If we instead fence it by "only non-EOL version" then 1.1.1 is also on the chopping block for v17 as it goes EOL in 4 days f

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2023-09-07 Thread Thomas Munro
On Wed, May 24, 2023 at 11:03 PM Daniel Gustafsson wrote: > > On 24 May 2023, at 11:52, Michael Paquier wrote: > > On Wed, May 24, 2023 at 11:36:56AM +0200, Daniel Gustafsson wrote: > >> 1.0.2 is also an LTS version available commercially for premium support > >> customers of OpenSSL (1.1.1 will

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2023-07-03 Thread Michael Paquier
On Tue, Jul 04, 2023 at 02:15:18PM +0800, Julien Rouhaud wrote: > Thanks, I actually saw that and already took care of removing openssl support > a > couple of hours ago, and also added a new note on the animal to remember when > it was removed. It should come back to green at the next scheduled

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2023-07-03 Thread Julien Rouhaud
Hi, On Tue, Jul 04, 2023 at 03:03:01PM +0900, Michael Paquier wrote: > On Tue, Jul 04, 2023 at 07:16:47AM +0900, Michael Paquier wrote: > > The second and third animals to fail are skate and snapper, both using > > Debian 7 Wheezy. As far as I know, it was an LTS supported until > > 2018. The ow

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2023-07-03 Thread Michael Paquier
On Tue, Jul 04, 2023 at 07:16:47AM +0900, Michael Paquier wrote: > The second and third animals to fail are skate and snapper, both using > Debian 7 Wheezy. As far as I know, it was an LTS supported until > 2018. The owner of both machines is added in CC. I guess that we > this stuff could just

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2023-07-03 Thread Michael Paquier
On Tue, Jul 04, 2023 at 06:40:49AM +1200, Thomas Munro wrote: > curculio (OpenBSD 5.9) is failing with "undefined reference to > `X509_get_signature_nid'", but that's OK, Mikael already supplied a > modern OpenBSD system to replace it (schnauzer, which is green) and he > was planning to shut curcul

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2023-07-03 Thread Michael Paquier
On Mon, Jul 03, 2023 at 10:23:02PM +0200, Mikael Kjellström wrote: > On 2023-07-03 20:53, Daniel Gustafsson wrote: >>> curculio (OpenBSD 5.9) is failing with "undefined reference to >>> `X509_get_signature_nid'", but that's OK, Mikael already supplied a >>> modern OpenBSD system to replace it >> >

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2023-07-03 Thread Mikael Kjellström
On 2023-07-03 20:53, Daniel Gustafsson wrote: curculio (OpenBSD 5.9) is failing with "undefined reference to `X509_get_signature_nid'", but that's OK, Mikael already supplied a modern OpenBSD system to replace it Thanks for the report! OpenBSD 5.9 was released in 2016 and is thus well over

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2023-07-03 Thread Daniel Gustafsson
> On 3 Jul 2023, at 20:40, Thomas Munro wrote: > > On Mon, Jul 3, 2023 at 4:26 PM Michael Paquier wrote: >> I have not gone back to this part yet, though I plan to do so. As we >> are at the beginning of the development cycle, I have applied the >> patch to remove support for 1.0.1 for now on H

Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

2023-07-03 Thread Thomas Munro
On Mon, Jul 3, 2023 at 4:26 PM Michael Paquier wrote: > I have not gone back to this part yet, though I plan to do so. As we > are at the beginning of the development cycle, I have applied the > patch to remove support for 1.0.1 for now on HEAD. Let's see what the > buildfarm tells. curculio (O
