PostgreSQL12 and older versions of OpenSSL

From Victor Wagner
Subject PostgreSQL12 and older versions of OpenSSL
Date
Msg-id 20190924101859.09383b4f@fafnir.local.vm
Responses Re: PostgreSQL12 and older versions of OpenSSL  (Michael Paquier <michael@paquier.xyz>)
Re: PostgreSQL12 and older versions of OpenSSL  (Alvaro Herrera <alvherre@2ndquadrant.com>)
Re: PostgreSQL12 and older versions of OpenSSL  (Peter Eisentraut <peter.eisentraut@2ndquadrant.com>)
List pgsql-hackers
Dear hackers,

PostgreSQL 12 documentation states that the minimum required version of
OpenSSL is 0.9.8. However, I was unable to compile current
PGPRO_12_STABLE with OpenSSL 0.9.8j (from SLES 11sp4).


-fno-strict-aliasing -fwrapv -g -O2 -I../../../src/include  -D_GNU_SOURCE -I/usr/include/libxml2   -c -o be-secure-openssl.o be-secure-openssl.c
be-secure-openssl.c: In function ‘SSL_CTX_set_min_proto_version’:
be-secure-openssl.c:1340: error: ‘SSL_OP_NO_TLSv1_1’ undeclared (first use in this function)
be-secure-openssl.c:1340: error: (Each undeclared identifier is reported only once
be-secure-openssl.c:1340: error: for each function it appears in.)
be-secure-openssl.c:1344: error: ‘SSL_OP_NO_TLSv1_2’ undeclared (first use in this function)
be-secure-openssl.c: In function ‘SSL_CTX_set_max_proto_version’:
be-secure-openssl.c:1361: error: ‘SSL_OP_NO_TLSv1_1’ undeclared (first use in this function)
be-secure-openssl.c:1365: error: ‘SSL_OP_NO_TLSv1_2’ undeclared (first use in this function)
make: *** [be-secure-openssl.o] Error 1


Problem is that some code in src/backend/libpq/be-secure-openssl.c
assumes that if preprocessor symbols TLS1_1_VERSION and TLS1_2_VERSION
are defined in the openssl headers, corresponding versions of TLS are
supported by the library.

It is not so. Here is an excerpt from the tls1.h header file of OpenSSL
0.9.8j:

#define TLS1_VERSION                    0x0301
#define TLS1_1_VERSION                  0x0302
#define TLS1_2_VERSION                  0x0303
/* TLS 1.1 and 1.2 are not supported by this version of OpenSSL, so
 * TLS_MAX_VERSION indicates TLS 1.0 regardless of the above
 * definitions. (s23_clnt.c and s23_srvr.c have an OPENSSL_assert()
 * check that would catch the error if TLS_MAX_VERSION was too low.)
 */
#define TLS_MAX_VERSION                 TLS1_VERSION

Replacing all

#ifdef TLS1_1_VERSION

with

#if defined(TLS1_1_VERSION) && TLS1_1_VERSION <= TLS_MAX_VERSION

and the analogue for TLS1_2_VERSION fixes the problem.

Really, the problem is that the symbol SSL_OP_NO_TLSv1_1 (and 1_2 accordingly)
might be undefined even if TLS1_1_VERSION is defined.

Replacing

#ifdef TLS1_1_VERSION

with

#ifdef SSL_OP_NO_TLSv1_1

seems to be the correct solution for two of the three #ifdef TLS1_1_VERSION
statements in be-secure-openssl.c, because this symbol is used inside the
#ifdef block.

But there is a third one (the first from the start of the file).
...
                case PG_TLS1_1_VERSION:
#ifdef TLS1_1_VERSION
                        return TLS1_1_VERSION;
#else
                        break;
#endif
...
(line 1290). In this case a check for TLS1_1_VERSION <= TLS_MAX_VERSION
seems to be more self-explanatory than a check for the somewhat unrelated
symbol SSL_OP_NO_TLSv1_1.


--
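The version-mapping case discussed in the message, as an added, compilable illustration that is not part of the original post or of PostgreSQL's source: the OpenSSL macros are constructed stand-ins modelled on the quoted tls1.h excerpt, and the PG_TLS* enum values and the function name are hypothetical.

```c
#include <stdio.h>

/* Constructed stand-in for what a 0.9.8j-style tls1.h exposes: the TLS 1.1
 * and 1.2 version numbers are defined, yet TLS_MAX_VERSION says the library
 * only speaks TLS 1.0. Build with -DTLS_MAX_VERSION=0x0303 to emulate a
 * library that really supports 1.1 and 1.2. */
#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
#ifndef TLS_MAX_VERSION
#define TLS_MAX_VERSION TLS1_VERSION
#endif

/* Hypothetical PostgreSQL-side protocol identifiers. */
enum { PG_TLS_ANY = 0, PG_TLS1_VERSION, PG_TLS1_1_VERSION, PG_TLS1_2_VERSION };

/* Map a PostgreSQL protocol version to OpenSSL's constant, or -1 when the
 * linked library cannot negotiate it. Comparing against TLS_MAX_VERSION is
 * the fix proposed above; a bare #ifdef TLS1_1_VERSION would hand 0x0302 to
 * a library that only implements TLS 1.0. */
int pg_to_openssl_version(int v)
{
    switch (v)
    {
        case PG_TLS_ANY:
            return 0;
        case PG_TLS1_VERSION:
            return TLS1_VERSION;
        case PG_TLS1_1_VERSION:
#if defined(TLS1_1_VERSION) && TLS1_1_VERSION <= TLS_MAX_VERSION
            return TLS1_1_VERSION;
#else
            break;              /* header defines it, library lacks it */
#endif
        case PG_TLS1_2_VERSION:
#if defined(TLS1_2_VERSION) && TLS1_2_VERSION <= TLS_MAX_VERSION
            return TLS1_2_VERSION;
#else
            break;
#endif
    }
    return -1;                  /* caller should reject the setting */
}

int main(void)
{
    printf("TLS 1.0 -> %d\n", pg_to_openssl_version(PG_TLS1_VERSION));
    printf("TLS 1.1 -> %d\n", pg_to_openssl_version(PG_TLS1_1_VERSION));
    printf("TLS 1.2 -> %d\n", pg_to_openssl_version(PG_TLS1_2_VERSION));
    return 0;
}
```

With the default macros the last two lines print -1; rebuilding with -DTLS_MAX_VERSION=0x0303 makes them print 770 and 771 (0x0302 and 0x0303).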



