Peter Eisentraut <peter.eisentraut@enterprisedb.com> writes:
> Continuing this, we have fixed many issues since. Here is a patch set
> to fix all remaining issues.
On the way to testing this, I discovered that we have a usability
regression with recent OpenSSL releases. The Fedora 35 installation
I used to use for testing FIPS-mode behavior would produce errors like
select md5('') = 'd41d8cd98f00b204e9800998ecf8427e' AS "TRUE";
- TRUE
-------
- t
-(1 row)
-
+ERROR: could not compute MD5 hash: disabled for FIPS
In the shiny new Fedora 38 installation I just set up for the
same purpose, I'm seeing
select md5('') = 'd41d8cd98f00b204e9800998ecf8427e' AS "TRUE";
- TRUE
-------
- t
-(1 row)
-
+ERROR: could not compute MD5 hash: unsupported
This is less user-friendly; moreover it indicates that we're
going to get different output depending on the vintage of
OpenSSL we're testing against, which is going to be a pain for
expected-file maintenance.
I think we need to make an effort to restore the old output
if possible, although I grant that this may be mostly a whim
of OpenSSL's that we can't do much about.
The F35 installation has openssl 1.1.1q, where F38 has
openssl 3.0.9.
regards, tom lane