Re: BUG #19335: the function encrypt does not work correct - ERROR: encrypt error: Key was too big
| От | Tom Lane |
|---|---|
| Тема | Re: BUG #19335: the function encrypt does not work correct - ERROR: encrypt error: Key was too big |
| Дата | |
| Msg-id | 505781.1764354561@sss.pgh.pa.us обсуждение исходный текст |
| Ответ на | Re: BUG #19335: the function encrypt does not work correct - ERROR: encrypt error: Key was too big (Daniel Gustafsson <daniel@yesql.se>) |
| Ответы |
Re: BUG #19335: the function encrypt does not work correct - ERROR: encrypt error: Key was too big
|
| Список | pgsql-bugs |
Daniel Gustafsson <daniel@yesql.se> writes:
> On 28 Nov 2025, at 11:38, <Marco.Lebahn@kfw.de> <Marco.Lebahn@kfw.de> wrote:
>> It seems that < 16.11 does and not check if I use "bf" from legacy provider
> OpenSSL doesn't support blowfish without the legacy provider loaded. Your
> 16.10 is most likely linked against another version of OpenSSL, or at least
> using another OpenSSL configuration/openssldir.
It seems quite odd that this changed at a minor PG version update.
I wonder if there was an upgrade of the underlying platform at the
same time, or if the new version was built by a different packager.
I confirmed on a fresh Fedora installation (with OpenSSL 3.2.6)
that it works as Daniel described. Blowfish and other old ciphers
don't work with the out-of-the-box OpenSSL configuration, but if
you edit `openssl info -configdir`/openssl.cnf and uncomment the
lines that enable the legacy provider, it will work. (I found
I had to restart the PG server, too --- apparently we only absorb
that configuration at postmaster start. Didn't think to try
"pg_ctl reload"; perhaps that would have been enough.)
Of course the real bottom line here is you should be migrating
away from use of these ciphers. There's a reason they are
deprecated and intentionally made hard-to-reach.
regards, tom lane
В списке pgsql-bugs по дате отправления: