On Sun, Sep 11, 2022 at 6:55 AM Sebastien Flaesch
<sebastien.flaesch@4js.com> wrote:
>
> The PostgreSQL doc says that if the application code is initializing OpenSSL, it should tell PostgreSQL libpq client
librarythat OpenSSL initialization is already done:
>
> https://www.postgresql.org/docs/14/libpq-ssl.html#LIBPQ-SSL-INITIALIZE
>
> I was wondering if this is still true with OpenSSL 1.1.0+
>
> The APIs to initialize OpenSSL are OPENSSL_init_ssl() or OPENSSL_init_crypto().
>
> According to the OpenSSL doc, version 1.1.0 initializes itself automatically when calling other APIs ...
>
> https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_init_ssl.html
>
> As of version 1.1.0 OpenSSL will automatically allocate all resources that it needs so no explicit initialisation is
required.Similarly it will also automatically deinitialise as required.
>
> So, is a call to PQinitOpenSSL(0, 0) still needed?
>
> I did some test with our application, and I could establish a TLS/SSL connection using server and client
certificates.
>
> What can go wrong in fact?
>
> Can someone give me a hint, so I can prove that we really need to call PQinitOpenSSL(0,0)?
>
> Note: Our application is for now single-threaded.
>
> OpenSSL doc also states:
>
> However, there may be situations when explicit initialisation is desirable or needed, for example when some
nondefaultinitialisation is required.
>
> If our application would requires nondefault initialization, I assume that PostgreSQL openssl usage will implicitly
inheritthe OpenSSL seetings of our application, right?
>
> Can this be an issue for PostgreSQL, or can both just share the same OpenSSL settings/config?
For the OpenSSL side of things, then see
https://wiki.openssl.org/index.php/Library_Initialization .
Jeff