Discussion: pgsql: Fix compilation on OpenSSL 1.0.2 and LibreSSL
Fix compilation on OpenSSL 1.0.2 and LibreSSL

SSL_AD_NO_APPLICATION_PROTOCOL was introduced in OpenSSL 1.1.0. While
we're at it, add a link to the related OpenSSL github issue to the
comment.

Per buildfarm and Tom Lane.

Discussion: https://www.postgresql.org/message-id/1452995.1714433552@sss.pgh.pa.us

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/5bcbe9813bf91bcf14ef3a580162f1600dd3d1d4

Modified Files
--------------
src/interfaces/libpq/fe-secure-openssl.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
> On 30 Apr 2024, at 07:26, Heikki Linnakangas <heikki.linnakangas@iki.fi> wrote:

> Fix compilation on OpenSSL 1.0.2 and LibreSSL
>
> SSL_AD_NO_APPLICATION_PROTOCOL was introduced in OpenSSL 1.1.0.

+ * https://github.com/openssl/openssl/issues/24300. This is available in
+ * OpenSSL 1.1.0 and later, but as of this writing not in LibreSSL.

I'm a bit confused, as far as I can tell this has been in LibreSSL since the
OpenBSD 6.9 release.

https://github.com/openbsd/src/blob/master/lib/libssl/ssl_tlsext.c#L130

Or am I missing something?

--
Daniel Gustafsson
On 02/05/2024 12:09, Daniel Gustafsson wrote:
>> On 30 Apr 2024, at 07:26, Heikki Linnakangas <heikki.linnakangas@iki.fi> wrote:
>
>> Fix compilation on OpenSSL 1.0.2 and LibreSSL
>>
>> SSL_AD_NO_APPLICATION_PROTOCOL was introduced in OpenSSL 1.1.0.
>
> + * https://github.com/openssl/openssl/issues/24300. This is available in
> + * OpenSSL 1.1.0 and later, but as of this writing not in LibreSSL.
>
> I'm a bit confused, as far as I can tell this has been in LibreSSL since the
> OpenBSD 6.9 release.
>
> https://github.com/openbsd/src/blob/master/lib/libssl/ssl_tlsext.c#L130
>
> Or am I missing something?

Hmm, I'm not sure how exactly LibreSSL is versioned. But morepork runs OpenBSD 6.9, and it was one of the failing buildfarm members: https://buildfarm.postgresql.org/cgi-bin/show_log.pl?nm=morepork&dt=2024-04-30%2004%3A30%3A28. And I don't see the symbol in a fresh checkout of the portable libressl repository at https://github.com/libressl/portable.

--
Heikki Linnakangas
Neon (https://neon.tech)
> On 2 May 2024, at 11:30, Heikki Linnakangas <hlinnaka@iki.fi> wrote:
>
> On 02/05/2024 12:09, Daniel Gustafsson wrote:
>>> On 30 Apr 2024, at 07:26, Heikki Linnakangas <heikki.linnakangas@iki.fi> wrote:
>>> Fix compilation on OpenSSL 1.0.2 and LibreSSL
>>>
>>> SSL_AD_NO_APPLICATION_PROTOCOL was introduced in OpenSSL 1.1.0.
>> + * https://github.com/openssl/openssl/issues/24300. This is available in
>> + * OpenSSL 1.1.0 and later, but as of this writing not in LibreSSL.
>> I'm a bit confused, as far as I can tell this has been in LibreSSL since the
>> OpenBSD 6.9 release.
>> https://github.com/openbsd/src/blob/master/lib/libssl/ssl_tlsext.c#L130
>> Or am I missing something?
>
> Hmm, I'm not sure how exactly LibreSSL is versioned. But morepork runs OpenBSD 6.9, and it was one of the failing buildfarm members: https://buildfarm.postgresql.org/cgi-bin/show_log.pl?nm=morepork&dt=2024-04-30%2004%3A30%3A28.

Turns out I fat-fingered my grep, it's available starting with OpenBSD 7.0 so
the morepork failure makes sense.

> And I don't see the symbol in a fresh checkout of the portable libressl repository at https://github.com/libressl/portable.

The portable repo only contains the portable parts, did you pull the libssl
code with ./autogen? If so you should be able to see it, like below:

:~/dev/tls/libressl $ git clone git@github.com:libressl/portable.git
:~/dev/tls/libressl $ cd portable/
:~/dev/tls/libressl/portable (master) $ git checkout OPENBSD_7_0
branch 'OPENBSD_7_0' set up to track 'origin/OPENBSD_7_0'.
Switched to a new branch 'OPENBSD_7_0'
:~/dev/tls/libressl/portable (OPENBSD_7_0) $ ./autogen.sh
...
:~/dev/tls/libressl/portable (OPENBSD_7_0) $ cd openbsd/
:~/dev/tls/libressl/portable/openbsd (OPENBSD_7_0) $ git grep SSL_AD_NO_APPLICATION_PROTOCOL
src/lib/libssl/ssl.h:#define SSL_AD_NO_APPLICATION_PROTOCOL 120
src/lib/libssl/ssl_tlsext.c: *alert = SSL_AD_NO_APPLICATION_PROTOCOL;

This makes targeting 7.0 as the lowest LibreSSL version appealing in my
patchset for removing support for old OpenSSL and LibreSSL versions.

--
Daniel Gustafsson
On 02/05/2024 13:24, Daniel Gustafsson wrote:
>> On 2 May 2024, at 11:30, Heikki Linnakangas <hlinnaka@iki.fi> wrote:
>> And I don't see the symbol in a fresh checkout of the portable libressl repository at https://github.com/libressl/portable.
>
> The portable repo only contains the portable parts, did you pull the libssl
> code with ./autogen?

Ah, ok, I did not.

> If so you should be able to see it, like below:
>
> :~/dev/tls/libressl $ git clone git@github.com:libressl/portable.git
> :~/dev/tls/libressl $ cd portable/
> :~/dev/tls/libressl/portable (master) $ git checkout OPENBSD_7_0
> branch 'OPENBSD_7_0' set up to track 'origin/OPENBSD_7_0'.
> Switched to a new branch 'OPENBSD_7_0'
> :~/dev/tls/libressl/portable (OPENBSD_7_0) $ ./autogen.sh
> ...
> :~/dev/tls/libressl/portable (OPENBSD_7_0) $ cd openbsd/
> :~/dev/tls/libressl/portable/openbsd (OPENBSD_7_0) $ git grep SSL_AD_NO_APPLICATION_PROTOCOL
> src/lib/libssl/ssl.h:#define SSL_AD_NO_APPLICATION_PROTOCOL 120
> src/lib/libssl/ssl_tlsext.c: *alert = SSL_AD_NO_APPLICATION_PROTOCOL;
>
> This makes targeting 7.0 as the lowest LibreSSL version appealing in my
> patchset for removing support for old OpenSSL and LibreSSL versions.

Works for me. Although there's little harm in keeping the "#ifdef SSL_AD_NO_APPLICATION_PROTOCOL" either, if that's the only thing missing from 6.9.

--
Heikki Linnakangas
Neon (https://neon.tech)
> On 2 May 2024, at 12:30, Heikki Linnakangas <hlinnaka@iki.fi> wrote:
> On 02/05/2024 13:24, Daniel Gustafsson wrote:

>> This makes targeting 7.0 as the lowest LibreSSL version appealing in my
>> patchset for removing support for old OpenSSL and LibreSSL versions.
>
> Works for me. Although there's little harm in keeping the "#ifdef SSL_AD_NO_APPLICATION_PROTOCOL" either, if that's the only thing missing from 6.9.

In the meantime I'll apply the below to keep the comment correct and to help
future-me when revisiting SSL library support =)

- * OpenSSL 1.1.0 and later, but as of this writing not in LibreSSL.
+ * OpenSSL 1.1.0 and later, as well as in LibreSSL 3.4.3 (OpenBSD 7.0) and
+ * later.

Any objections to that?

--
Daniel Gustafsson
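Review bot: the "LibreSSL 3.4.3" figure in the first added comment line is not backed by anything shown in this thread; the git grep earlier only establishes that the symbol exists on the OPENBSD_7_0 branch. Either note where the 3.4.3 number comes from or word the comment in terms of OpenBSD 7.0 alone, so the claim can be re-checked when SSL library support is revisited.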
On 03/05/2024 11:44, Daniel Gustafsson wrote:
>> On 2 May 2024, at 12:30, Heikki Linnakangas <hlinnaka@iki.fi> wrote:
>> On 02/05/2024 13:24, Daniel Gustafsson wrote:
>
>>> This makes targeting 7.0 as the lowest LibreSSL version appealing in my
>>> patchset for removing support for old OpenSSL and LibreSSL versions.
>>
>> Works for me. Although there's little harm in keeping the "#ifdef SSL_AD_NO_APPLICATION_PROTOCOL" either, if that's the only thing missing from 6.9.
>
> In the meantime I'll apply the below to keep the comment correct and to help
> future-me when revisiting SSL library support =)
>
> - * OpenSSL 1.1.0 and later, but as of this writing not in LibreSSL.
> + * OpenSSL 1.1.0 and later, as well as in LibreSSL 3.4.3 (OpenBSD 7.0) and
> + * later.
>
> Any objections to that?

Sounds good

--
Heikki Linnakangas
Neon (https://neon.tech)