On 7/13/26 16:16, Daniel Gustafsson wrote:
I've been collecting a few small fixups to the OpenSSL code and figured it was
time to send them over to keep the number of fixes more manageable.

Nice!

* 0001: Remove the use of static variable to not interfere with the future
   multithreading efforts

Looks good!

* 0002: Replace SSLv23_method with TLS_method, it has been an alias to the new
   name since 2015 in OpenSSL

Looks good!

* 0003: Replace deprecated API X509_NAME_get_text_by_NID with the recommended
   alternative X509_NAME_get_index_by_NID + X509_NAME_get_entry.  The API was
   deprecated in OpenSSL 4 and risk getting removed, with the alternatives being
   available in all supported versions.

You should declare entry in the inner scope, not in the function scope.

The comment should maybe also add that entry and peer_cn_asn1 too are OpenSSL owned pointers. Just saying it for peer_cn_internal seems a bit odd to me.

Also this is subjective but I am not personally a fan of MemoryContextAllocZero() + memcpy(). I prefer MemoryContextAlloc() + memcpy() + peer_cn[len] = 0. I feel that explains better what is going on. I have also seen us use strncpy() for this purpose which I guess works too.

* 0004: Fix TLS protocol detection.  We have been using the wrong macro for
   feature test for a long time, replace with the actual feature test macro.
   (There is no protocol downgrade here, it will error out when misconfiguring).

Looks good! That was a funny and easy to make mistake :)

--
Andreas Karlsson
Percona



Reply via email to