On Tue, Sep 24, 2019 at 10:18:59AM +0300, Victor Wagner wrote:
> PostgreSQL 12 documentation states that the minimum required version of
> OpenSSL is 0.9.8. However, I was unable to compile current
> PGPRO_12_STABLE with OpenSSL 0.9.8j (from SLES 11sp4).

I can reproduce that with REL_12_STABLE and the top of
OpenSSL_0_9_8-stable from OpenSSL's git.

> It is not so. Here is an excerpt from the tls1.h header file from
> openssl 0.9.8j:
>
> #define TLS1_VERSION 0x0301
> #define TLS1_1_VERSION 0x0302
> #define TLS1_2_VERSION 0x0303
> /* TLS 1.1 and 1.2 are not supported by this version of OpenSSL, so
>  * TLS_MAX_VERSION indicates TLS 1.0 regardless of the above
>  * definitions. (s23_clnt.c and s23_srvr.c have an OPENSSL_assert()
>  * check that would catch the error if TLS_MAX_VERSION was too low.)
>  */
> #define TLS_MAX_VERSION TLS1_VERSION

Indeed, we currently rely on a false assumption that the version is
supported if the object is defined. That's clearly wrong.

> Replacing all
>
> #ifdef TLS1_1_VERSION
>
> with
>
> #if defined(TLS1_1_VERSION) && TLS1_1_VERSION <= TLS_MAX_VERSION
>
> and the analogue for TLS1_2_VERSION fixes the problem.

That sounds like a plan.

> Really, the problem is that the symbol SSL_OP_NO_TLSv1_1 (and 1_2
> accordingly) might be undefined even if TLS1_1_VERSION is defined.
>
> Replacing
>
> #ifdef TLS1_1_VERSION
>
> with
>
> #ifdef SSL_OP_NO_TLSv1_1

Hmm. Wouldn't it be better to check if the maximum version of TLS is
supported and if SSL_OP_NO_TLSv1_1 is defined (same for 1.2)?

> But there is a third (first from the start of the file) one.
> ...
> case PG_TLS1_1_VERSION:
> #ifdef TLS1_1_VERSION
> return TLS1_1_VERSION;
> #else
> break;
> #endif
> ...
> (line 1290). In this case a check for TLS1_1_VERSION <= TLS_MAX_VERSION
> seems to be more self-explanatory than a check for the somewhat unrelated
> symbol SSL_OP_NO_TLSv1_1.

That sounds right. Victor, would you like to write a patch?
--
Michael
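To make the failure mode concrete, here is an added, self-contained example (not code from the thread or from PostgreSQL). It recreates the quoted tls1.h macros from OpenSSL 0.9.8j as constructed stand-ins and puts the old `#ifdef` mapping beside the proposed `defined(...) && ... <= TLS_MAX_VERSION` check; the `pg_tls_version` enum and the function names are hypothetical.

```c
/* Constructed stand-in for the tls1.h excerpt quoted in the thread (OpenSSL 0.9.8j):
 * the TLS 1.1/1.2 version macros exist, yet TLS_MAX_VERSION is pinned to TLS 1.0. */
#define TLS1_VERSION    0x0301
#define TLS1_1_VERSION  0x0302
#define TLS1_2_VERSION  0x0303
#define TLS_MAX_VERSION TLS1_VERSION

/* Hypothetical enum mirroring the PG_TLS1_x_VERSION cases of the quoted switch. */
enum pg_tls_version { PG_TLS1_VERSION = 1, PG_TLS1_1_VERSION, PG_TLS1_2_VERSION };
#define TLS_UNSUPPORTED (-1)

/* Old mapping: "#ifdef TLS1_1_VERSION" treats a defined macro as a supported protocol. */
int old_pg_to_openssl_version(enum pg_tls_version v)
{
    switch (v) {
    case PG_TLS1_VERSION: return TLS1_VERSION;
    case PG_TLS1_1_VERSION:
#ifdef TLS1_1_VERSION
        return TLS1_1_VERSION;   /* reached on 0.9.8 although TLS 1.1 is unavailable */
#endif
        break;
    case PG_TLS1_2_VERSION:
#ifdef TLS1_2_VERSION
        return TLS1_2_VERSION;   /* same problem for TLS 1.2 */
#endif
        break;
    }
    return TLS_UNSUPPORTED;
}

/* Fixed mapping, as proposed in the thread: the macro must be defined AND not exceed TLS_MAX_VERSION. */
int new_pg_to_openssl_version(enum pg_tls_version v)
{
    switch (v) {
    case PG_TLS1_VERSION: return TLS1_VERSION;
    case PG_TLS1_1_VERSION:
#if defined(TLS1_1_VERSION) && TLS1_1_VERSION <= TLS_MAX_VERSION
        return TLS1_1_VERSION;
#endif
        break;                   /* 0x0302 > 0x0301: correctly reported as unsupported */
    case PG_TLS1_2_VERSION:
#if defined(TLS1_2_VERSION) && TLS1_2_VERSION <= TLS_MAX_VERSION
        return TLS1_2_VERSION;
#endif
        break;
    }
    return TLS_UNSUPPORTED;
}
```

With these macros the old mapping returns 0x0302 and 0x0303 for TLS 1.1 and 1.2, while the fixed mapping returns TLS_UNSUPPORTED for both and still returns 0x0301 for TLS 1.0.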