On 2019-Sep-24, Victor Wagner wrote:

> Dear hackers,
>
> PostgreSQL 12 documentation states, that minimum required version of
> OpenSSL is 0.9.8. However, I was unable to compile current
> PGPRO_12_STABLE with OpenSSL 0.9.8j (from SLES 11sp4).

(Nice branch name.)

I wonder if we should really continue to support OpenSSL 0.9.8. That
branch was abandoned by the OpenSSL dev group in 2015 ... and I wouldn't
want to assume that there are no security problems fixed in the meantime.
Why shouldn't we drop support for that going forward, raising our minimum
required OpenSSL version to be at least something in the 1.0 branch?

(I'm not entirely sure about minor version numbers in OpenSSL -- it seems
1.0.2 is still being maintained, but 1.0.0 itself was also abandoned in
2016, as was 1.0.1. As far as I understand they use the alphabetical
sequence *after* the three-part version number in the way we use minor
number; so 1.0.1u (2016) is the last there, and 1.0.2t is a recent one in
the maintained branch. Along the same lines, 0.9.8j was released in Jan
2009. The last in 0.9.8 was 0.9.8zi in December 2015.)

Anyway I suppose it's not impossible that third parties are still
maintaining their 1.0.0 branch, but I doubt anyone cares for 0.9.8 with
Postgres 12 ... particularly since SUSE themselves suggest not to use the
packaged OpenSSL for their stuff but rather stick to NSS. That said, in
2014 (!!) SUSE released OpenSSL 1.0.1 separately, for use with SLES 11:
https://www.suse.com/c/introducing-the-suse-linux-enterprise-11-security-module/

Who would use the already obsolete SLES 11 (general support ended in
March 2019, though extended support ends in 2022) with Postgres 12? That
seems insane.

All that being said, I'm not opposed to this patch, since it seems a quick
way to get out of the immediate trouble.

-- 
Álvaro Herrera                https://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
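
The letter-suffix numbering described in the message, turned into a minimum-version check. This is an added example, not code from the message, PostgreSQL or OpenSSL: the function names are hypothetical, and the suffix mapping (a..z = 1..26, then "za" = 27 and so on) is an assumption chosen so that 0.9.8zi sorts after 0.9.8j.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse "M.N.F[letters]" into v[0..3]; 0 on success, -1 if malformed.
 * v[3] holds the letter suffix as a number (assumed mapping): none = 0,
 * a..z = 1..26, "za" = 27, ... Only 'z' may be followed by another letter. */
static int ossl_parse(const char *s, long v[4])
{
    char *end;
    for (int i = 0; i < 3; i++) {
        if (!isdigit((unsigned char)*s)) return -1;
        v[i] = strtol(s, &end, 10);
        s = end;
        if (i < 2 && *s++ != '.') return -1;   /* need all three numeric parts */
    }
    v[3] = 0;
    for (; *s; s++) {
        if (*s < 'a' || *s > 'z') return -1;
        if (s[1] != '\0' && *s != 'z') return -1;
        v[3] += *s - 'a' + 1;
    }
    return 0;
}

/* 1 if have >= min, 0 if older, -1 if either string is malformed. */
int ossl_at_least(const char *have, const char *min)
{
    long h[4], m[4];
    if (ossl_parse(have, h) || ossl_parse(min, m)) return -1;
    for (int i = 0; i < 4; i++)
        if (h[i] != m[i]) return h[i] > m[i];
    return 1;   /* identical versions */
}

int main(void)
{
    /* Release strings quoted in the message; the 1.0.0 floor is constructed. */
    const char *seen[] = { "0.9.8j", "0.9.8zi", "1.0.1u", "1.0.2t" };
    for (int i = 0; i < 4; i++)
        printf("%-8s >= 1.0.0 ? %d\n", seen[i], ossl_at_least(seen[i], "1.0.0"));
    return 0;
}
```

Malformed input returns -1 rather than 0 so that a caller enforcing a version floor can reject an unparseable version string instead of treating it as merely old.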