> On 30 Nov 2019, at 03:43, Michael Paquier <mich...@paquier.xyz> wrote:
>
> On Fri, Nov 29, 2019 at 10:30:47AM -0500, Tom Lane wrote:
>> What's the impact going to be on buildfarm members with older openssl
>> installations? Perhaps "none", if they aren't running the ssl test
>> suite, but we should be clear about it.
>
> The buildfarm logs don't directly report the version of OpenSSL used
> as far as I recalled, and a quick lookup shows that..

Not explicitly, but it would be nice if it did. Since the version depends on
the optional FIPS module, running "openssl version" is really the safe option,
which in itself is hard since the libraries pointed to with --with-libs aren't
guaranteed to have an openssl command installed etc. OpenSSL might also these
days be LibreSSL (or potentially even BoringSSL perhaps if someone twists the
arm of their installation enough).

However, looking at the signatures detected by autoconf we can get an idea of
which version is used. SSL_clear_options and X509_get_signature_nid() first
shipped in 1.0.2, while SSL_get_current_compression first shipped in 0.9.8.
There is also a set of functions which are new in 1.1.0 (BIO_get_data et al.).

This tells us that for example alewife is likely running 1.0.2:

    checking for SSL_new in -lssl... (cached) yes
    checking for SSL_clear_options... (cached) no
    checking for SSL_get_current_compression... (cached) yes
    checking for X509_get_signature_nid... (cached) yes
    checking for OPENSSL_init_ssl... (cached) no
    checking for BIO_get_data... (cached) no
    checking for BIO_meth_new... (cached) no
    checking for ASN1_STRING_get0_data... (cached) no

(the careful observer notes that the SSL_clear_options() check fails even
though it should be in 1.0.2, and that's probably because SSL_clear_options is
a macro until 1.1.0 where it becomes a function).

gaur however looks like it is running 0.9.8:

    checking for SSL_new in -lssl... yes
    checking for SSL_clear_options... no
    checking for SSL_get_current_compression... yes
    checking for X509_get_signature_nid... no
    checking for OPENSSL_init_ssl... no
    checking for BIO_get_data... no
    checking for BIO_meth_new... no
    checking for ASN1_STRING_get0_data... no
    checking for CRYPTO_lock... yes

scorpionfly running OpenBSD 6.6 configures as a LibreSSL on par with what we
expect for 1.1.0 (SSL_clear_options again fails here since it's still a macro
in LibreSSL):

    checking for SSL_new in -lssl... (cached) yes
    checking for SSL_clear_options... (cached) no
    checking for SSL_get_current_compression... (cached) yes
    checking for X509_get_signature_nid... (cached) yes
    checking for OPENSSL_init_ssl... (cached) yes
    checking for BIO_get_data... (cached) yes
    checking for BIO_meth_new... (cached) yes
    checking for ASN1_STRING_get0_data... (cached) yes
    checking for CRYPTO_lock... (cached) yes

Randomly picking animals, and trying to target platforms where older versions
could be expected, I didn't see any <= 0.9.7; a small number 0.9.8 and most at
1.0.2 or higher (with the 0.9.8 animals being: gaur, sungazer and prairiedog).
This is not an exhaustive list of course, maybe someone with better access to
the buildfarm data can do some more clever analysis.

cheers ./daniel
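
The inference described in the message above can be automated over saved configure output. This is an added example, not part of the original message or of the PostgreSQL buildfarm code; the names parse_checks, infer_floor and libressl_hint are hypothetical, and the LibreSSL hint is an assumed heuristic that relies on CRYPTO_lock no longer linking as a function in OpenSSL 1.1.0.

```python
import re

# Marker function -> first OpenSSL release shipping it, per the message above.
FIRST_SHIPPED = {
    "SSL_get_current_compression": (0, 9, 8),
    "X509_get_signature_nid": (1, 0, 2),
    "OPENSSL_init_ssl": (1, 1, 0),
    "BIO_get_data": (1, 1, 0),
    "BIO_meth_new": (1, 1, 0),
    "ASN1_STRING_get0_data": (1, 1, 0),
}
# SSL_clear_options is skipped on purpose: it is a macro before 1.1.0 and in
# LibreSSL, so the link-based check reports "no" even where it is usable.

CHECK_RE = re.compile(
    r"checking for (\w+)(?: in -l\w+)?\.\.\.\s*(?:\(cached\)\s*)?(yes|no)\b")

def parse_checks(text):
    """Map each checked symbol to True/False; works on flattened logs too."""
    return {m.group(1): m.group(2) == "yes" for m in CHECK_RE.finditer(text)}

def infer_floor(text):
    """Newest release whose marker function linked, or None if none did."""
    checks = parse_checks(text)
    hits = [ver for fn, ver in FIRST_SHIPPED.items() if checks.get(fn)]
    return max(hits) if hits else None

def libressl_hint(text):
    """Assumed heuristic: 1.1.0 API present while CRYPTO_lock still links."""
    checks = parse_checks(text)
    return infer_floor(text) == (1, 1, 0) and checks.get("CRYPTO_lock", False)

# gaur's configure output as quoted in the message.
GAUR = """\
checking for SSL_new in -lssl... yes
checking for SSL_clear_options... no
checking for SSL_get_current_compression... yes
checking for X509_get_signature_nid... no
checking for OPENSSL_init_ssl... no
checking for BIO_get_data... no
checking for BIO_meth_new... no
checking for ASN1_STRING_get0_data... no
checking for CRYPTO_lock... yes
"""

if __name__ == "__main__":
    print("gaur:", infer_floor(GAUR), "LibreSSL-like:", libressl_hint(GAUR))
```

The result is a lower bound only: distributions backport symbols, so "openssl version" against the same library remains the authoritative answer where it is available.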