authorDaniel Gustafsson <dgustafsson@postgresql.org>2024-10-24 15:20:19 +0200
committerDaniel Gustafsson <dgustafsson@postgresql.org>2024-10-24 15:20:19 +0200
commit6c66b7443cebf3ff09ea76416a20fb6bb1d32a52 (patch)
tree3133dc783cd351b714a7484284014058d2d2b63d /src
parentf81855171f95c4440d1d9f41bc9e5ac47eafb7a0 (diff)
Raise the minimum supported OpenSSL version to 1.1.1
Commit a70e01d4306fdbcd retired support for OpenSSL 1.0.2 in order to get rid of the need for manual initialization of the library. This left our API usage compatible with 1.1.0 which was defined as the minimum required version. Also mention that 3.4 is the minimum version required when using LibreSSL. An upcoming commit will introduce support for configuring TLSv1.3 cipher suites which require an API call in OpenSSL 1.1.1 and onwards. In order to support this setting this commit will set v1.1.1 as the new minimum required version. The version-specific call for randomness init added in commit c3333dbc0c0 is removed as it's no longer needed. Author: Daniel Gustafsson <daniel@yesql.se> Discussion: https://postgr.es/m/909A668B-06AD-47D1-B8EB-A164211AAD16@yesql.se Discussion: https://postgr.es/m/tencent_063F89FA72CCF2E48A0DF5338841988E9809@qq.com
Diffstat (limited to 'src')
-rw-r--r--src/include/pg_config.h.in6
-rw-r--r--src/port/pg_strong_random.c14
2 files changed, 7 insertions, 13 deletions
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
index 427030f31a7..cdd9a6e9355 100644
--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -280,9 +280,6 @@
/* Define to 1 if you have the `mkdtemp' function. */
#undef HAVE_MKDTEMP
-/* Define to 1 if you have the `OPENSSL_init_ssl' function. */
-#undef HAVE_OPENSSL_INIT_SSL
-
/* Define to 1 if you have the <ossp/uuid.h> header file. */
#undef HAVE_OSSP_UUID_H
@@ -358,6 +355,9 @@
/* Define to 1 if you have the `SSL_CTX_set_cert_cb' function. */
#undef HAVE_SSL_CTX_SET_CERT_CB
+/* Define to 1 if you have the `SSL_CTX_set_ciphersuites' function. */
+#undef HAVE_SSL_CTX_SET_CIPHERSUITES
+
/* Define to 1 if you have the `SSL_CTX_set_num_tickets' function. */
#undef HAVE_SSL_CTX_SET_NUM_TICKETS
diff --git a/src/port/pg_strong_random.c b/src/port/pg_strong_random.c
index a8efb2b1886..b5f0ea2fdc1 100644
--- a/src/port/pg_strong_random.c
+++ b/src/port/pg_strong_random.c
@@ -31,7 +31,9 @@
* cryptographically secure, suitable for use e.g. in authentication.
*
* Before pg_strong_random is called in any process, the generator must first
- * be initialized by calling pg_strong_random_init().
+ * be initialized by calling pg_strong_random_init(). Initialization is a no-
+ * op for all supported randomness sources, it is kept to maintain backwards
+ * compatibility with extensions.
*
* We rely on system facilities for actually generating the numbers.
* We support a number of sources:
@@ -50,20 +52,12 @@
#ifdef USE_OPENSSL
-#include <openssl/opensslv.h>
#include <openssl/rand.h>
void
pg_strong_random_init(void)
{
-#if (OPENSSL_VERSION_NUMBER < 0x10101000L)
- /*
- * Make sure processes do not share OpenSSL randomness state. This is not
- * required on LibreSSL and no longer required in OpenSSL 1.1.1 and later
- * versions.
- */
- RAND_poll();
-#endif
+ /* No initialization needed */
}
bool
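Review bot: The replacement comment `/* No initialization needed */` in pg_strong_random_init() drops the reason the RAND_poll() call could be removed, which is the security-relevant part. The removed comment recorded that processes must not share OpenSSL randomness state, and that the explicit call is unnecessary only on LibreSSL and on OpenSSL 1.1.1 and later. Because the `<openssl/opensslv.h>` include and the `OPENSSL_VERSION_NUMBER` guard are removed as well, nothing in this file ties the empty body to the library version any more; enforcement of the new minimum presumably lives in the build system, which this view (limited to 'src') does not show. I would keep the rationale in the body, e.g. `/* No initialization needed: OpenSSL 1.1.1+ and LibreSSL do not share randomness state between processes. */`, so that anyone lowering the version floor later knows the call has to be restored.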