[pgpool-hackers: 2527] Re: Dealing with OpenSSL 1.1

Tatsuo Ishii ishii at sraoss.co.jp
Mon Sep 11 16:05:29 JST 2017


I have tested the patch on Fedora 26 box and confirmed it works.

$ openssl version
OpenSSL 1.1.0f-fips  25 May 2017

$ psql -h localhost -p 11000 test
psql (9.6.3)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)

It also works on Ubuntu 16 box which still uses OpenSSL 1.0.

$ openssl version
OpenSSL 1.0.2g  1 Mar 2016

$ psql -p 11000 -h localhost test
psql (9.6.5)
SSL connection (protocol: TLSv1.2, cipher: AES256-GCM-SHA384, bits: 256, compression: off)

Currently the patch is pushed to master, 3.6 stable and 3.5 stable
branches. For 3.4 and 3.3, it's not straightforward because of the
watchdog changes.

Usama,

Can you please take care of 3.4 and 3.3 branches?
(3.2 is not needed because it's EOL).

Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese: http://www.sraoss.co.jp

> Hi Ishii-San
> 
> I don't have the proper setup with openssl 1.1 at the moment, so I couldn't
> test the changes.
> But I have made the required changes as per the changelog of openssl 1.1.
> Can you please check whether the attached patch works?
> 
> Please note that the patch is generated over your patch.
> 
> 
> Thanks
> Best Regards
> Muhammad Usama
> 
> On Fri, Jul 28, 2017 at 11:55 AM, Muhammad Usama <m.usama at gmail.com> wrote:
> 
>> Hi Ishii-San,
>>
>> Apparently HMAC_CTX_init and HMAC_CTX_cleanup are also removed from the new
>> openssl API. I am looking into the replacements for these functions and will
>> update this thread.
>>
>> Thanks
>> Best Regards
>> Muhammad Usama
>>
>> On Fri, Jul 28, 2017 at 7:29 AM, Tatsuo Ishii <ishii at sraoss.co.jp> wrote:
>>
>>> Hi Usama,
>>>
>>> While working on $subject, I get compile errors while compiling
>>> watchdog:
>>>
>>> make[2]: Entering directory '/home/t-ishii/src/pgpool2/src/watchdog'
>>> depbase=`echo wd_utils.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
>>> gcc -DHAVE_CONFIG_H -I. -I../../src/include  -D_GNU_SOURCE -I
>>> /usr/include   -g -O2 -Wall -Wmissing-prototypes -Wmissing-declarations
>>> -fno-strict-aliasing -MT wd_utils.o -MD -MP -MF $depbase.Tpo -c -o
>>> wd_utils.o wd_utils.c &&\
>>> mv -f $depbase.Tpo $depbase.Po
>>> wd_utils.c: In function 'calculate_hmac_sha256':
>>> wd_utils.c:157:11: error: storage size of 'ctx' isn't known
>>>   HMAC_CTX ctx;
>>>            ^~~
>>> wd_utils.c:158:2: warning: implicit declaration of function 'HMAC_CTX_init'; did you mean 'HMAC_CTX_new'? [-Wimplicit-function-declaration]
>>>   HMAC_CTX_init(&ctx);
>>>   ^~~~~~~~~~~~~
>>>   HMAC_CTX_new
>>> wd_utils.c:162:2: warning: implicit declaration of function 'HMAC_CTX_cleanup'; did you mean 'HMAC_CTX_get_md'? [-Wimplicit-function-declaration]
>>>   HMAC_CTX_cleanup(&ctx);
>>>   ^~~~~~~~~~~~~~~~
>>>   HMAC_CTX_get_md
>>> wd_utils.c:157:11: warning: unused variable 'ctx' [-Wunused-variable]
>>>   HMAC_CTX ctx;
>>>            ^~~
>>> make[2]: *** [Makefile:400: wd_utils.o] Error 1
>>>
>>> Any idea how to fix them?
>>>
>>> This is Fedora 26. Attached is the patch I'm working on.
>>>
>>> Best regards,
>>> --
>>> Tatsuo Ishii
>>> SRA OSS, Inc. Japan
>>> English: http://www.sraoss.co.jp/index_en.php
>>> Japanese: http://www.sraoss.co.jp
>>>
>>> diff --git a/configure.ac b/configure.ac
>>> index 38c8611..1b7fb4a 100644
>>> --- a/configure.ac
>>> +++ b/configure.ac
>>> @@ -325,7 +325,7 @@ if test "$with_openssl" = yes || test "$with_openssl"
>>> = auto; then
>>>          ])
>>>
>>>     AC_CHECK_LIB(crypto, CRYPTO_new_ex_data, [], [AC_MSG_ERROR([library
>>> 'crypto' is required for OpenSSL])])
>>> -   AC_CHECK_LIB(ssl,    SSL_library_init, [], [AC_MSG_ERROR([library
>>> 'ssl' is required for OpenSSL])])
>>> +   AC_CHECK_LIB(ssl,    SSL_new, [], [AC_MSG_ERROR([library 'ssl' is
>>> required for OpenSSL])])
>>>  fi
>>>
>>>  AC_ARG_WITH(pam,
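Review bot: the link probe switches from SSL_library_init to SSL_new, but nothing in the hunk records why; a one-line comment above the AC_CHECK_LIB call saying that SSL_library_init is no longer a linkable function in OpenSSL 1.1 (the main.c hunk in this same patch calls OPENSSL_init_ssl there instead) would spare the next reader a git-blame. SSL_new itself is a sound choice of probe symbol since it exists in both 1.0 and 1.1.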
>>> diff --git a/src/main/main.c b/src/main/main.c
>>> index 9dd0cc3..f33eec5 100644
>>> --- a/src/main/main.c
>>> +++ b/src/main/main.c
>>> @@ -5,7 +5,7 @@
>>>   * pgpool: a language independent connection pool server for PostgreSQL
>>>   * written by Tatsuo Ishii
>>>   *
>>> - * Copyright (c) 2003-2016     PgPool Global Development Group
>>> + * Copyright (c) 2003-2017     PgPool Global Development Group
>>>   *
>>>   * Permission to use, copy, modify, and distribute this software and
>>>   * its documentation for any purpose and without fee is hereby
>>> @@ -185,7 +185,11 @@ int main(int argc, char **argv)
>>>         }
>>>  #ifdef USE_SSL
>>>         /* global ssl init */
>>> +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
>>> +       OPENSSL_init_ssl(0, NULL);
>>> +#else
>>>         SSL_library_init();
>>> +#endif
>>>         SSL_load_error_strings();
>>>  #endif /* USE_SSL */
>>>
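Review bot: the return value of `OPENSSL_init_ssl(0, NULL)` is dropped; it returns 0 on failure, and an initialisation failure would otherwise only surface later as a confusing SSL_CTX_new or SSL_new error, so check it (`if (OPENSSL_init_ssl(0, NULL) != 1)` and log or exit) rather than letting the daemon continue without SSL. Worth a comment in the new `#if` branch too: on 1.1 the explicit init is optional because the library initialises itself on first use, and the `SSL_load_error_strings()` that follows is a deprecated compatibility macro there, so the intent of keeping both calls should be stated.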
>>>
>>>
>>>
>>
