[pgpool-hackers: 2529] Re: Dealing with OpenSSL 1.1

Muhammad Usama m.usama at gmail.com
Mon Sep 11 20:06:59 JST 2017


On Mon, Sep 11, 2017 at 12:05 PM, Tatsuo Ishii <ishii at sraoss.co.jp> wrote:

> I have tested the patch on Fedora 26 box and confirmed it works.
>
> $ openssl version
> OpenSSL 1.1.0f-fips  25 May 2017
>
> $ psql -h localhost -p 11000 test
> psql (9.6.3)
> SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384,
> bits: 256, compression: off)
>
> It also works on Ubuntu 16 box which still uses OpenSSL 1.0.
>
> $ openssl version
> OpenSSL 1.0.2g  1 Mar 2016
>
> $ psql -p 11000 -h localhost test
> psql (9.6.5)
> SSL connection (protocol: TLSv1.2, cipher: AES256-GCM-SHA384, bits: 256,
> compression: off)
>
> Currently the patch is pushed to master, 3.6 stable and 3.5 stable
> branches. For 3.4 and 3.3, it's not straightforward because of the
> watchdog changes.
>
> Usama,
>
> Can you please take care of 3.4 and 3.3 branches?
> (3.2 is not needed because it's EOL).
>

Sure I will do that.

Thanks
Best regards
Muhammad Usama


>
> Best regards,
> --
> Tatsuo Ishii
> SRA OSS, Inc. Japan
> English: http://www.sraoss.co.jp/index_en.php
> Japanese:http://www.sraoss.co.jp
>
> > Hi Ishii-San
> >
> > I don't have the proper setup with openssl 1.1 at the moment so couldn't
> > test the changes.
> > But I have made the required changes as per the changelog of openssl 1.1.
> > Can you please check the attached patch if it works.
> >
> > Please note that the patch is generated over your patch.
> >
> >
> > Thanks
> > Best Regards
> > Muhammad Usama
> >
> > On Fri, Jul 28, 2017 at 11:55 AM, Muhammad Usama <m.usama at gmail.com> wrote:
> >
> >> Hi Ishii-San,
> >>
> >> Apparently HMAC_CTX_init and HMAC_CTX_cleanup are also removed from the new
> >> openssl API. I am looking into the replacements for these functions and will
> >> update on this thread.
> >>
> >> Thanks
> >> Best Regards
> >> Muhammad Usama
> >>
> >> On Fri, Jul 28, 2017 at 7:29 AM, Tatsuo Ishii <ishii at sraoss.co.jp> wrote:
> >>
> >>> Hi Usama,
> >>>
> >>> While working on $subject, I get compile errors while compiling
> >>> watchdog:
> >>>
> >>> make[2]: Entering directory '/home/t-ishii/src/pgpool2/src/watchdog'
> >>> depbase=`echo wd_utils.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
> >>> gcc -DHAVE_CONFIG_H -I. -I../../src/include  -D_GNU_SOURCE -I
> >>> /usr/include   -g -O2 -Wall -Wmissing-prototypes -Wmissing-declarations
> >>> -fno-strict-aliasing -MT wd_utils.o -MD -MP -MF $depbase.Tpo -c -o
> >>> wd_utils.o wd_utils.c &&\
> >>> mv -f $depbase.Tpo $depbase.Po
> >>> wd_utils.c: In function 'calculate_hmac_sha256':
> >>> wd_utils.c:157:11: error: storage size of 'ctx' isn't known
> >>>   HMAC_CTX ctx;
> >>>            ^~~
> >>> wd_utils.c:158:2: warning: implicit declaration of function
> >>> 'HMAC_CTX_init'; did you mean 'HMAC_CTX_new'?
> >>> [-Wimplicit-function-declaration]
> >>>   HMAC_CTX_init(&ctx);
> >>>   ^~~~~~~~~~~~~
> >>>   HMAC_CTX_new
> >>> wd_utils.c:162:2: warning: implicit declaration of function
> >>> 'HMAC_CTX_cleanup'; did you mean 'HMAC_CTX_get_md'?
> >>> [-Wimplicit-function-declaration]
> >>>   HMAC_CTX_cleanup(&ctx);
> >>>   ^~~~~~~~~~~~~~~~
> >>>   HMAC_CTX_get_md
> >>> wd_utils.c:157:11: warning: unused variable 'ctx' [-Wunused-variable]
> >>>   HMAC_CTX ctx;
> >>>            ^~~
> >>> make[2]: *** [Makefile:400: wd_utils.o] Error 1
> >>>
> >>> Any idea how to fix them?
> >>>
> >>> This is Fedora 26. Attached is the patch I'm working on.
> >>>
> >>> Best regards,
> >>> --
> >>> Tatsuo Ishii
> >>> SRA OSS, Inc. Japan
> >>> English: http://www.sraoss.co.jp/index_en.php
> >>> Japanese:http://www.sraoss.co.jp
> >>>
> >>> diff --git a/configure.ac b/configure.ac
> >>> index 38c8611..1b7fb4a 100644
> >>> --- a/configure.ac
> >>> +++ b/configure.ac
> >>> @@ -325,7 +325,7 @@ if test "$with_openssl" = yes || test
> "$with_openssl"
> >>> = auto; then
> >>>          ])
> >>>
> >>>     AC_CHECK_LIB(crypto, CRYPTO_new_ex_data, [], [AC_MSG_ERROR([library
> >>> 'crypto' is required for OpenSSL])])
> >>> -   AC_CHECK_LIB(ssl,    SSL_library_init, [], [AC_MSG_ERROR([library
> >>> 'ssl' is required for OpenSSL])])
> >>> +   AC_CHECK_LIB(ssl,    SSL_new, [], [AC_MSG_ERROR([library 'ssl' is
> >>> required for OpenSSL])])
> >>>  fi
> >>>
> >>>  AC_ARG_WITH(pam,
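
Review bot: the AC_CHECK_LIB(ssl, ...) probe switches from SSL_library_init to SSL_new with no comment saying why, so a later cleanup could easily put the old symbol back. In OpenSSL 1.1.0 SSL_library_init is a macro rather than an exported function, so a link test for it fails; a short dnl comment above the check stating that, and that SSL_new is present in both 1.0.x and 1.1.x, would document the choice.
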
> >>> diff --git a/src/main/main.c b/src/main/main.c
> >>> index 9dd0cc3..f33eec5 100644
> >>> --- a/src/main/main.c
> >>> +++ b/src/main/main.c
> >>> @@ -5,7 +5,7 @@
> >>>   * pgpool: a language independent connection pool server for
> PostgreSQL
> >>>   * written by Tatsuo Ishii
> >>>   *
> >>> - * Copyright (c) 2003-2016     PgPool Global Development Group
> >>> + * Copyright (c) 2003-2017     PgPool Global Development Group
> >>>   *
> >>>   * Permission to use, copy, modify, and distribute this software and
> >>>   * its documentation for any purpose and without fee is hereby
> >>> @@ -185,7 +185,11 @@ int main(int argc, char **argv)
> >>>         }
> >>>  #ifdef USE_SSL
> >>>         /* global ssl init */
> >>> +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
> >>> +       OPENSSL_init_ssl(0, NULL);
> >>> +#else
> >>>         SSL_library_init();
> >>> +#endif
> >>>         SSL_load_error_strings();
> >>>  #endif /* USE_SSL */
> >>>
> >>>
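
Review bot: the return value of OPENSSL_init_ssl(0, NULL) in the new ">= 0x10100000L" branch is ignored. It returns 1 on success and 0 on error, so a failed library initialization would only surface later, at the first SSL call; suggest checking it here and reporting the failure at startup. The guard also tests only OPENSSL_VERSION_NUMBER, and LibreSSL reports 0x20000000L for that macro, so it would take this branch as well; consider adding a !defined(LIBRESSL_VERSION_NUMBER) condition if LibreSSL builds are supported.
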
> >>> _______________________________________________
> >>> pgpool-hackers mailing list
> >>> pgpool-hackers at pgpool.net
> >>> http://www.pgpool.net/mailman/listinfo/pgpool-hackers
> >>>
> >>>
> >>
>