fi
if test "$with_ssl" = openssl ; then
- # Minimum required OpenSSL version is 1.1.0
+ # Minimum required OpenSSL version is 1.1.1
-$as_echo "#define OPENSSL_API_COMPAT 0x10100000L" >>confdefs.h
+$as_echo "#define OPENSSL_API_COMPAT 0x10101000L" >>confdefs.h
if test "$PORTNAME" != "win32"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for CRYPTO_new_ex_data in -lcrypto" >&5
fi
fi
- # Function introduced in OpenSSL 1.0.2, not in LibreSSL.
- for ac_func in SSL_CTX_set_cert_cb
+ # Functions introduced in OpenSSL 1.1.1.
+ for ac_func in SSL_CTX_set_ciphersuites
do :
- ac_fn_c_check_func "$LINENO" "SSL_CTX_set_cert_cb" "ac_cv_func_SSL_CTX_set_cert_cb"
-if test "x$ac_cv_func_SSL_CTX_set_cert_cb" = xyes; then :
+ ac_fn_c_check_func "$LINENO" "SSL_CTX_set_ciphersuites" "ac_cv_func_SSL_CTX_set_ciphersuites"
+if test "x$ac_cv_func_SSL_CTX_set_ciphersuites" = xyes; then :
cat >>confdefs.h <<_ACEOF
-#define HAVE_SSL_CTX_SET_CERT_CB 1
+#define HAVE_SSL_CTX_SET_CIPHERSUITES 1
_ACEOF
+else
+ as_fn_error $? "OpenSSL version >= 1.1.1 is required for SSL support" "$LINENO" 5
fi
done
- # Functions introduced in OpenSSL 1.1.0. We used to check for
- # OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
- # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it
- # doesn't have these OpenSSL 1.1.0 functions. So check for individual
- # functions.
- for ac_func in OPENSSL_init_ssl
+ # Function introduced in OpenSSL 1.0.2, not in LibreSSL.
+ for ac_func in SSL_CTX_set_cert_cb
do :
- ac_fn_c_check_func "$LINENO" "OPENSSL_init_ssl" "ac_cv_func_OPENSSL_init_ssl"
-if test "x$ac_cv_func_OPENSSL_init_ssl" = xyes; then :
+ ac_fn_c_check_func "$LINENO" "SSL_CTX_set_cert_cb" "ac_cv_func_SSL_CTX_set_cert_cb"
+if test "x$ac_cv_func_SSL_CTX_set_cert_cb" = xyes; then :
cat >>confdefs.h <<_ACEOF
-#define HAVE_OPENSSL_INIT_SSL 1
+#define HAVE_SSL_CTX_SET_CERT_CB 1
_ACEOF
-else
- as_fn_error $? "OpenSSL version >= 1.1.0 is required for SSL support" "$LINENO" 5
fi
done
if test "$with_ssl" = openssl ; then
dnl Order matters!
- # Minimum required OpenSSL version is 1.1.0
- AC_DEFINE(OPENSSL_API_COMPAT, [0x10100000L],
+ # Minimum required OpenSSL version is 1.1.1
+ AC_DEFINE(OPENSSL_API_COMPAT, [0x10101000L],
[Define to the OpenSSL API version in use. This avoids deprecation warnings from newer OpenSSL versions.])
if test "$PORTNAME" != "win32"; then
AC_CHECK_LIB(crypto, CRYPTO_new_ex_data, [], [AC_MSG_ERROR([library 'crypto' is required for OpenSSL])])
AC_SEARCH_LIBS(CRYPTO_new_ex_data, [eay32 crypto], [], [AC_MSG_ERROR([library 'eay32' or 'crypto' is required for OpenSSL])])
AC_SEARCH_LIBS(SSL_new, [ssleay32 ssl], [], [AC_MSG_ERROR([library 'ssleay32' or 'ssl' is required for OpenSSL])])
fi
+ # Functions introduced in OpenSSL 1.1.1.
+ AC_CHECK_FUNCS([SSL_CTX_set_ciphersuites], [], [AC_MSG_ERROR([OpenSSL version >= 1.1.1 is required for SSL support])])
# Function introduced in OpenSSL 1.0.2, not in LibreSSL.
AC_CHECK_FUNCS([SSL_CTX_set_cert_cb])
- # Functions introduced in OpenSSL 1.1.0. We used to check for
- # OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
- # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it
- # doesn't have these OpenSSL 1.1.0 functions. So check for individual
- # functions.
- AC_CHECK_FUNCS([OPENSSL_init_ssl], [], [AC_MSG_ERROR([OpenSSL version >= 1.1.0 is required for SSL support])])
# Function introduced in OpenSSL 1.1.1, not in LibreSSL.
AC_CHECK_FUNCS([X509_get_signature_info SSL_CTX_set_num_tickets])
AC_DEFINE([USE_OPENSSL], 1, [Define to 1 to build with OpenSSL support. (--with-ssl=openssl)])
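Review bot: The new comment above the `SSL_CTX_set_ciphersuites` probe drops the one piece of rationale the old comment carried — that the minimum-version gate is a function check rather than an OPENSSL_VERSION_NUMBER comparison because LibreSSL defines that macro to claim version 2.0.0 — so a later maintainer seeing a 1.1.1 floor next to a function probe has no hint why a macro check would be wrong. Suggest `# Functions introduced in OpenSSL 1.1.1. Check for a function rather than OPENSSL_VERSION_NUMBER, since LibreSSL defines that macro to claim version 2.0.0.` This probe is now the only thing enforcing the minimum version, so the reason for its form is worth stating. The same comment is replaced in the meson.build hunk (`['SSL_CTX_set_ciphersuites', {'required': true}]`) and should get the same wording there.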
encrypted client connections. <productname>OpenSSL</productname> is
also required for random number generation on platforms that do not
have <filename>/dev/urandom</filename> (except Windows). The minimum
- required version is 1.1.0.
+ required version is 1.1.1.
+ </para>
+ <para>
+ Additionally, <productname>LibreSSL</productname> is supported using the
+ <productname>OpenSSL</productname> compatibility layer. The minimum
+ required version is 3.4 (from <systemitem class="osname">OpenBSD</systemitem>
+ version 7.0).
</para>
</listitem>
<para>
Build with support for <acronym>SSL</acronym> (encrypted)
connections. The only <replaceable>LIBRARY</replaceable>
- supported is <option>openssl</option>. This requires the
+ supported is <option>openssl</option>, which is used for both
+ <productname>OpenSSL</productname>
+ and <productname>LibreSSL</productname>. This requires the
<productname>OpenSSL</productname> package to be installed.
<filename>configure</filename> will check for the required
header files and libraries to make sure that your
['CRYPTO_new_ex_data', {'required': true}],
['SSL_new', {'required': true}],
- # Functions introduced in OpenSSL 1.1.0. We used to check for
- # OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
- # defines OPENSSL_VERSION_NUMBER to claim version 2.0.0, even though it
- # doesn't have these OpenSSL 1.1.0 functions. So check for individual
- # functions.
- ['OPENSSL_init_ssl', {'required': true}],
+ # Functions introduced in OpenSSL 1.1.1.
+ ['SSL_CTX_set_ciphersuites', {'required': true}],
# Function introduced in OpenSSL 1.0.2, not in LibreSSL.
['SSL_CTX_set_cert_cb'],
if are_openssl_funcs_complete
cdata.set('USE_OPENSSL', 1,
description: 'Define to 1 to build with OpenSSL support. (-Dssl=openssl)')
- cdata.set('OPENSSL_API_COMPAT', '0x10100000L',
+ cdata.set('OPENSSL_API_COMPAT', '0x10101000L',
description: 'Define to the OpenSSL API version in use. This avoids deprecation warnings from newer OpenSSL versions.')
ssl_library = 'openssl'
else
/* Define to 1 if you have the `mkdtemp' function. */
#undef HAVE_MKDTEMP
-/* Define to 1 if you have the `OPENSSL_init_ssl' function. */
-#undef HAVE_OPENSSL_INIT_SSL
-
/* Define to 1 if you have the <ossp/uuid.h> header file. */
#undef HAVE_OSSP_UUID_H
/* Define to 1 if you have the `SSL_CTX_set_cert_cb' function. */
#undef HAVE_SSL_CTX_SET_CERT_CB
+/* Define to 1 if you have the `SSL_CTX_set_ciphersuites' function. */
+#undef HAVE_SSL_CTX_SET_CIPHERSUITES
+
/* Define to 1 if you have the `SSL_CTX_set_num_tickets' function. */
#undef HAVE_SSL_CTX_SET_NUM_TICKETS
* cryptographically secure, suitable for use e.g. in authentication.
*
* Before pg_strong_random is called in any process, the generator must first
- * be initialized by calling pg_strong_random_init().
+ * be initialized by calling pg_strong_random_init(). Initialization is a no-
+ * op for all supported randomness sources, it is kept to maintain backwards
+ * compatibility with extensions.
*
* We rely on system facilities for actually generating the numbers.
* We support a number of sources:
#ifdef USE_OPENSSL
-#include <openssl/opensslv.h>
#include <openssl/rand.h>
void
pg_strong_random_init(void)
{
-#if (OPENSSL_VERSION_NUMBER < 0x10101000L)
- /*
- * Make sure processes do not share OpenSSL randomness state. This is not
- * required on LibreSSL and no longer required in OpenSSL 1.1.1 and later
- * versions.
- */
- RAND_poll();
-#endif
+ /* No initialization needed */
}
bool
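Review bot: The function body now says only `/* No initialization needed */`, while the removed block was the sole place recording that RAND_poll() existed to keep forked processes from sharing OpenSSL randomness state and that this is not required on LibreSSL or OpenSSL 1.1.1 and later. That guarantee now rests entirely on the configure-time version floor, so it is worth keeping the reasoning next to the empty body, e.g. `/* No initialization needed: the configure minimum of OpenSSL 1.1.1 (and LibreSSL) no longer requires RAND_poll() to keep child processes from sharing randomness state. */`. The new sentence in the header comment has a comma splice; `no-op for all supported randomness sources; it is kept to maintain backwards compatibility with extensions` reads better. Dropping `<openssl/opensslv.h>` is fine for this function, but if OPENSSL_VERSION_NUMBER is still referenced elsewhere in the file, which the page does not show, that include would need to stay. The hunk's trailing context may continue past the end of the page.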