6c66b74 - Raise the minimum supported OpenSSL version to 1.1.1

Enhance OpenSSL initialization and certificate date adjustment for compatibility with OpenSSL versions

Refactor OpenSSL initialization and certificate date adjustment for improved clarity and consistency

Update SSL context creation to use TLS_method for improved security and maintain compatibility with OpenSSL 1.1.0+

Refactor SSL context creation to use TLS_method for OpenSSL 1.1.0+ compatibility

Fix preprocessor conditionals for OpenSSL version checks in SSL setup functions
m3hm3t/pg18_support
Mehmet Yilmaz 2025-05-14 12:18:34 +00:00
parent b8fb6dbf37
commit 41f2df8832
2 changed files with 26 additions and 7 deletions


@ -2970,11 +2970,11 @@ DeleteNodeRow(char *nodeName, int32 nodePort)
/* PG 18+ adds a bool “deferrable_ok” parameter */
Relation replicaIndex =
index_open(RelationGetPrimaryKeyIndex(pgDistNode, false),
RowExclusiveLock);
AccessShareLock);
#else
Relation replicaIndex =
index_open(RelationGetPrimaryKeyIndex(pgDistNode),
RowExclusiveLock);
AccessShareLock);
#endif
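Review bot: The lock mode passed to `index_open()` is shown as both `RowExclusiveLock` and `AccessShareLock` in each preprocessor branch, but the commit message covers only OpenSSL and no comment explains the lock choice. Assuming `AccessShareLock` is the new value, a comment above the `#if` would record the reasoning, for example `/* AccessShareLock: the primary-key index is only read while the node row is deleted */`; confirm the wording against what the delete call that follows actually requires. Because a lock-level change affects concurrency behaviour, it would be easier to audit or revert as its own commit. `DeleteNodeRow` begins and ends outside this hunk.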


@ -239,18 +239,28 @@ CreateCertificatesWhenNeeded()
SSL_CTX *sslContext = NULL;
/*
* Since postgres might not have initialized ssl at this point we need to initialize
* it our self to be able to create a context. This code is less extensive then
* postgres' initialization but that will happen when postgres reloads its
* configuration with ssl enabled.
* Ensure the OpenSSL library is initialized so we can create our SSL context.
* On OpenSSL 1.1.0 we call OPENSSL_init_ssl() (which also loads the default
* config), and on older versions we fall back to SSL_library_init().
* PostgreSQL itself will perform its full SSL setup when it reloads
* its configuration with ssl enabled.
*/
#ifdef HAVE_OPENSSL_INIT_SSL
#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L
/* OpenSSL 1.1.0+ */
OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
#else
/* OpenSSL < 1.1.0 */
SSL_library_init();
#endif
#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L
sslContext = SSL_CTX_new(TLS_method());
#else
sslContext = SSL_CTX_new(SSLv23_method());
#endif
if (!sslContext)
{
ereport(WARNING, (errmsg("unable to create ssl context, please verify ssl "
@ -379,8 +389,17 @@ CreateCertificate(EVP_PKEY *privateKey)
* would fail right after an upgrade. Instead of working until the certificate
* expiration date and then suddenly erroring out.
*/
#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L
/* New mutable accessors (present in 1.1, 3.x). */
X509_gmtime_adj(X509_getm_notBefore(certificate), 0);
X509_gmtime_adj(X509_getm_notAfter(certificate), 0);
#else
/* Legacy functions kept for 1.0.x compatibility. */
X509_gmtime_adj(X509_get_notBefore(certificate), 0);
X509_gmtime_adj(X509_get_notAfter(certificate), 0);
#endif
/* Set the public key for our certificate */
X509_set_pubkey(certificate, privateKey);
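Review bot: The title raises the minimum OpenSSL version to 1.1.1, yet `CreateCertificatesWhenNeeded` and `CreateCertificate` both keep `#else` branches for older releases (`SSL_library_init()`, `SSLv23_method()`, `X509_get_notBefore`/`X509_get_notAfter`), so a build against an unsupported library would still compile silently. If 1.1.1 really is the floor, enforce it once at the top of the file with `#if OPENSSL_VERSION_NUMBER < 0x10101000L` / `#error "OpenSSL 1.1.1 or later is required"` / `#endif`, and drop the legacy branches. The rewritten comment ("On OpenSSL 1.1.0 we call ... on older versions we fall back") should then describe only the `OPENSSL_init_ssl()` path. Separately, the return value of `OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL)` is discarded; it returns 0 on failure, so checking it and emitting the same WARNING as the `!sslContext` path would make an initialization failure visible. Both functions begin and end outside the hunks shown.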