On Sun, Sep 11, 2022 at 6:55 AM Sebastien Flaesch <sebastien.flaesch@xxxxxxx> wrote: > > The PostgreSQL doc says that if the application code is initializing OpenSSL, it should tell PostgreSQL libpq client library that OpenSSL initialization is already done: > > https://www.postgresql.org/docs/14/libpq-ssl.html#LIBPQ-SSL-INITIALIZE > > I was wondering if this is still true with OpenSSL 1.1.0+ > > The APIs to initialize OpenSSL are OPENSSL_init_ssl() or OPENSSL_init_crypto(). > > According to the OpenSSL doc, version 1.1.0 initializes itself automatically when calling other APIs ... > > https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_init_ssl.html > > As of version 1.1.0 OpenSSL will automatically allocate all resources that it needs so no explicit initialisation is required. Similarly it will also automatically deinitialise as required. > > So, is a call to PQinitOpenSSL(0, 0) still needed? > > I did some test with our application, and I could establish a TLS/SSL connection using server and client certificates. > > What can go wrong in fact? > > Can someone give me a hint, so I can prove that we really need to call PQinitOpenSSL(0,0)? > > Note: Our application is for now single-threaded. > > OpenSSL doc also states: > > However, there may be situations when explicit initialisation is desirable or needed, for example when some nondefault initialisation is required. > > If our application would requires nondefault initialization, I assume that PostgreSQL openssl usage will implicitly inherit the OpenSSL seetings of our application, right? > > Can this be an issue for PostgreSQL, or can both just share the same OpenSSL settings/config? For the OpenSSL side of things, then see https://wiki.openssl.org/index.php/Library_Initialization . Jeff
