El Capitan Removes OpenSSL Headers

Started by David E. Wheeler about 10 years ago, 12 messages
#1 David E. Wheeler
david@justatheory.com
1 attachment(s)

Hackers,

Looks like Mac OS X 10.11 El Capitan has removed the OpenSSL header files. They recommend building your own or using native OS X SDKs, like Secure Transport:

http://lists.apple.com/archives/macnetworkprog/2015/Jun/msg00025.html

I don’t suppose anyone has looked at what it would take to get PostgreSQL to use Secure Transport, right? Here are the docs:

https://developer.apple.com/library/ios/documentation/Security/Reference/secureTransportRef/index.html

If it’s not feasible, those of us who need SSL connections on OS X will just have to build OpenSSL ourselves (or install from Homebrew or MacPorts).

David

#2 Tom Lane
tgl@sss.pgh.pa.us
In reply to: David E. Wheeler (#1)
Re: El Capitan Removes OpenSSL Headers

"David E. Wheeler" <david@justatheory.com> writes:

Looks like Mac OS X 10.11 El Capitan has removed the OpenSSL header files. They recommend building your own or using native OS X SDKs, like Secure Transport:
http://lists.apple.com/archives/macnetworkprog/2015/Jun/msg00025.html

That's annoying.

I don’t suppose anyone has looked at what it would take to get PostgreSQL to use Secure Transport, right?

This is going to put a bit more urgency into the project Heikki had been
working on to allow use of more than one SSL implementation. I can't
really see us back-porting that, though, which is going to leave things
in a fairly nasty place for all pre-9.6 branches ...

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

#3 Robert Haas
robertmhaas@gmail.com
In reply to: Tom Lane (#2)
Re: El Capitan Removes OpenSSL Headers

On Tue, Dec 1, 2015 at 2:56 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:

"David E. Wheeler" <david@justatheory.com> writes:

Looks like Mac OS X 10.11 El Capitan has removed the OpenSSL header files. They recommend building your own or using native OS X SDKs, like Secure Transport:
http://lists.apple.com/archives/macnetworkprog/2015/Jun/msg00025.html

That's annoying.

I don’t suppose anyone has looked at what it would take to get PostgreSQL to use Secure Transport, right?

This is going to put a bit more urgency into the project Heikki had been
working on to allow use of more than one SSL implementation. I can't
really see us back-porting that, though, which is going to leave things
in a fairly nasty place for all pre-9.6 branches ...

I think it'd be great to finish that project, but having to use
MacPorts to install the headers isn't really a big deal, is it?

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company


#4 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Robert Haas (#3)
Re: El Capitan Removes OpenSSL Headers

Robert Haas <robertmhaas@gmail.com> writes:

On Tue, Dec 1, 2015 at 2:56 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:

"David E. Wheeler" <david@justatheory.com> writes:

I don’t suppose anyone has looked at what it would take to get PostgreSQL to use Secure Transport, right?

This is going to put a bit more urgency into the project Heikki had been
working on to allow use of more than one SSL implementation. I can't
really see us back-porting that, though, which is going to leave things
in a fairly nasty place for all pre-9.6 branches ...

I think it'd be great to finish that project, but having to use
MacPorts to install the headers isn't really a big deal, is it?

Well, you'd have to use MacPorts' version of the openssl libraries,
too, since there'd be no certainty that their headers match the
Apple-provided libraries (in fact, I'd bet a lot that they don't).
This would be a pain if you wanted to put your compiled PG executables
on some other Mac.

regards, tom lane


#5 Magnus Hagander
magnus@hagander.net
In reply to: Tom Lane (#4)
Re: El Capitan Removes OpenSSL Headers

On Tue, Dec 1, 2015 at 9:14 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:

Robert Haas <robertmhaas@gmail.com> writes:

On Tue, Dec 1, 2015 at 2:56 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:

"David E. Wheeler" <david@justatheory.com> writes:

I don’t suppose anyone has looked at what it would take to get PostgreSQL to use Secure Transport, right?

This is going to put a bit more urgency into the project Heikki had been
working on to allow use of more than one SSL implementation. I can't
really see us back-porting that, though, which is going to leave things
in a fairly nasty place for all pre-9.6 branches ...

I think it'd be great to finish that project, but having to use
MacPorts to install the headers isn't really a big deal, is it?

Well, you'd have to use MacPorts' version of the openssl libraries,
too, since there'd be no certainty that their headers match the
Apple-provided libraries (in fact, I'd bet a lot that they don't).
This would be a pain if you wanted to put your compiled PG executables
on some other Mac.

Presumably the folks who build Postgres.app and the EDB installers will
take care of that for the big majority of people though, won't they?

I agree it's something we should fix, but I'm not sure it's that urgent.
It's no different from what Windows people have been dealing with all
along, is it? And while it affects pg developers, I doubt it'll hit that
many users?

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

#6 Robert Haas
robertmhaas@gmail.com
In reply to: Tom Lane (#4)
Re: El Capitan Removes OpenSSL Headers

On Tue, Dec 1, 2015 at 3:14 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:

Robert Haas <robertmhaas@gmail.com> writes:

On Tue, Dec 1, 2015 at 2:56 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:

"David E. Wheeler" <david@justatheory.com> writes:

I don’t suppose anyone has looked at what it would take to get PostgreSQL to use Secure Transport, right?

This is going to put a bit more urgency into the project Heikki had been
working on to allow use of more than one SSL implementation. I can't
really see us back-porting that, though, which is going to leave things
in a fairly nasty place for all pre-9.6 branches ...

I think it'd be great to finish that project, but having to use
MacPorts to install the headers isn't really a big deal, is it?

Well, you'd have to use MacPorts' version of the openssl libraries,
too, since there'd be no certainty that their headers match the
Apple-provided libraries (in fact, I'd bet a lot that they don't).
This would be a pain if you wanted to put your compiled PG executables
on some other Mac.

Yeah, I guess it means that people building for MacOS X will probably
have to ship OpenSSL as a dependency, which also means that they will
need to update it when new versions are released. That is already a
pretty obnoxious disease on Windows, and it's unfortunate to see it
spreading. It would save us a good deal of staff time here at
EnterpriseDB if we didn't have to do new releases of everything on
Windows every time there is an OpenSSL update.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
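
Added example, not part of any message in this thread: a Python check for the situation described in #4 and #6, where a PostgreSQL binary built against MacPorts' OpenSSL depends on a library that another Mac will not have unless it is shipped and updated with the package. The `otool -L` listing, its paths and its version numbers are constructed for illustration, and the three category names are this example's own.

```python
import re

# Constructed sample of `otool -L` output for a psql built against
# MacPorts' OpenSSL; paths and version numbers are illustrative only.
SAMPLE_OTOOL = """\
/usr/local/pgsql/bin/psql:
\t/usr/local/pgsql/lib/libpq.5.dylib (compatibility version 5.0.0, current version 5.8.0)
\t/opt/local/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
\t/opt/local/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1226.10.1)
"""

SYSTEM_PREFIXES = ("/usr/lib/", "/System/Library/")
RELOCATABLE_PREFIXES = ("@rpath/", "@loader_path/", "@executable_path/")
# One dependency per indented line; the first (unindented) line names the binary.
DEP_LINE = re.compile(
    r"^\s+(.+) \(compatibility version ([\d.]+), current version ([\d.]+)\)$")
TLS_LIB = re.compile(r"(?:^|/)lib(?:ssl|crypto)[.\d]*\.dylib$")


def parse_otool(text):
    """Return the dependency entries listed in `otool -L` output."""
    deps = []
    for line in text.splitlines():
        m = DEP_LINE.match(line)
        if m:
            deps.append({"path": m.group(1), "compat": m.group(2),
                         "current": m.group(3)})
    return deps


def classify(path):
    """system: supplied by the OS; bundled: resolved relative to the
    binary, so it travels with the package; build-host: an absolute path
    that exists only where the build's package manager put it."""
    if path.startswith(SYSTEM_PREFIXES):
        return "system"
    if path.startswith(RELOCATABLE_PREFIXES):
        return "bundled"
    return "build-host"


def openssl_report(text):
    """Return (path, classification) for each libssl/libcrypto dependency."""
    return [(d["path"], classify(d["path"]))
            for d in parse_otool(text) if TLS_LIB.search(d["path"])]


def non_portable_openssl(text):
    """OpenSSL libraries the binary needs that another Mac will not have."""
    return [p for p, kind in openssl_report(text) if kind == "build-host"]


if __name__ == "__main__":
    for path, kind in openssl_report(SAMPLE_OTOOL):
        print(f"{kind:10s} {path}")
```

Entries reported as `bundled` are the ones a packager has to rebuild and re-release whenever OpenSSL publishes an update.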


#7 Bruce Momjian
bruce@momjian.us
In reply to: Robert Haas (#6)
Re: El Capitan Removes OpenSSL Headers

On Tue, Dec 1, 2015 at 03:35:39PM -0500, Robert Haas wrote:

Well, you'd have to use MacPorts' version of the openssl libraries,
too, since there'd be no certainty that their headers match the
Apple-provided libraries (in fact, I'd bet a lot that they don't).
This would be a pain if you wanted to put your compiled PG executables
on some other Mac.

Yeah, I guess it means that people building for MacOS X will probably
have to ship OpenSSL as a dependency, which also means that they will
need to update it when new versions are released. That is already a
pretty obnoxious disease on Windows, and it's unfortunate to see it
spreading. It would save us a good deal of staff time here at
EnterpriseDB if we didn't have to do new releases of everything on
Windows every time there is an OpenSSL update.

Do we still have licensing issues if we ship Postgres and OpenSSL
together?

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ As you are, so once was I. As I am, so you will be. +
+ Roman grave inscription                             +


#8 Alvaro Herrera
alvherre@2ndquadrant.com
In reply to: Bruce Momjian (#7)
Re: El Capitan Removes OpenSSL Headers

Bruce Momjian wrote:

Do we still have licensing issues if we ship Postgres and OpenSSL
together?

See
/messages/by-id/20150801151410.GA28344@awork2.anarazel.de

--
Álvaro Herrera http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services


#9 Bruce Momjian
bruce@momjian.us
In reply to: Alvaro Herrera (#8)
Re: El Capitan Removes OpenSSL Headers

On Tue, Dec 1, 2015 at 06:40:09PM -0300, Alvaro Herrera wrote:

Bruce Momjian wrote:

Do we still have licensing issues if we ship Postgres and OpenSSL
together?

See
/messages/by-id/20150801151410.GA28344@awork2.anarazel.de

True, but the current license is unchanged and has the advertising
clause, which I think we have to honor if we ship OpenSSL:

https://www.openssl.org/source/license.html

I assume Windows has to ship OpenSSL with the installer and has to abide
by this, for example. OSX might have to do the same. It might be good
to see what we do for Windows packages.

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ As you are, so once was I. As I am, so you will be. +
+ Roman grave inscription                             +


#10 Dave Page
dpage@pgadmin.org
In reply to: Bruce Momjian (#9)
Re: El Capitan Removes OpenSSL Headers

On Tue, Dec 1, 2015 at 9:55 PM, Bruce Momjian <bruce@momjian.us> wrote:

On Tue, Dec 1, 2015 at 06:40:09PM -0300, Alvaro Herrera wrote:

Bruce Momjian wrote:

Do we still have licensing issues if we ship Postgres and OpenSSL
together?

See
/messages/by-id/20150801151410.GA28344@awork2.anarazel.de

True, but the current license is unchanged and has the advertising
clause, which I think we have to honor if we ship OpenSSL:

https://www.openssl.org/source/license.html

I assume Windows has to ship OpenSSL with the installer and has to abide
by this, for example. OSX might have to do the same. It might be good
to see what we do for Windows packages.

We already do it for all our installers - Windows, OSX and Linux. We
have to, otherwise we wouldn't be able to ensure the same binaries
would run on all the different supported versions.

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company


#11 Bruce Momjian
bruce@momjian.us
In reply to: Dave Page (#10)
Re: El Capitan Removes OpenSSL Headers

On Wed, Dec 2, 2015 at 08:53:07AM +0000, Dave Page wrote:

On Tue, Dec 1, 2015 at 9:55 PM, Bruce Momjian <bruce@momjian.us> wrote:

On Tue, Dec 1, 2015 at 06:40:09PM -0300, Alvaro Herrera wrote:

Bruce Momjian wrote:

Do we still have licensing issues if we ship Postgres and OpenSSL
together?

See
/messages/by-id/20150801151410.GA28344@awork2.anarazel.de

True, but the current license is unchanged and has the advertising
clause, which I think we have to honor if we ship OpenSSL:

https://www.openssl.org/source/license.html

I assume Windows has to ship OpenSSL with the installer and has to abide
by this, for example. OSX might have to do the same. It might be good
to see what we do for Windows packages.

We already do it for all our installers - Windows, OSX and Linux. We
have to, otherwise we wouldn't be able to ensure the same binaries
would run on all the different supported versions.

OK, good. So the Mac installers would have to do the same thing if they
also start shipping OpenSSL too.

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ As you are, so once was I. As I am, so you will be. +
+ Roman grave inscription                             +


#12 Dave Page
dpage@pgadmin.org
In reply to: Bruce Momjian (#11)
Re: El Capitan Removes OpenSSL Headers

On Wed, Dec 2, 2015 at 1:06 PM, Bruce Momjian <bruce@momjian.us> wrote:

On Wed, Dec 2, 2015 at 08:53:07AM +0000, Dave Page wrote:

On Tue, Dec 1, 2015 at 9:55 PM, Bruce Momjian <bruce@momjian.us> wrote:

On Tue, Dec 1, 2015 at 06:40:09PM -0300, Alvaro Herrera wrote:

Bruce Momjian wrote:

Do we still have licensing issues if we ship Postgres and OpenSSL
together?

See
/messages/by-id/20150801151410.GA28344@awork2.anarazel.de

True, but the current license is unchanged and has the advertising
clause, which I think we have to honor if we ship OpenSSL:

https://www.openssl.org/source/license.html

I assume Windows has to ship OpenSSL with the installer and has to abide
by this, for example. OSX might have to do the same. It might be good
to see what we do for Windows packages.

We already do it for all our installers - Windows, OSX and Linux. We
have to, otherwise we wouldn't be able to ensure the same binaries
would run on all the different supported versions.

OK, good. So the Mac installers would have to do the same thing if they
also start shipping OpenSSL too.

OSX == Mac.

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
