Re: buildfarm server suddenly not talking to old SSL stacks?

Magnus Hagander <magnus@hagander.net> writes:
> On Tue, Jul 17, 2018 at 8:18 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> The results on dromedary are even more interesting:
>>
>> $ perl -MLWP::Simple -MLWP::Protocol::https -e 'LWP::Simple::getprint("
>> http://buildfarm.postgresql.org/branches_of_interest.txt");'
>> 500 Can't connect to buildfarm.postgresql.org:80 (No route to host) <URL:
>> http://buildfarm.postgresql.org/branches_of_interest.txt>

> Yeah, that part is super weird. Do we know if that worked before? Or has it
> been using https for a while?

It looks like I installed Perl https support on that machine on
2017-01-14, so I'd guess dromedary has been using https since then.

>> I can probably restore these machines to functionality by updating
>> whichever Perl module knows about TLS (anyone know which that is?),
>> so if you want to undo the config change, it's OK by me.  But other
>> owners of ancient buildfarm critters might be less happy about it.

> I think what you'd need is a new version of openssl.

Yeah, I'd just come to that conclusion after researching things a bit
(although it looks like IO::Socket:SSL has some relevant fixes too).

> But it might be hard to get in on all of them. Let's see if we can turn off
> the restriction for a while, and see if the other BF animals also recover.

The bigger issue here is that if we force buildfarm members to run
openssl >= x.y, I'd say that's tantamount to desupporting openssl < x.y.
Are we ready to desupport versions that don't have TLS 1.2?  I think
that might well be reasonable to do in HEAD, but I'm less enthused about
it for the back branches.