Commit 3d462f08 authored by Peter Eisentraut's avatar Peter Eisentraut

Fix error handling around ssl_*_protocol_version settings

In case of a reload, we just want to LOG errors instead of FATAL when
processing SSL configuration, but the more recent code for the
ssl_*_protocol_version settings didn't behave like that.

Author: Daniel Gustafsson <daniel@yesql.se>
Reviewed-by: default avatarMichael Paquier <michael@paquier.xyz>
parent 08d25d78
...@@ -67,7 +67,8 @@ static bool SSL_initialized = false; ...@@ -67,7 +67,8 @@ static bool SSL_initialized = false;
static bool dummy_ssl_passwd_cb_called = false; static bool dummy_ssl_passwd_cb_called = false;
static bool ssl_is_server_start; static bool ssl_is_server_start;
static int ssl_protocol_version_to_openssl(int v, const char *guc_name); static int ssl_protocol_version_to_openssl(int v, const char *guc_name,
int loglevel);
#ifndef SSL_CTX_set_min_proto_version #ifndef SSL_CTX_set_min_proto_version
static int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version); static int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version);
static int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version); static int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version);
...@@ -190,13 +191,24 @@ be_tls_init(bool isServerStart) ...@@ -190,13 +191,24 @@ be_tls_init(bool isServerStart)
} }
if (ssl_min_protocol_version) if (ssl_min_protocol_version)
SSL_CTX_set_min_proto_version(context, {
ssl_protocol_version_to_openssl(ssl_min_protocol_version, int ssl_ver = ssl_protocol_version_to_openssl(ssl_min_protocol_version,
"ssl_min_protocol_version")); "ssl_min_protocol_version",
isServerStart ? FATAL : LOG);
if (ssl_ver == -1)
goto error;
SSL_CTX_set_min_proto_version(context, ssl_ver);
}
if (ssl_max_protocol_version) if (ssl_max_protocol_version)
SSL_CTX_set_max_proto_version(context, {
ssl_protocol_version_to_openssl(ssl_max_protocol_version, int ssl_ver = ssl_protocol_version_to_openssl(ssl_max_protocol_version,
"ssl_max_protocol_version")); "ssl_max_protocol_version",
isServerStart ? FATAL : LOG);
if (ssl_ver == -1)
goto error;
SSL_CTX_set_max_proto_version(context, ssl_ver);
}
/* disallow SSL session tickets */ /* disallow SSL session tickets */
#ifdef SSL_OP_NO_TICKET /* added in OpenSSL 0.9.8f */ #ifdef SSL_OP_NO_TICKET /* added in OpenSSL 0.9.8f */
...@@ -1258,11 +1270,12 @@ X509_NAME_to_cstring(X509_NAME *name) ...@@ -1258,11 +1270,12 @@ X509_NAME_to_cstring(X509_NAME *name)
* guc.c independent of OpenSSL availability and version. * guc.c independent of OpenSSL availability and version.
* *
* If a version is passed that is not supported by the current OpenSSL * If a version is passed that is not supported by the current OpenSSL
* version, then we throw an error, so that subsequent code can assume it's * version, then we log with the given loglevel and return (if we return) -1.
* working with a supported version. * If a nonnegative value is returned, subsequent code can assume it's working
* with a supported version.
*/ */
static int static int
ssl_protocol_version_to_openssl(int v, const char *guc_name) ssl_protocol_version_to_openssl(int v, const char *guc_name, int loglevel)
{ {
switch (v) switch (v)
{ {
...@@ -1292,7 +1305,7 @@ ssl_protocol_version_to_openssl(int v, const char *guc_name) ...@@ -1292,7 +1305,7 @@ ssl_protocol_version_to_openssl(int v, const char *guc_name)
error: error:
pg_attribute_unused(); pg_attribute_unused();
ereport(ERROR, ereport(loglevel,
(errmsg("%s setting %s not supported by this build", (errmsg("%s setting %s not supported by this build",
guc_name, guc_name,
GetConfigOption(guc_name, false, false)))); GetConfigOption(guc_name, false, false))));
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment