Rename connection parameters to control min/max SSL protocol version in libpq

The libpq parameters ssl{max|min}protocolversion are renamed to use underscores, to become ssl_{max|min}_protocol_version. The related environment variables still use the names introduced in commit ff8ca5fa that added the feature. Per complaint from Peter Eisentraut (this was also mentioned by me in the original patch review but the issue got discarded). Author: Daniel Gustafsson Reviewed-by: Peter Eisentraut, Michael Paquier Discussion: https://postgr.es/m/b319e449-318d-e691-4997-1327e166fcc4@2ndquadrant.com

Rename connection parameters to control min/max SSL protocol version in libpq
The libpq parameters ssl{max|min}protocolversion are renamed to use underscores, to become ssl_{max|min}_protocol_version. The related environment variables still use the names introduced in commit ff8ca5fa that added the feature. Per complaint from Peter Eisentraut (this was also mentioned by me in the original patch review but the issue got discarded). Author: Daniel Gustafsson Reviewed-by: Peter Eisentraut, Michael Paquier Discussion: https://postgr.es/m/b319e449-318d-e691-4997-1327e166fcc4@2ndquadrant.com
401aad67 · Michael Paquier · 4ad047a6 · 401aad67 · 401aad67 · 401aad67
Commit 401aad67 authored Apr 30, 2020 by Michael Paquier
6 changed files
--- a/contrib/postgres_fdw/expected/postgres_fdw.out
+++ b/contrib/postgres_fdw/expected/postgres_fdw.out
@@ -8898,7 +8898,7 @@ DO $d$
    END;
 $d$;
 ERROR:  invalid option "password"
-HINT:  Valid options in this context are: service, passfile, channel_binding, connect_timeout, dbname, host, hostaddr, port, options, application_name, keepalives, keepalives_idle, keepalives_interval, keepalives_count, tcp_user_timeout, sslmode, sslcompression, sslcert, sslkey, sslrootcert, sslcrl, requirepeer, sslminprotocolversion, sslmaxprotocolversion, gssencmode, krbsrvname, gsslib, target_session_attrs, use_remote_estimate, fdw_startup_cost, fdw_tuple_cost, extensions, updatable, fetch_size
+HINT:  Valid options in this context are: service, passfile, channel_binding, connect_timeout, dbname, host, hostaddr, port, options, application_name, keepalives, keepalives_idle, keepalives_interval, keepalives_count, tcp_user_timeout, sslmode, sslcompression, sslcert, sslkey, sslrootcert, sslcrl, requirepeer, ssl_min_protocol_version, ssl_max_protocol_version, gssencmode, krbsrvname, gsslib, target_session_attrs, use_remote_estimate, fdw_startup_cost, fdw_tuple_cost, extensions, updatable, fetch_size
 CONTEXT:  SQL statement "ALTER SERVER loopback_nopw OPTIONS (ADD password 'dummypw')"
 PL/pgSQL function inline_code_block line 3 at EXECUTE
 -- If we add a password for our user mapping instead, we should get a different

--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1736,8 +1736,8 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
      </listitem>
     </varlistentry>

-     <varlistentry id="libpq-connect-sslminprotocolversion" xreflabel="sslminprotocolversion">
-      <term><literal>sslminprotocolversion</literal></term>
+     <varlistentry id="libpq-connect-ssl-min-protocol-version" xreflabel="ssl_min_protocol_version">
+      <term><literal>ssl_min_protocol_version</literal></term>
      <listitem>
       <para>
        This parameter specifies the minimum SSL/TLS protocol version to allow
@@ -1752,8 +1752,8 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
      </listitem>
     </varlistentry>

-     <varlistentry id="libpq-connect-sslmaxprotocolversion" xreflabel="sslmaxprotocolversion">
-      <term><literal>sslmaxprotocolversion</literal></term>
+     <varlistentry id="libpq-connect-ssl-max-protocol-version" xreflabel="ssl_max_protocol_version">
+      <term><literal>ssl_max_protocol_version</literal></term>
      <listitem>
       <para>
        This parameter specifies the maximum SSL/TLS protocol version to allow
@@ -7164,7 +7164,7 @@ myEventProc(PGEventId evtId, void *evtInfo, void *passThrough)
       <primary><envar>PGSSLMINPROTOCOLVERSION</envar></primary>
      </indexterm>
      <envar>PGSSLMINPROTOCOLVERSION</envar> behaves the same as the <xref
-      linkend="libpq-connect-sslminprotocolversion"/> connection parameter.
+      linkend="libpq-connect-ssl-min-protocol-version"/> connection parameter.
     </para>
    </listitem>

@@ -7174,7 +7174,7 @@ myEventProc(PGEventId evtId, void *evtInfo, void *passThrough)
       <primary><envar>PGSSLMAXPROTOCOLVERSION</envar></primary>
      </indexterm>
      <envar>PGSSLMAXPROTOCOLVERSION</envar> behaves the same as the <xref
-      linkend="libpq-connect-sslminprotocolversion"/> connection parameter.
+      linkend="libpq-connect-ssl-min-protocol-version"/> connection parameter.
     </para>
    </listitem>


--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -320,13 +320,13 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
 		"Require-Peer", "", 10,
 	offsetof(struct pg_conn, requirepeer)},

-	{"sslminprotocolversion", "PGSSLMINPROTOCOLVERSION", NULL, NULL,
+	{"ssl_min_protocol_version", "PGSSLMINPROTOCOLVERSION", NULL, NULL,
 		"SSL-Minimum-Protocol-Version", "", 8,	/* sizeof("TLSv1.x") == 8 */
-	offsetof(struct pg_conn, sslminprotocolversion)},
+	offsetof(struct pg_conn, ssl_min_protocol_version)},

-	{"sslmaxprotocolversion", "PGSSLMAXPROTOCOLVERSION", NULL, NULL,
+	{"ssl_max_protocol_version", "PGSSLMAXPROTOCOLVERSION", NULL, NULL,
 		"SSL-Maximum-Protocol-Version", "", 8,	/* sizeof("TLSv1.x") == 8 */
-	offsetof(struct pg_conn, sslmaxprotocolversion)},
+	offsetof(struct pg_conn, ssl_max_protocol_version)},

 	/*
 	 * As with SSL, all GSS options are exposed even in builds that don't have
@@ -1301,23 +1301,23 @@ connectOptions2(PGconn *conn)
 	}

 	/*
-	 * Validate TLS protocol versions for sslminprotocolversion and
-	 * sslmaxprotocolversion.
+	 * Validate TLS protocol versions for ssl_min_protocol_version and
+	 * ssl_max_protocol_version.
 	 */
-	if (!sslVerifyProtocolVersion(conn->sslminprotocolversion))
+	if (!sslVerifyProtocolVersion(conn->ssl_min_protocol_version))
 	{
 		conn->status = CONNECTION_BAD;
 		printfPQExpBuffer(&conn->errorMessage,
-						  libpq_gettext("invalid sslminprotocolversion value: \"%s\"\n"),
-						  conn->sslminprotocolversion);
+						  libpq_gettext("invalid ssl_min_protocol_version value: \"%s\"\n"),
+						  conn->ssl_min_protocol_version);
 		return false;
 	}
-	if (!sslVerifyProtocolVersion(conn->sslmaxprotocolversion))
+	if (!sslVerifyProtocolVersion(conn->ssl_max_protocol_version))
 	{
 		conn->status = CONNECTION_BAD;
 		printfPQExpBuffer(&conn->errorMessage,
-						  libpq_gettext("invalid sslmaxprotocolversion value: \"%s\"\n"),
-						  conn->sslmaxprotocolversion);
+						  libpq_gettext("invalid ssl_max_protocol_version value: \"%s\"\n"),
+						  conn->ssl_max_protocol_version);
 		return false;
 	}

@@ -1328,8 +1328,8 @@ connectOptions2(PGconn *conn)
 	 * already-built SSL context when the connection is being established, as
 	 * it would be doomed anyway.
 	 */
-	if (!sslVerifyProtocolRange(conn->sslminprotocolversion,
-								conn->sslmaxprotocolversion))
+	if (!sslVerifyProtocolRange(conn->ssl_min_protocol_version,
+								conn->ssl_max_protocol_version))
 	{
 		conn->status = CONNECTION_BAD;
 		printfPQExpBuffer(&conn->errorMessage,
@@ -4046,10 +4046,10 @@ freePGconn(PGconn *conn)
 		free(conn->sslcompression);
 	if (conn->requirepeer)
 		free(conn->requirepeer);
-	if (conn->sslminprotocolversion)
-		free(conn->sslminprotocolversion);
-	if (conn->sslmaxprotocolversion)
-		free(conn->sslmaxprotocolversion);
+	if (conn->ssl_min_protocol_version)
+		free(conn->ssl_min_protocol_version);
+	if (conn->ssl_max_protocol_version)
+		free(conn->ssl_max_protocol_version);
 	if (conn->gssencmode)
 		free(conn->gssencmode);
 	if (conn->krbsrvname)
@@ -7120,7 +7120,7 @@ pgpassfileWarning(PGconn *conn)
 /*
 * Check if the SSL procotol value given in input is valid or not.
 * This is used as a sanity check routine for the connection parameters
- * sslminprotocolversion and sslmaxprotocolversion.
+ * ssl_min_protocol_version and ssl_max_protocol_version.
 */
 static bool
 sslVerifyProtocolVersion(const char *version)

--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -842,18 +842,18 @@ initialize_SSL(PGconn *conn)
 	SSL_CTX_set_options(SSL_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);

 	/* Set the minimum and maximum protocol versions if necessary */
-	if (conn->sslminprotocolversion &&
-		strlen(conn->sslminprotocolversion) != 0)
+	if (conn->ssl_min_protocol_version &&
+		strlen(conn->ssl_min_protocol_version) != 0)
 	{
 		int			ssl_min_ver;

-		ssl_min_ver = ssl_protocol_version_to_openssl(conn->sslminprotocolversion);
+		ssl_min_ver = ssl_protocol_version_to_openssl(conn->ssl_min_protocol_version);

 		if (ssl_min_ver == -1)
 		{
 			printfPQExpBuffer(&conn->errorMessage,
 							  libpq_gettext("invalid value \"%s\" for minimum version of SSL protocol\n"),
-							  conn->sslminprotocolversion);
+							  conn->ssl_min_protocol_version);
 			SSL_CTX_free(SSL_context);
 			return -1;
 		}
@@ -871,18 +871,18 @@ initialize_SSL(PGconn *conn)
 		}
 	}

-	if (conn->sslmaxprotocolversion &&
-		strlen(conn->sslmaxprotocolversion) != 0)
+	if (conn->ssl_max_protocol_version &&
+		strlen(conn->ssl_max_protocol_version) != 0)
 	{
 		int			ssl_max_ver;

-		ssl_max_ver = ssl_protocol_version_to_openssl(conn->sslmaxprotocolversion);
+		ssl_max_ver = ssl_protocol_version_to_openssl(conn->ssl_max_protocol_version);

 		if (ssl_max_ver == -1)
 		{
 			printfPQExpBuffer(&conn->errorMessage,
 							  libpq_gettext("invalid value \"%s\" for maximum version of SSL protocol\n"),
-							  conn->sslmaxprotocolversion);
+							  conn->ssl_max_protocol_version);
 			SSL_CTX_free(SSL_context);
 			return -1;
 		}

--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -367,8 +367,8 @@ struct pg_conn
 	char	   *krbsrvname;		/* Kerberos service name */
 	char	   *gsslib;			/* What GSS library to use ("gssapi" or
 								 * "sspi") */
-	char	   *sslminprotocolversion;	/* minimum TLS protocol version */
-	char	   *sslmaxprotocolversion;	/* maximum TLS protocol version */
+	char	   *ssl_min_protocol_version;	/* minimum TLS protocol version */
+	char	   *ssl_max_protocol_version;	/* maximum TLS protocol version */

 	/* Type of connection to make.  Possible values: any, read-write. */
 	char	   *target_session_attrs;

--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -357,22 +357,22 @@ command_like(
 # Test min/max SSL protocol versions.
 test_connect_ok(
 	$common_connstr,
-	"sslrootcert=ssl/root+server_ca.crt sslmode=require sslminprotocolversion=TLSv1.2 sslmaxprotocolversion=TLSv1.2",
+	"sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=TLSv1.2 ssl_max_protocol_version=TLSv1.2",
 	"connection success with correct range of TLS protocol versions");
 test_connect_fails(
 	$common_connstr,
-	"sslrootcert=ssl/root+server_ca.crt sslmode=require sslminprotocolversion=TLSv1.2 sslmaxprotocolversion=TLSv1.1",
+	"sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=TLSv1.2 ssl_max_protocol_version=TLSv1.1",
 	qr/invalid SSL protocol version range/,
 	"connection failure with incorrect range of TLS protocol versions");
 test_connect_fails(
 	$common_connstr,
-	"sslrootcert=ssl/root+server_ca.crt sslmode=require sslminprotocolversion=incorrect_tls",
-	qr/invalid sslminprotocolversion value/,
+	"sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=incorrect_tls",
+	qr/invalid ssl_min_protocol_version value/,
 	"connection failure with an incorrect SSL protocol minimum bound");
 test_connect_fails(
 	$common_connstr,
-	"sslrootcert=ssl/root+server_ca.crt sslmode=require sslmaxprotocolversion=incorrect_tls",
-	qr/invalid sslmaxprotocolversion value/,
+	"sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_max_protocol_version=incorrect_tls",
+	qr/invalid ssl_max_protocol_version value/,
 	"connection failure with an incorrect SSL protocol maximum bound");

 ### Server-side tests.