Add bound checks for ssl_min_protocol_version and ssl_max_protocol_version
Michael Paquier <michael@paquier.xyz>
Add bound checks for ssl_min_protocol_version and ssl_max_protocol_version Mixing incorrect bounds in the SSL context leads to confusing error messages generated by OpenSSL which are hard to act on. New range checks are added when both min/max parameters are loaded in the context of a SSL reload to improve the error reporting. Note that this does not make use of the GUC hook machinery contrary to 41aadee, as there is no way to ensure a consistent range check (except if there is a way one day to define range types for GUC parameters?). Hence, this patch applies only to OpenSSL, and uses a logic similar to other parameters to trigger an error when reloading the SSL context in a session. Author: Michael Paquier Reviewed-by: Daniel Gustafsson Discussion: https://postgr.es/m/20200114035420.GE1515@paquier.xyz
Files
| Path | Change | +/− |
|---|---|---|
| src/backend/libpq/be-secure-openssl.c | modified | +45 −20 |
| src/test/ssl/t/001_ssltests.pl | modified | +17 −1 |
Discussion
- Improve errors when setting incorrect bounds for SSL protocols 15 messages · 2020-01-14 → 2020-04-30