Re: Improve errors when setting incorrect bounds for SSL protocols

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: Postgres hackers <pgsql-hackers@lists.postgresql.org>
Cc: Michael Paquier <michael@paquier.xyz>
Date: 2020-04-29T11:57:49Z
Lists: pgsql-hackers

Attachments

Working in the TLS corners of the backend, I found while re-reviewing and
re-testing for the release that this patch actually was a small, but vital,
brick shy of a load.  The error handling is always invoked due to a set of
missing braces.  Going into the check will cause the context to be freed and
be_tls_open_server error out.  The tests added narrowly escapes it by not
setting the max version in the final test, but I'm not sure it's worth changing
that now as not setting a value is an interesting testcase too.  Sorry for
missing that at the time of reviewing.

cheers ./daniel

Commits

  1. Fix check for conflicting SSL min/max protocol settings

  2. Add bound checks for ssl_min_protocol_version and ssl_max_protocol_version

  3. Revert "Add GUC checks for ssl_min_protocol_version and ssl_max_protocol_version"

  4. Add GUC checks for ssl_min_protocol_version and ssl_max_protocol_version