Improve errors when setting incorrect bounds for SSL protocols
Michael Paquier <michael@paquier.xyz>
From: Michael Paquier <michael@paquier.xyz>
To: Postgres hackers <pgsql-hackers@lists.postgresql.org>
Cc: Daniel Gustafsson <daniel@yesql.se>
Date: 2020-01-14T03:54:20Z
Lists: pgsql-hackers
Attachments
- ssl-proto-context-v1.patch (text/x-diff) patch v1
Hi all, (Daniel G. in CC.) As discussed on the thread to be able to set the min/max SSL protocols with libpq, when mixing incorrect bounds the user experience is not that good: https://www.postgresql.org/message-id/9CFA34EE-F670-419D-B92C-CB7943A27573@yesql.se It happens that the error generated with incorrect combinations depends solely on what OpenSSL thinks is fine, and that's the following: psql: error: could not connect to server: SSL error: tlsv1 alert internal error It is hard for users to understand what such an error means and how to act on it. Please note that OpenSSL 1.1.0 has added two routines to be able to get the min/max protocols set in a context, called SSL_CTX_get_min/max_proto_version. Thinking about older versions of OpenSSL I think that it is better to use ssl_protocol_version_to_openssl to do the parsing work. I also found that it is easier to check for compatible versions after setting both bounds in the SSL context, so as there is no need to worry about invalid values depending on the build of OpenSSL used. So attached is a patch to improve the detection of incorrect combinations. Once applied, we get a complain about an incorrect version at server startup (FATAL) or reload (LOG). The patch includes new regression tests. Thoughts? -- Michael
Commits
-
Fix check for conflicting SSL min/max protocol settings
- e30b0b5cfaeb 13.0 landed
-
Add bound checks for ssl_min_protocol_version and ssl_max_protocol_version
- 79dfa8afb296 13.0 landed
-
Revert "Add GUC checks for ssl_min_protocol_version and ssl_max_protocol_version"
- 2f4733993a96 12.2 landed
- 414c2fd1e1c0 13.0 landed
-
Add GUC checks for ssl_min_protocol_version and ssl_max_protocol_version
- ac2dcca5dfe6 12.2 landed
- 41aadeeb124e 13.0 landed