Re: Improve errors when setting incorrect bounds for SSL protocols
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Michael Paquier <michael@paquier.xyz>
Cc: Daniel Gustafsson <daniel@yesql.se>,
Postgres hackers <pgsql-hackers@lists.postgresql.org>
Date: 2020-02-06T19:04:53Z
Lists: pgsql-hackers
Michael Paquier <michael@paquier.xyz> writes: > On Thu, Jan 16, 2020 at 10:00:52AM +0900, Michael Paquier wrote: >> Thanks for the review. Let's wait a couple of days to see if others >> have objections or more comments about this patch, but I'd like to >> fix the issue and backpatch down to 12 where the parameters have been >> introduced. > And committed. I just happened to look at this patch while working on the release notes. I think this is a bad idea and very probably creates worse problems than it fixes. As we have learned painfully in the past, you can't have GUC check or assign hooks that look at other GUC variables, because that creates order-of-operations problems. If a postgresql.conf update is trying to change both values (hardly an unlikely scenario, for this pair of variables) then the checks are going to be comparing against the old values of the other variables, leading to either incorrect rejections of valid states or incorrect acceptances of invalid states. It's pure accident that the particular cases tested in the regression tests behave sanely. I think this should be reverted. Perhaps there's a way to do it without these problems, but we failed to find one in the past. regards, tom lane
Commits
-
Fix check for conflicting SSL min/max protocol settings
- e30b0b5cfaeb 13.0 landed
-
Add bound checks for ssl_min_protocol_version and ssl_max_protocol_version
- 79dfa8afb296 13.0 landed
-
Revert "Add GUC checks for ssl_min_protocol_version and ssl_max_protocol_version"
- 2f4733993a96 12.2 landed
- 414c2fd1e1c0 13.0 landed
-
Add GUC checks for ssl_min_protocol_version and ssl_max_protocol_version
- ac2dcca5dfe6 12.2 landed
- 41aadeeb124e 13.0 landed