Re: Improve errors when setting incorrect bounds for SSL protocols
Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
From: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
To: Michael Paquier <michael@paquier.xyz>, Daniel Gustafsson <daniel@yesql.se>
Cc: Postgres hackers <pgsql-hackers@lists.postgresql.org>
Date: 2020-01-20T08:11:30Z
Lists: pgsql-hackers
On 2020-01-15 03:28, Michael Paquier wrote: > Good points. And the get routines are not that portable in OpenSSL > either even if HEAD supports 1.0.1 and newer versions... Attached is > an updated patch which uses a GUC check for both parameters, and > provides a hint on top of the original error message. The SSL context > does not get reloaded if there is an error, so the errors from OpenSSL > cannot be triggered as far as I checked (after mixing a couple of > corrent and incorrect combinations manually). The reason this wasn't done originally is that it is not correct to have GUC check hooks that refer to other GUC variables, because otherwise you get inconsistent behavior depending on the order of processing of the assignments. In this case, I think it would work because you have symmetric checks for both variables, but in general it is a problematic strategy. -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Commits
-
Fix check for conflicting SSL min/max protocol settings
- e30b0b5cfaeb 13.0 landed
-
Add bound checks for ssl_min_protocol_version and ssl_max_protocol_version
- 79dfa8afb296 13.0 landed
-
Revert "Add GUC checks for ssl_min_protocol_version and ssl_max_protocol_version"
- 2f4733993a96 12.2 landed
- 414c2fd1e1c0 13.0 landed
-
Add GUC checks for ssl_min_protocol_version and ssl_max_protocol_version
- ac2dcca5dfe6 12.2 landed
- 41aadeeb124e 13.0 landed