Re: Improve errors when setting incorrect bounds for SSL protocols

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Michael Paquier <michael@paquier.xyz>, Postgres hackers <pgsql-hackers@lists.postgresql.org>
Date: 2020-02-06T22:30:40Z
Lists: pgsql-hackers
> On 6 Feb 2020, at 20:04, Tom Lane <tgl@sss.pgh.pa.us> wrote:

> I think this should be reverted.  Perhaps there's a way to do it without
> these problems, but we failed to find one in the past.

Or change to the v1 patch in this thread, which avoids the problem by doing it
in the OpenSSL code.  It's a shame to have generic TLS functionality be OpenSSL
specific when everything else TLS has been abstracted, but not working is
clearly a worse option.

cheers ./daniel


Commits

  1. Fix check for conflicting SSL min/max protocol settings

  2. Add bound checks for ssl_min_protocol_version and ssl_max_protocol_version

  3. Revert "Add GUC checks for ssl_min_protocol_version and ssl_max_protocol_version"

  4. Add GUC checks for ssl_min_protocol_version and ssl_max_protocol_version