Re: Improve errors when setting incorrect bounds for SSL protocols
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: Michael Paquier <michael@paquier.xyz>
Cc: Postgres hackers <pgsql-hackers@lists.postgresql.org>
Date: 2020-04-30T07:51:06Z
Lists: pgsql-hackers
> On 30 Apr 2020, at 01:14, Michael Paquier <michael@paquier.xyz> wrote: > > On Wed, Apr 29, 2020 at 01:57:49PM +0200, Daniel Gustafsson wrote: >> Working in the TLS corners of the backend, I found while re-reviewing and >> re-testing for the release that this patch actually was a small, but vital, >> brick shy of a load. The error handling is always invoked due to a set of >> missing braces. Going into the check will cause the context to be freed and >> be_tls_open_server error out. The tests added narrowly escapes it by not >> setting the max version in the final test, but I'm not sure it's worth changing >> that now as not setting a value is an interesting testcase too. Sorry for >> missing that at the time of reviewing. > > Good catch, fixed. We would still have keep around the SSL old > context if both bounds were set. Testing this case would mean one > extra full restart of the server, and I am not sure either if that's > worth the extra cost here. Agreed. I don't think the cost is warranted given the low probability of new errors around here, so I think the commit as it stands is sufficient. Thanks. cheers ./daniel
Commits
-
Fix check for conflicting SSL min/max protocol settings
- e30b0b5cfaeb 13.0 landed
-
Add bound checks for ssl_min_protocol_version and ssl_max_protocol_version
- 79dfa8afb296 13.0 landed
-
Revert "Add GUC checks for ssl_min_protocol_version and ssl_max_protocol_version"
- 2f4733993a96 12.2 landed
- 414c2fd1e1c0 13.0 landed
-
Add GUC checks for ssl_min_protocol_version and ssl_max_protocol_version
- ac2dcca5dfe6 12.2 landed
- 41aadeeb124e 13.0 landed