Commit3d462f0

Fix error handling around ssl_*_protocol_version settings
In case of a reload, we just want to LOG errors instead of FATAL when processing SSL configuration, but the more recent code for the ssl_*_protocol_version settings didn't behave like that.
Author: Daniel Gustafsson <daniel@yesql.se>
Reviewed-by: Michael Paquier <michael@paquier.xyz>
1 parent08d25d7 commit3d462f0


1 file changed

+24
-11
lines changed

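--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -67,7 +67,8 @@ static bool SSL_initialized = false;
 staticbooldummy_ssl_passwd_cb_called= false;
 staticboolssl_is_server_start;
 
-staticintssl_protocol_version_to_openssl(intv,constchar*guc_name);
+staticintssl_protocol_version_to_openssl(intv,constchar*guc_name,
+intloglevel);
 #ifndefSSL_CTX_set_min_proto_version
 staticintSSL_CTX_set_min_proto_version(SSL_CTX*ctx,intversion);
 staticintSSL_CTX_set_max_proto_version(SSL_CTX*ctx,intversion);
@@ -190,13 +191,24 @@ be_tls_init(bool isServerStart)
 }
 
 if (ssl_min_protocol_version)
-SSL_CTX_set_min_proto_version(context,
-ssl_protocol_version_to_openssl(ssl_min_protocol_version,
-"ssl_min_protocol_version"));
+{
+intssl_ver=ssl_protocol_version_to_openssl(ssl_min_protocol_version,
+"ssl_min_protocol_version",
+isServerStart ?FATAL :LOG);
+if (ssl_ver==-1)
+gotoerror;
+SSL_CTX_set_min_proto_version(context,ssl_ver);
+}
+
 if (ssl_max_protocol_version)
-SSL_CTX_set_max_proto_version(context,
-ssl_protocol_version_to_openssl(ssl_max_protocol_version,
-"ssl_max_protocol_version"));
+{
+intssl_ver=ssl_protocol_version_to_openssl(ssl_max_protocol_version,
+"ssl_max_protocol_version",
+isServerStart ?FATAL :LOG);
+if (ssl_ver==-1)
+gotoerror;
+SSL_CTX_set_max_proto_version(context,ssl_ver);
+}
 
 /* disallow SSL session tickets */
 #ifdefSSL_OP_NO_TICKET/* added in OpenSSL 0.9.8f */
@@ -1258,11 +1270,12 @@ X509_NAME_to_cstring(X509_NAME *name)
 * guc.c independent of OpenSSL availability and version.
 *
 * If a version is passed that is not supported by the current OpenSSL
-* version, then we throw an error, so that subsequent code can assume it's
-* working with a supported version.
+* version, then we log with the given loglevel and return (if we return) -1.
+* If a nonnegative value is returned, subsequent code can assume it's working
+* with a supported version.
 */
 staticint
-ssl_protocol_version_to_openssl(intv,constchar*guc_name)
+ssl_protocol_version_to_openssl(intv,constchar*guc_name,intloglevel)
 {
 switch (v)
 {
@@ -1292,7 +1305,7 @@ ssl_protocol_version_to_openssl(int v, const char *guc_name)
 
 error:
 pg_attribute_unused();
-ereport(ERROR,
+ereport(loglevel,
 (errmsg("%s setting %s not supported by this build",
 guc_name,
 GetConfigOption(guc_name, false, false))));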
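Review bot: The callers in be_tls_init test `if (ssl_ver==-1)` while the rewritten header comment promises only that a nonnegative return means success, so the check should mirror the documented contract rather than a single sentinel: `if (ssl_ver < 0) goto error;` in both the min and max blocks. The `return -1` that the comment describes for the LOG path sits after the ereport, outside the last hunk, so it cannot be confirmed from this page; if it is missing, a reload with an unsupported version would fall through with an unspecified return value after logging instead of erroring. The two new blocks are also identical apart from the GUC name and setter, so a small static helper taking the GUC value, its name, the setter and loglevel would keep the -1 handling in one place. be_tls_init's body and ssl_protocol_version_to_openssl's switch both continue outside the visible hunks.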
