Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit41aadee

Browse files
committed
Add GUC checks for ssl_min_protocol_version and ssl_max_protocol_version
Mixing incorrect bounds set in the SSL context leads to confusing errormessages generated by OpenSSL which are hard to act on. New checks areadded within the GUC machinery to improve the user experience as theyapply to any SSL implementation, not only OpenSSL, and doing the checksbeforehand avoids the creation of a SSL during a reload (or startup)which we know will never be used anyway.Backpatch down to 12, as those parameters have been introduced bye73e67c.Author: Michael PaquierReviewed-by: Daniel GustafssonDiscussion:https://postgr.es/m/20200114035420.GE1515@paquier.xyzBackpatch-through: 12
1 parent4b754d6 commit41aadee

File tree

2 files changed

+68
-3
lines changed

2 files changed

+68
-3
lines changed

‎src/backend/utils/misc/guc.c

Lines changed: 49 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -204,6 +204,10 @@ static const char *show_log_file_mode(void);
204204
staticconstchar*show_data_directory_mode(void);
205205
staticboolcheck_backtrace_functions(char**newval,void**extra,GucSourcesource);
206206
staticvoidassign_backtrace_functions(constchar*newval,void*extra);
207+
staticboolcheck_ssl_min_protocol_version(int*newval,void**extra,
208+
GucSourcesource);
209+
staticboolcheck_ssl_max_protocol_version(int*newval,void**extra,
210+
GucSourcesource);
207211
staticboolcheck_recovery_target_timeline(char**newval,void**extra,GucSourcesource);
208212
staticvoidassign_recovery_target_timeline(constchar*newval,void*extra);
209213
staticboolcheck_recovery_target(char**newval,void**extra,GucSourcesource);
@@ -4594,7 +4598,7 @@ static struct config_enum ConfigureNamesEnum[] =
45944598
&ssl_min_protocol_version,
45954599
PG_TLS1_2_VERSION,
45964600
ssl_protocol_versions_info+1,/* don't allow PG_TLS_ANY */
4597-
NULL,NULL,NULL
4601+
check_ssl_min_protocol_version,NULL,NULL
45984602
},
45994603

46004604
{
@@ -4606,7 +4610,7 @@ static struct config_enum ConfigureNamesEnum[] =
46064610
&ssl_max_protocol_version,
46074611
PG_TLS_ANY,
46084612
ssl_protocol_versions_info,
4609-
NULL,NULL,NULL
4613+
check_ssl_max_protocol_version,NULL,NULL
46104614
},
46114615

46124616
/* End-of-list marker */
@@ -11603,6 +11607,49 @@ assign_backtrace_functions(const char *newval, void *extra)
1160311607
backtrace_symbol_list= (char*)extra;
1160411608
}
1160511609

11610+
staticbool
11611+
check_ssl_min_protocol_version(int*newval,void**extra,GucSourcesource)
11612+
{
11613+
intnew_ssl_min_protocol_version=*newval;
11614+
11615+
/* PG_TLS_ANY is not supported for the minimum bound */
11616+
Assert(new_ssl_min_protocol_version>PG_TLS_ANY);
11617+
11618+
if (ssl_max_protocol_version&&
11619+
new_ssl_min_protocol_version>ssl_max_protocol_version)
11620+
{
11621+
GUC_check_errhint("\"%s\" cannot be higher than \"%s\".",
11622+
"ssl_min_protocol_version",
11623+
"ssl_max_protocol_version");
11624+
GUC_check_errcode(ERRCODE_INVALID_PARAMETER_VALUE);
11625+
return false;
11626+
}
11627+
11628+
return true;
11629+
}
11630+
11631+
staticbool
11632+
check_ssl_max_protocol_version(int*newval,void**extra,GucSourcesource)
11633+
{
11634+
intnew_ssl_max_protocol_version=*newval;
11635+
11636+
/* if PG_TLS_ANY, there is no need to check the bounds */
11637+
if (new_ssl_max_protocol_version==PG_TLS_ANY)
11638+
return true;
11639+
11640+
if (ssl_min_protocol_version&&
11641+
ssl_min_protocol_version>new_ssl_max_protocol_version)
11642+
{
11643+
GUC_check_errhint("\"%s\" cannot be lower than \"%s\".",
11644+
"ssl_max_protocol_version",
11645+
"ssl_min_protocol_version");
11646+
GUC_check_errcode(ERRCODE_INVALID_PARAMETER_VALUE);
11647+
return false;
11648+
}
11649+
11650+
return true;
11651+
}
11652+
1160611653
staticbool
1160711654
check_recovery_target_timeline(char**newval,void**extra,GucSourcesource)
1160811655
{

‎src/test/ssl/t/001_ssltests.pl

Lines changed: 19 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@
1313

1414
if ($ENV{with_openssl}eq'yes')
1515
{
16-
plantests=>84;
16+
plantests=>86;
1717
}
1818
else
1919
{
@@ -97,6 +97,24 @@
9797
'restart succeeds with password-protected key file');
9898
$node->_update_pid(1);
9999

100+
# Test compatibility of SSL protocols.
101+
# TLSv1.1 is lower than TLSv1.2, so it won't work.
102+
$node->append_conf(
103+
'postgresql.conf',
104+
qq{ssl_min_protocol_version='TLSv1.2'
105+
ssl_max_protocol_version='TLSv1.1'});
106+
command_fails(
107+
['pg_ctl','-D',$node->data_dir,'-l',$node->logfile,'restart' ],
108+
'restart fails with incorrect SSL protocol bounds');
109+
# Go back to the defaults, this works.
110+
$node->append_conf(
111+
'postgresql.conf',
112+
qq{ssl_min_protocol_version='TLSv1.2'
113+
ssl_max_protocol_version=''});
114+
command_ok(
115+
['pg_ctl','-D',$node->data_dir,'-l',$node->logfile,'restart' ],
116+
'restart succeeds with correct SSL protocol bounds');
117+
100118
### Run client-side tests.
101119
###
102120
### Test that libpq accepts/rejects the connection correctly, depending

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp