Commit a49fbaa

Don't assume that "E" response to NEGOTIATE_SSL_CODE means pre-7.0 server.
These days, such a response is far more likely to signify a server-side problem, such as fork failure. Reporting "server does not support SSL" (in sslmode=require) could be quite misleading. But the results could be even worse in sslmode=prefer: if the problem was transient and the next connection attempt succeeds, we'll have silently fallen back to protocol version 2.0, possibly disabling features the user needs.

Hence, it seems best to just eliminate the assumption that backing off to non-SSL/2.0 protocol is the way to recover from an "E" response, and instead treat the server error the same as we would in non-SSL cases.

I tested this change against a pre-7.0 server, and found that there was a second logic bug in the "prefer" path: the test to decide whether to make a fallback connection attempt assumed that we must have opened conn->ssl, which in fact does not happen given an "E" response. After fixing that, the code does indeed connect successfully to pre-7.0, as long as you didn't set sslmode=require. (If you did, you get "Unsupported frontend protocol", which isn't completely off base given the server certainly doesn't support SSL.)

Since there seems no reason to believe that pre-7.0 servers exist anymore in the wild, back-patch to all supported branches.

1 parent f44d275 commit a49fbaa

‎src/interfaces/libpq/fe-connect.c

Lines changed: 17 additions & 27 deletions
Original file line number | Diff line number | Diff line change
@@ -2022,16 +2022,19 @@ PQconnectPoll(PGconn *conn)
20222022
/* should not happen really */
20232023
returnPGRES_POLLING_READING;
20242024
}
2025-
/* mark byte consumed */
2026-
conn->inStart=conn->inCursor;
20272025
if (SSLok=='S')
20282026
{
2027+
/* mark byte consumed */
2028+
conn->inStart=conn->inCursor;
20292029
/* Set up global SSL state if required */
20302030
if (pqsecure_initialize(conn)!=0)
20312031
gotoerror_return;
20322032
}
20332033
elseif (SSLok=='N')
20342034
{
2035+
/* mark byte consumed */
2036+
conn->inStart=conn->inCursor;
2037+
/* OK to do without SSL? */
20352038
if (conn->sslmode[0]=='r'||/* "require" */
20362039
conn->sslmode[0]=='v')/* "verify-ca" or
20372040
* "verify-full" */
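
Review bot: the `conn->inStart = conn->inCursor` consume step is now repeated inside the 'S' and 'N' branches, and nothing ahead of `if (SSLok == 'S')` says that consuming the response byte has become each branch's own job. Because the 'E' branch depends on the byte staying in the input buffer, a short comment at the top of the `SSLok` chain stating that rule would keep a later branch from consuming it by habit or forgetting to. Please also confirm that no other branch of the chain relied on the shared statement that was removed.
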
@@ -2048,29 +2051,17 @@ PQconnectPoll(PGconn *conn)
20482051
}
20492052
elseif (SSLok=='E')
20502053
{
2051-
/* Received error - probably protocol mismatch */
2052-
if (conn->Pfdebug)
2053-
fprintf(conn->Pfdebug,"received error from server, attempting fallback to pre-7.0\n");
2054-
if (conn->sslmode[0]=='r'||/* "require" */
2055-
conn->sslmode[0]=='v')/* "verify-ca" or
2056-
* "verify-full" */
2057-
{
2058-
/* Require SSL, but server is too old */
2059-
appendPQExpBuffer(&conn->errorMessage,
2060-
libpq_gettext("server does not support SSL, but SSL was required\n"));
2061-
gotoerror_return;
2062-
}
2063-
/* Otherwise, try again without SSL */
2064-
conn->allow_ssl_try= false;
2065-
/* Assume it ain't gonna handle protocol 3, either */
2066-
conn->pversion=PG_PROTOCOL(2,0);
2067-
/* Must drop the old connection */
2068-
closesocket(conn->sock);
2069-
conn->sock=-1;
2070-
conn->status=CONNECTION_NEEDED;
2071-
/* Discard any unread/unsent data */
2072-
conn->inStart=conn->inCursor=conn->inEnd=0;
2073-
conn->outCount=0;
2054+
/*
2055+
* Server failure of some sort, such as failure to
2056+
* fork a backend process. We need to process and
2057+
* report the error message, which might be formatted
2058+
* according to either protocol 2 or protocol 3.
2059+
* Rather than duplicate the code for that, we flip
2060+
* into AWAITING_RESPONSE state and let the code there
2061+
* deal with it. Note we have *not* consumed the "E"
2062+
* byte here.
2063+
*/
2064+
conn->status=CONNECTION_AWAITING_RESPONSE;
20742065
gotokeep_going;
20752066
}
20762067
else
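
Review bot: the new 'E' branch no longer tests `conn->sslmode`, so in "require" and "verify-*" modes the guarantee that the connection fails rather than proceeding now rests entirely on the CONNECTION_AWAITING_RESPONSE code treating the unconsumed "E" byte as an error. The block comment should say that explicitly, and should note that the error text reported from there was received before any SSL handshake and is therefore unauthenticated cleartext. The `conn->Pfdebug` trace was removed along with the old fallback; a replacement trace line in this branch would keep the outcome of the SSL request visible in debug output.
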
@@ -2305,8 +2296,7 @@ PQconnectPoll(PGconn *conn)
23052296
* then do a non-SSL retry
23062297
*/
23072298
if (conn->sslmode[0]=='p'/* "prefer" */
2308-
&&conn->ssl
2309-
&&conn->allow_ssl_try/* redundant? */
2299+
&&conn->allow_ssl_try
23102300
&& !conn->wait_ssl_try)/* redundant? */
23112301
{
23122302
/* only retry once */
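
Review bot: with `&& conn->ssl` dropped from the "prefer" retry condition, the code gives no hint why an open SSL session is not required before making the non-SSL retry. The reason (an "E" reply to the SSL request never opens `conn->ssl`) appears only in the commit message and belongs in the comment above this `if`. The `/* redundant? */` marker was removed from `conn->allow_ssl_try` but left on `!conn->wait_ssl_try`; either settle that question too or say why the doubt remains.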
