Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitac2dcca

Browse files
committed
Add GUC checks for ssl_min_protocol_version and ssl_max_protocol_version
Mixing incorrect bounds set in the SSL context leads to confusing errormessages generated by OpenSSL which are hard to act on. New checks areadded within the GUC machinery to improve the user experience as theyapply to any SSL implementation, not only OpenSSL, and doing the checksbeforehand avoids the creation of a SSL during a reload (or startup)which we know will never be used anyway.Backpatch down to 12, as those parameters have been introduced bye73e67c.Author: Michael PaquierReviewed-by: Daniel GustafssonDiscussion:https://postgr.es/m/20200114035420.GE1515@paquier.xyzBackpatch-through: 12
1 parent2e26460 commitac2dcca

File tree

3 files changed

+69
-4
lines changed

3 files changed

+69
-4
lines changed

‎src/backend/utils/misc/guc.c

Lines changed: 49 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -201,6 +201,10 @@ static bool check_cluster_name(char **newval, void **extra, GucSource source);
201201
staticconstchar*show_unix_socket_permissions(void);
202202
staticconstchar*show_log_file_mode(void);
203203
staticconstchar*show_data_directory_mode(void);
204+
staticboolcheck_ssl_min_protocol_version(int*newval,void**extra,
205+
GucSourcesource);
206+
staticboolcheck_ssl_max_protocol_version(int*newval,void**extra,
207+
GucSourcesource);
204208
staticboolcheck_recovery_target_timeline(char**newval,void**extra,GucSourcesource);
205209
staticvoidassign_recovery_target_timeline(constchar*newval,void*extra);
206210
staticboolcheck_recovery_target(char**newval,void**extra,GucSourcesource);
@@ -4522,7 +4526,7 @@ static struct config_enum ConfigureNamesEnum[] =
45224526
&ssl_min_protocol_version,
45234527
PG_TLS1_VERSION,
45244528
ssl_protocol_versions_info+1,/* don't allow PG_TLS_ANY */
4525-
NULL,NULL,NULL
4529+
check_ssl_min_protocol_version,NULL,NULL
45264530
},
45274531

45284532
{
@@ -4534,7 +4538,7 @@ static struct config_enum ConfigureNamesEnum[] =
45344538
&ssl_max_protocol_version,
45354539
PG_TLS_ANY,
45364540
ssl_protocol_versions_info,
4537-
NULL,NULL,NULL
4541+
check_ssl_max_protocol_version,NULL,NULL
45384542
},
45394543

45404544
/* End-of-list marker */
@@ -11462,6 +11466,49 @@ show_data_directory_mode(void)
1146211466
returnbuf;
1146311467
}
1146411468

11469+
staticbool
11470+
check_ssl_min_protocol_version(int*newval,void**extra,GucSourcesource)
11471+
{
11472+
intnew_ssl_min_protocol_version=*newval;
11473+
11474+
/* PG_TLS_ANY is not supported for the minimum bound */
11475+
Assert(new_ssl_min_protocol_version>PG_TLS_ANY);
11476+
11477+
if (ssl_max_protocol_version&&
11478+
new_ssl_min_protocol_version>ssl_max_protocol_version)
11479+
{
11480+
GUC_check_errhint("\"%s\" cannot be higher than \"%s\".",
11481+
"ssl_min_protocol_version",
11482+
"ssl_max_protocol_version");
11483+
GUC_check_errcode(ERRCODE_INVALID_PARAMETER_VALUE);
11484+
return false;
11485+
}
11486+
11487+
return true;
11488+
}
11489+
11490+
staticbool
11491+
check_ssl_max_protocol_version(int*newval,void**extra,GucSourcesource)
11492+
{
11493+
intnew_ssl_max_protocol_version=*newval;
11494+
11495+
/* if PG_TLS_ANY, there is no need to check the bounds */
11496+
if (new_ssl_max_protocol_version==PG_TLS_ANY)
11497+
return true;
11498+
11499+
if (ssl_min_protocol_version&&
11500+
ssl_min_protocol_version>new_ssl_max_protocol_version)
11501+
{
11502+
GUC_check_errhint("\"%s\" cannot be lower than \"%s\".",
11503+
"ssl_max_protocol_version",
11504+
"ssl_min_protocol_version");
11505+
GUC_check_errcode(ERRCODE_INVALID_PARAMETER_VALUE);
11506+
return false;
11507+
}
11508+
11509+
return true;
11510+
}
11511+
1146511512
staticbool
1146611513
check_recovery_target_timeline(char**newval,void**extra,GucSourcesource)
1146711514
{

‎src/test/ssl/t/001_ssltests.pl

Lines changed: 19 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@
1313

1414
if ($ENV{with_openssl}eq'yes')
1515
{
16-
plantests=>75;
16+
plantests=>77;
1717
}
1818
else
1919
{
@@ -87,6 +87,24 @@
8787
'restart succeeds with password-protected key file');
8888
$node->_update_pid(1);
8989

90+
# Test compatibility of SSL protocols.
91+
# TLSv1.1 is lower than TLSv1.2, so it won't work.
92+
$node->append_conf(
93+
'postgresql.conf',
94+
qq{ssl_min_protocol_version='TLSv1.2'
95+
ssl_max_protocol_version='TLSv1.1'});
96+
command_fails(
97+
['pg_ctl','-D',$node->data_dir,'-l',$node->logfile,'restart' ],
98+
'restart fails with incorrect SSL protocol bounds');
99+
# Go back to the defaults, this works.
100+
$node->append_conf(
101+
'postgresql.conf',
102+
qq{ssl_min_protocol_version='TLSv1'
103+
ssl_max_protocol_version=''});
104+
command_ok(
105+
['pg_ctl','-D',$node->data_dir,'-l',$node->logfile,'restart' ],
106+
'restart succeeds with correct SSL protocol bounds');
107+
90108
### Run client-side tests.
91109
###
92110
### Test that libpq accepts/rejects the connection correctly, depending

‎src/test/ssl/t/SSLServer.pm

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -128,7 +128,7 @@ sub configure_test_server_for_ssl
128128
print$conf"log_statement=all\n";
129129

130130
# enable SSL and set up server key
131-
print$conf"include 'sslconfig.conf'";
131+
print$conf"include 'sslconfig.conf'\n";
132132

133133
close$conf;
134134

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp