From: | Arthur Zakirov <zaartur(at)gmail(dot)com> |
---|---|
To: | Daniel Gustafsson <daniel(at)yesql(dot)se>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Setting min/max TLS protocol in clientside libpq |
Date: | 2019-12-19 02:11:31 |
Message-ID: | 0a0704fa-db1f-cedf-d0ce-eae30d984105@gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Hello,
On 2019/12/04 2:37, Daniel Gustafsson wrote:
> The attached patch implements two new connection string variables for minimum
> and maximum TLS protocol version, mimicking how it's done in the backend. This
> does duplicate a bit of code from be-secure-openssl.c to cope with older
> versions of OpenSSL, but it seemed a too trivial duplication to create
> common/openssl.c (but others might disagree).
I've looked at the patch and I have a couple comments.
> + if (ssl_max_ver < ssl_min_ver)
> + {
> + printfPQExpBuffer(&conn->errorMessage,
> + libpq_gettext("invalid maximum SSL version specified, must be higher than minimum SSL version: %s\n"),
> + conn->sslmaxprotocolversion);
> + return -1;
> + }
> +
> + if (ssl_max_ver == -1)
> + {
> + printfPQExpBuffer(&conn->errorMessage,
> + libpq_gettext("invalid maximum SSL version specified: %s\n"),
> + conn->sslmaxprotocolversion);
> + return -1;
> + }
I think we should raise the error "invalid maximum SSL version
specified" earlier. If ssl_protocol_version_to_openssl() returns -1 and
ssl_min_ver is valid we never reach the condition "ssl_max_ver == -1".
Also it might confuse users to get the error "invalid maximum SSL
version specified, must be higher than minimum SSL version" instead of
former one.
Secondly I think the error "invalid maximum SSL version specified"
itself might confuse users, in the case if the input is good but a build
doesn't support desired version. So I think it is better to do two
checks here: check for a correct input and check if a build supports it.
In the second case we may raise "SSL version %s not supported by this
build". It is actually like backend does: guc.c checks for correct input
using ssl_protocol_versions_info and ssl_protocol_version_to_openssl()
checks if a build supports the version.
--
Arthur
From | Date | Subject | |
---|---|---|---|
Next Message | Michael Paquier | 2019-12-19 02:15:26 | Clean up some old cruft related to Windows |
Previous Message | Michael Paquier | 2019-12-19 01:24:43 | Re: [PATCH] Windows port add support to BCryptGenRandom |