Re: Improve errors when setting incorrect bounds for SSL protocols

From: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>
To: Michael Paquier <michael(at)paquier(dot)xyz>, Daniel Gustafsson <daniel(at)yesql(dot)se>
Cc: Postgres hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: Improve errors when setting incorrect bounds for SSL protocols
Date: 2020-01-20 08:11:30
Message-ID: 5342043b-c85f-2fb9-7934-45cf6a64b200@2ndquadrant.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On 2020-01-15 03:28, Michael Paquier wrote:
> Good points. And the get routines are not that portable in OpenSSL
> either even if HEAD supports 1.0.1 and newer versions... Attached is
> an updated patch which uses a GUC check for both parameters, and
> provides a hint on top of the original error message. The SSL context
> does not get reloaded if there is an error, so the errors from OpenSSL
> cannot be triggered as far as I checked (after mixing a couple of
> corrent and incorrect combinations manually).

The reason this wasn't done originally is that it is not correct to have
GUC check hooks that refer to other GUC variables, because otherwise you
get inconsistent behavior depending on the order of processing of the
assignments. In this case, I think it would work because you have
symmetric checks for both variables, but in general it is a problematic
strategy.

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Kyotaro Horiguchi 2020-01-20 08:24:07 Re: Remove page-read callback from XLogReaderState.
Previous Message Craig Ringer 2020-01-20 08:09:26 Re: Allow 'sslkey' and 'sslcert' in postgres_fdw user mappings