| From: | Michael Paquier <michael(at)paquier(dot)xyz> |
|---|---|
| To: | pgsql-committers(at)lists(dot)postgresql(dot)org |
| Subject: | pgsql: Add bound checks for ssl_min_protocol_version and ssl_max_protoc |
| Date: | 2020-03-23 02:03:35 |
| Message-ID: | E1jGCRD-0003M2-4s@gemulon.postgresql.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-committers |
Add bound checks for ssl_min_protocol_version and ssl_max_protocol_version
Mixing incorrect bounds in the SSL context leads to confusing error
messages generated by OpenSSL which are hard to act on. New range
checks are added when both min/max parameters are loaded in the context
of a SSL reload to improve the error reporting. Note that this does not
make use of the GUC hook machinery contrary to 41aadee, as there is no
way to ensure a consistent range check (except if there is a way one day
to define range types for GUC parameters?). Hence, this patch applies
only to OpenSSL, and uses a logic similar to other parameters to trigger
an error when reloading the SSL context in a session.
Author: Michael Paquier
Reviewed-by: Daniel Gustafsson
Discussion: https://postgr.es/m/20200114035420.GE1515@paquier.xyz
Branch
------
master
Details
-------
https://git.postgresql.org/pg/commitdiff/79dfa8afb296e1b0dcffbe674e04c5f25cc13dfd
Modified Files
--------------
src/backend/libpq/be-secure-openssl.c | 65 ++++++++++++++++++++++++-----------
src/test/ssl/t/001_ssltests.pl | 18 +++++++++-
2 files changed, 62 insertions(+), 21 deletions(-)
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Amit Kapila | 2020-03-23 02:47:42 | pgsql: Add object names to partition integrity violations. |
| Previous Message | Noah Misch | 2020-03-22 16:27:01 | pgsql: Revert "Skip WAL for new relfilenodes, under wal_level=minimal." |