From 40a5206109472b79ad0a9f02e4f88de23a5ec009 Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson
Date: Wed, 6 Feb 2019 15:14:00 +0100
Subject: [PATCH] Set elevel based on isServerStart in TLS version check

be_tls_init() should error out with an elevel based on isServerStart in order for the SSL context to be properly cleaned up. Fix the TLS version setup to also consider isServerStart rather than erroring out with ERROR unconditionally.
---
 src/backend/libpq/be-secure-openssl.c | 37 ++++++++++++++++++++++++-----------
 1 file changed, 26 insertions(+), 11 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index a2779543ec..9635abdec7 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -67,7 +67,8 @@ static bool SSL_initialized = false;
 static bool dummy_ssl_passwd_cb_called = false;
 static bool ssl_is_server_start;
 
-static int ssl_protocol_version_to_openssl(int v, const char *guc_name);
+static int ssl_protocol_version_to_openssl(int v, const char *guc_name,
+					bool isServerStart);
 #ifndef SSL_CTX_set_min_proto_version
 static int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version);
 static int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version);
@@ -190,13 +191,24 @@ be_tls_init(bool isServerStart)
 	}
 
 	if (ssl_min_protocol_version)
-		SSL_CTX_set_min_proto_version(context,
-			ssl_protocol_version_to_openssl(ssl_min_protocol_version,
-				"ssl_min_protocol_version"));
+	{
+		int tls_ver = ssl_protocol_version_to_openssl(ssl_min_protocol_version,
+				"ssl_min_protocol_version",
+				isServerStart);
+		if (tls_ver == -1)
+			goto error;
+		SSL_CTX_set_min_proto_version(context, tls_ver);
+	}
+
 	if (ssl_max_protocol_version)
-		SSL_CTX_set_max_proto_version(context,
-			ssl_protocol_version_to_openssl(ssl_max_protocol_version,
-				"ssl_max_protocol_version"));
+	{
+		int tls_ver = ssl_protocol_version_to_openssl(ssl_max_protocol_version,
+				"ssl_max_protocol_version",
+				isServerStart);
+		if (tls_ver == -1)
+			goto error;
+		SSL_CTX_set_max_proto_version(context, tls_ver);
+	}
 
 	/* disallow SSL session tickets */
 #ifdef SSL_OP_NO_TICKET /* added in OpenSSL 0.9.8f */
@@ -1258,12 +1270,15 @@ X509_NAME_to_cstring(X509_NAME *name)
  * guc.c independent of OpenSSL availability and version.
  *
  * If a version is passed that is not supported by the current OpenSSL
- * version, then we throw an error, so that subsequent code can assume it's
- * working with a supported version.
+ * version, then we log with the appropriate elevel given the isServerStart
+ * parameter, and will error out. Subsequent code can assume it's working
+ * with a supported version.
  */
 static int
-ssl_protocol_version_to_openssl(int v, const char *guc_name)
+ssl_protocol_version_to_openssl(int v, const char *guc_name, bool isServerStart)
 {
+	int loglevel = isServerStart ? FATAL : LOG;
+
 	switch (v)
 	{
 		case PG_TLS_ANY:
@@ -1292,7 +1307,7 @@ ssl_protocol_version_to_openssl(int v, const char *guc_name)
 
 error:
 	pg_attribute_unused();
-	ereport(ERROR,
+	ereport(loglevel,
 			(errmsg("%s setting %s not supported by this build",
 					guc_name, GetConfigOption(guc_name, false, false))));
 
-- 
2.14.1.145.gb3622a4ee
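Review bot: The new `if (tls_ver == -1) goto error;` checks in both added blocks only protect the context if ssl_protocol_version_to_openssl() really returns -1 after reporting at LOG, and the last hunk (@@ -1292) shows no `return -1;` following the `ereport(loglevel, ...)` — its trailing context is a blank line, and the function's closing brace is outside the hunk, so I cannot confirm one exists. If no return follows, the non-server-start path (loglevel == LOG, where ereport() returns) falls off the end of a non-void function, `tls_ver` is indeterminate, the -1 check is unreliable, and SSL_CTX_set_min_proto_version()/SSL_CTX_set_max_proto_version() may be fed garbage on a reload with an unsupported GUC value; add `return -1;` directly after the ereport in that hunk if it is missing. be_tls_init() and its `error:` label start and end outside this hunk, so the cleanup the commit message describes is taken on trust here.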
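Review bot: The rewritten header comment promises the function "will error out", but with the new `loglevel` of LOG (isServerStart false) ereport() returns to the caller, so the comment should state the return contract instead; I would replace the last two sentences with `* When isServerStart is true the problem is reported at FATAL and the function does not return; otherwise it is logged at LOG and -1 is returned so the caller can abandon the SSL context.` (whether -1 is in fact returned after the ereport lies outside the visible hunks). As a point of style, taking the elevel itself (`int loglevel`) as the parameter rather than a bool would avoid hard-coding the FATAL/LOG mapping in this helper and let a future caller pick ERROR without another flag.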