Add bound checks for ssl_min_protocol_version and ssl_max_protocol_version Mixing incorrect bounds in the SSL context leads to confusing error messages generated by OpenSSL which are hard to act on. New range checks are added when both min/max parameters are loaded in the context of a SSL reload to improve the error reporting. Note that this does not make use of the GUC hook machinery contrary to 41aadee, as there is no way to ensure a consistent range check (except if there is a way one day to define range types for GUC parameters?). Hence, this patch applies only to OpenSSL, and uses a logic similar to other parameters to trigger an error when reloading the SSL context in a session.
Author: Michael Paquier Reviewed-by: Daniel Gustafsson Discussion: https://postgr.es/m/[email protected] Branch ------ master Details ------- https://git.postgresql.org/pg/commitdiff/79dfa8afb296e1b0dcffbe674e04c5f25cc13dfd Modified Files -------------- src/backend/libpq/be-secure-openssl.c | 65 ++++++++++++++++++++++++----------- src/test/ssl/t/001_ssltests.pl | 18 +++++++++- 2 files changed, 62 insertions(+), 21 deletions(-)
