> I'm a bit surprised that the .dat
> file processing doesn't error out keys that aren't part of the DSL for
> defining
> GUCs but clearly it doesn't. Fixed.
This also surprised me, I wrote a patch to improve this [1].
I only have a few mostly stylistic comments, otherwise the patch looks good.
+ if (isServerStart)
+ {
+ if (host->ssl_passphrase_cmd && host->ssl_passphrase_cmd[0])
+ {
+ SSL_CTX_set_default_passwd_cb(ctx, ssl_external_passwd_cb);
+ SSL_CTX_set_default_passwd_cb_userdata(ctx, host->ssl_passphrase_cmd);
+ }
+ }
+ else
+ {
+ if (host->ssl_passphrase_reload && host->ssl_passphrase_cmd[0])
+ {
+ SSL_CTX_set_default_passwd_cb(ctx, ssl_external_passwd_cb);
+ SSL_CTX_set_default_passwd_cb_userdata(ctx, host->ssl_passphrase_cmd);
+ }
The start path checks ssl_passphrase_cmd for null, the reload doesn't.
+ if (openssl_tls_init_hook != default_openssl_tls_init)
+ {
+ ereport(WARNING,
+ errcode(ERRCODE_CONFIG_FILE_ERROR),
+ errmsg("SNI is enabled; installed TLS init hook will be ignored"),
Won't this spam the log with one warning per hosts line? It might be
okay/acceptable, but there isn't anything line specific in this
warning.
+ * file. The list is returned in the hosts parameter. The function will return
+ * a HostsFileLoadResult value detailing the result of the operation. When
+ * the hosts configuration failed to load, the err_msg variable may have more
+ * information in case it was passed as non-NULL.
+ */
+int
+load_hosts(List **hosts, char **err_msg)
Comment says HostsFileLoadResult, but the return type is int.
+typedef enum HostsFileLoad
+{
+ HOSTSFILE_LOAD_OK = 0,
+ HOSTSFILE_LOAD_FAILED,
+ HOSTSFILE_EMPTY,
+ HOSTSFILE_MISSING,
+ HOSTSFILE_DISABLED,
+} HostsFileLoadResult;
Is the HostsFileLoad vs HostsFileLoadResult difference intentional?
+#ifdef USE_ASSERT_CHECKING
+ if (res == HOSTSFILE_DISABLED)
+ Assert(ssl_sni == false);
+#endif
Do we need this ifdef?
And I also found a typo (distncnt):
+ /*
+ * At this point we know we have a configuration with a list
+ * of distnct 1..n hostnames for literal string matching with
+ * the SNI extension from the user.
[1]:
https://www.postgresql.org/message-id/CAN4CZFP%3D3xUoXb9jpn5OWwicg%2Brbyrca8-tVmgJsQAa4%2BOExkw%40mail.gmail.com
