From 5160a67f2603b37da3cc912d6dae78a4daef15f3 Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <daniel@yesql.se>
Date: Wed, 6 Feb 2019 15:14:00 +0100
Subject: [PATCH] Set elevel based on isServerStart in TLS version check

be_tls_init() should error out with an elevel based on isServerStart
in order for the SSL context to be properly cleaned up. Fix the TLS
version setup to also consider isServerStart rather than erroring out
with ERROR unconditionally.
---
 src/backend/libpq/be-secure-openssl.c | 32 +++++++++++++++++++++++---------
 1 file changed, 23 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index a2779543ec..85507fa2f2 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -67,7 +67,8 @@ static bool SSL_initialized = false;
 static bool dummy_ssl_passwd_cb_called = false;
 static bool ssl_is_server_start;
 
-static int ssl_protocol_version_to_openssl(int v, const char *guc_name);
+static int ssl_protocol_version_to_openssl(int v, const char *guc_name,
+										   bool isServerStart);
 #ifndef SSL_CTX_set_min_proto_version
 static int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version);
 static int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version);
@@ -190,13 +191,24 @@ be_tls_init(bool isServerStart)
 	}
 
 	if (ssl_min_protocol_version)
-		SSL_CTX_set_min_proto_version(context,
-									  ssl_protocol_version_to_openssl(ssl_min_protocol_version,
-																	  "ssl_min_protocol_version"));
+	{
+		int tls_ver = ssl_protocol_version_to_openssl(ssl_min_protocol_version,
+													  "ssl_min_protocol_version",
+													  isServerStart);
+		if (tls_ver == -1)
+			goto error;
+		SSL_CTX_set_min_proto_version(context, tls_ver);
+	}
+
 	if (ssl_max_protocol_version)
-		SSL_CTX_set_max_proto_version(context,
-									  ssl_protocol_version_to_openssl(ssl_max_protocol_version,
-																	  "ssl_max_protocol_version"));
+	{
+		int tls_ver = ssl_protocol_version_to_openssl(ssl_max_protocol_version,
+													  "ssl_max_protocol_version",
+													  isServerStart);
+		if (tls_ver == -1)
+			goto error;
+		SSL_CTX_set_max_proto_version(context, tls_ver);
+	}
 
 	/* disallow SSL session tickets */
 #ifdef SSL_OP_NO_TICKET			/* added in OpenSSL 0.9.8f */
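Review bot: The results of `SSL_CTX_set_min_proto_version(context, tls_ver)` and `SSL_CTX_set_max_proto_version(context, tls_ver)` in the two new blocks are discarded. If the setter rejects the requested bound, the context keeps its previous protocol range and the server may negotiate versions the administrator meant to exclude. OpenSSL documents these setters as returning 1 on success and 0 on failure; the fallback versions declared earlier in this file also return int, though their bodies are not visible here. Each call should be checked and routed to the same `error` label as the -1 case, as sketched below. be_tls_init starts and ends outside this hunk.

```c
	if (ssl_min_protocol_version)
	{
		/* … unchanged: tls_ver lookup and the -1 check … */
		if (!SSL_CTX_set_min_proto_version(context, tls_ver))
		{
			ereport(isServerStart ? FATAL : LOG,
					(errmsg("could not set minimum SSL protocol version")));
			goto error;
		}
	}
	/* … same check around SSL_CTX_set_max_proto_version in the max block … */
```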
@@ -1262,8 +1274,10 @@ X509_NAME_to_cstring(X509_NAME *name)
  * working with a supported version.
  */
 static int
-ssl_protocol_version_to_openssl(int v, const char *guc_name)
+ssl_protocol_version_to_openssl(int v, const char *guc_name, bool isServerStart)
 {
+	int			loglevel = isServerStart ? FATAL : LOG;
+
 	switch (v)
 	{
 		case PG_TLS_ANY:
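Review bot: The header comment whose tail is visible at the top of this hunk is not updated for the new `isServerStart` parameter or for the fact that the function can now return to its caller after reporting. The callers in be_tls_init test for -1, so the comment should state that contract, for example `* On an unsupported version, reports at FATAL (server start) or LOG (reload) and returns -1.` The body of ssl_protocol_version_to_openssl continues outside this hunk.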
@@ -1292,7 +1306,7 @@ ssl_protocol_version_to_openssl(int v, const char *guc_name)
 
 error:
 	pg_attribute_unused();
-	ereport(ERROR,
+	ereport(loglevel,
 			(errmsg("%s setting %s not supported by this build",
 					guc_name,
 					GetConfigOption(guc_name, false, false))));
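Review bot: With `ereport(loglevel, ...)` running at LOG on a reload, control now falls through to whatever follows the call, which was unreachable while the level was a hard-coded ERROR. That statement is outside this hunk; it needs to be `return -1;` for the new `tls_ver == -1` checks in be_tls_init to abort the reload instead of passing a stray value to the protocol-version setters. A short comment above the ereport, such as `/* at LOG this returns; caller must see -1 and clean up the context */`, would keep the dependency visible.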
-- 
2.14.1.145.gb3622a4ee

