From 00f2753e696709ee81529c7728a77ddf33a43784 Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson
Date: Wed, 29 Apr 2020 01:00:00 +0200
Subject: [PATCH] Fix check for conflicting min/max protocol settings

Commit 79dfa8afb296e1b0dcffbe674e04c5f25cc13dfd introduced a check to catch when the minimum protocol version was set higher than the maximum version. The conditional block lacked braces however so the error handling always kicks in, which frees the SSL context making the backend no longer working for SSL connections. Fix by enclosing the block with braces.
---
 src/backend/libpq/be-secure-openssl.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index a65f920343..42c5c07e58 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -226,12 +226,14 @@ be_tls_init(bool isServerStart)
 * as the code above would have already generated an error.
 */
 if (ssl_ver_min > ssl_ver_max)
+ {
 ereport(isServerStart ? FATAL : LOG,
 (errmsg("could not set SSL protocol version range"),
 errdetail("\"%s\" cannot be higher than \"%s\"",
 "ssl_min_protocol_version",
 "ssl_max_protocol_version")));
- goto error;
+ goto error;
+ }
 }
 
 /* disallow SSL session tickets */
-- 
2.21.1 (Apple Git-122.3)
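Review bot: The `goto error;` now inside the braces has no comment explaining why it is needed after `ereport(isServerStart ? FATAL : LOG, ...)`: on the `LOG` branch ereport() returns, so the jump is the only thing that rejects the bad range, and a line such as `/* at LOG level ereport() returns, so leave via the error path */` above it would make that explicit. Per the commit message the error path frees the SSL context, so a misplaced jump here silently turns TLS off for the backend; clients configured to tolerate a non-TLS fallback could then connect in cleartext (inferred, the client side is not on this page). The patch touches only be-secure-openssl.c and adds no regression test; one that loads a valid min/max pair and then completes a TLS handshake would catch a repeat of the original mistake. be_tls_init's body starts and ends outside the hunk, so the `error:` label and what it releases are not visible here.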