
Commit 4e6f101

committed
Fix compilation with older OpenSSL versions
Some older OpenSSL versions (0.9.8 branch) define TLS*_VERSION macros but not the corresponding SSL_OP_NO_* macro, which causes the code for handling ssl_min_protocol_version/ssl_max_protocol_version to fail to compile. To fix, add more #ifdefs and error handling. Reported-by: Victor Wagner <vitus@wagner.pp.ru> Reviewed-by: Michael Paquier <michael@paquier.xyz> Discussion: https://www.postgresql.org/message-id/flat/20190924101859.09383b4f%40fafnir.local.vm
1 parent 4ea03f3 commit 4e6f101


1 file changed

+46
-2
lines changed


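--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -198,7 +198,12 @@ be_tls_init(bool isServerStart)
 
 if (ssl_ver == -1)
 goto error;
-SSL_CTX_set_min_proto_version(context, ssl_ver);
+if (!SSL_CTX_set_min_proto_version(context, ssl_ver))
+{
+ereport(isServerStart ? FATAL : LOG,
+(errmsg("could not set minimum SSL protocol version")));
+goto error;
+}
 }
 
 if (ssl_max_protocol_version)
@@ -209,7 +214,12 @@ be_tls_init(bool isServerStart)
 
 if (ssl_ver == -1)
 goto error;
-SSL_CTX_set_max_proto_version(context, ssl_ver);
+if (!SSL_CTX_set_max_proto_version(context, ssl_ver))
+{
+ereport(isServerStart ? FATAL : LOG,
+(errmsg("could not set maximum SSL protocol version")));
+goto error;
+}
 }
 
 /* disallow SSL session tickets */
@@ -1326,13 +1336,30 @@ SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version)
 
 if (version > TLS1_VERSION)
 ssl_options |= SSL_OP_NO_TLSv1;
+/*
+* Some OpenSSL versions define TLS*_VERSION macros but not the
+* corresponding SSL_OP_NO_* macro, so in those cases we have to return
+* unsuccessfully here.
+*/
 #ifdef TLS1_1_VERSION
 if (version > TLS1_1_VERSION)
+{
+#ifdef SSL_OP_NO_TLSv1_1
 ssl_options |= SSL_OP_NO_TLSv1_1;
+#else
+return 0;
+#endif
+}
 #endif
 #ifdef TLS1_2_VERSION
 if (version > TLS1_2_VERSION)
+{
+#ifdef SSL_OP_NO_TLSv1_2
 ssl_options |= SSL_OP_NO_TLSv1_2;
+#else
+return 0;
+#endif
+}
 #endif
 
 SSL_CTX_set_options(ctx, ssl_options);
@@ -1347,13 +1374,30 @@ SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version)
 
 AssertArg(version != 0);
 
+/*
+* Some OpenSSL versions define TLS*_VERSION macros but not the
+* corresponding SSL_OP_NO_* macro, so in those cases we have to return
+* unsuccessfully here.
+*/
 #ifdef TLS1_1_VERSION
 if (version < TLS1_1_VERSION)
+{
+#ifdef SSL_OP_NO_TLSv1_1
 ssl_options |= SSL_OP_NO_TLSv1_1;
+#else
+return 0;
+#endif
+}
 #endif
 #ifdef TLS1_2_VERSION
 if (version < TLS1_2_VERSION)
+{
+#ifdef SSL_OP_NO_TLSv1_2
 ssl_options |= SSL_OP_NO_TLSv1_2;
+#else
+return 0;
+#endif
+}
 #endif
 
 SSL_CTX_set_options(ctx, ssl_options);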
