
Commit a430c7b

committed
Fix compilation with older OpenSSL versions
Some older OpenSSL versions (0.9.8 branch) define TLS*_VERSION macros but not the corresponding SSL_OP_NO_* macro, which causes the code for handling ssl_min_protocol_version/ssl_max_protocol_version to fail to compile. To fix, add more #ifdefs and error handling. Reported-by: Victor Wagner <vitus@wagner.pp.ru> Reviewed-by: Michael Paquier <michael@paquier.xyz> Discussion: https://www.postgresql.org/message-id/flat/20190924101859.09383b4f%40fafnir.local.vm
1 parent 9de7ea6 commit a430c7b

1 file changed

+46
-2
lines changed


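--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -198,7 +198,12 @@ be_tls_init(bool isServerStart)
 
 if (ssl_ver == -1)
 goto error;
-SSL_CTX_set_min_proto_version(context, ssl_ver);
+if (!SSL_CTX_set_min_proto_version(context, ssl_ver))
+{
+ereport(isServerStart ? FATAL : LOG,
+(errmsg("could not set minimum SSL protocol version")));
+goto error;
+}
 }
 
 if (ssl_max_protocol_version)
@@ -209,7 +214,12 @@ be_tls_init(bool isServerStart)
 
 if (ssl_ver == -1)
 goto error;
-SSL_CTX_set_max_proto_version(context, ssl_ver);
+if (!SSL_CTX_set_max_proto_version(context, ssl_ver))
+{
+ereport(isServerStart ? FATAL : LOG,
+(errmsg("could not set maximum SSL protocol version")));
+goto error;
+}
 }
 
 /* disallow SSL session tickets */
@@ -1335,13 +1345,30 @@ SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version)
 
 if (version > TLS1_VERSION)
 ssl_options |= SSL_OP_NO_TLSv1;
+/*
+* Some OpenSSL versions define TLS*_VERSION macros but not the
+* corresponding SSL_OP_NO_* macro, so in those cases we have to return
+* unsuccessfully here.
+*/
 #ifdef TLS1_1_VERSION
 if (version > TLS1_1_VERSION)
+{
+#ifdef SSL_OP_NO_TLSv1_1
 ssl_options |= SSL_OP_NO_TLSv1_1;
+#else
+return 0;
+#endif
+}
 #endif
 #ifdef TLS1_2_VERSION
 if (version > TLS1_2_VERSION)
+{
+#ifdef SSL_OP_NO_TLSv1_2
 ssl_options |= SSL_OP_NO_TLSv1_2;
+#else
+return 0;
+#endif
+}
 #endif
 
 SSL_CTX_set_options(ctx, ssl_options);
@@ -1356,13 +1383,30 @@ SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version)
 
 AssertArg(version != 0);
 
+/*
+* Some OpenSSL versions define TLS*_VERSION macros but not the
+* corresponding SSL_OP_NO_* macro, so in those cases we have to return
+* unsuccessfully here.
+*/
 #ifdef TLS1_1_VERSION
 if (version < TLS1_1_VERSION)
+{
+#ifdef SSL_OP_NO_TLSv1_1
 ssl_options |= SSL_OP_NO_TLSv1_1;
+#else
+return 0;
+#endif
+}
 #endif
 #ifdef TLS1_2_VERSION
 if (version < TLS1_2_VERSION)
+{
+#ifdef SSL_OP_NO_TLSv1_2
 ssl_options |= SSL_OP_NO_TLSv1_2;
+#else
+return 0;
+#endif
+}
 #endif
 
 SSL_CTX_set_options(ctx, ssl_options);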
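Review bot: The `return 0;` branches added under `#else` in SSL_CTX_set_min_proto_version fail closed — a requested protocol bound that this OpenSSL build cannot enforce is rejected instead of silently dropped — but the new block comment only says "we have to return unsuccessfully" and does not give that rationale, so a later reader may be tempted to remove the `#else` and let the request fall through. I would extend the comment with `* Returning 0 here (rather than skipping the option) is deliberate: a configured protocol bound must never be silently ignored.`, and the identical hunk in SSL_CTX_set_max_proto_version needs the same wording. In be_tls_init the new ereport messages give no detail on why the call failed; since this failure does not come from OpenSSL's error queue, an `errdetail` naming the requested version, or stating that this OpenSSL build cannot enforce it, would save the operator a guess — the variable holding the requested setting is outside the hunk, so I cannot quote the exact expression. Both compatibility functions continue outside their hunks, so the value they return on the success path is not visible here.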
