Re: Update minimum SSL version

From Tom Lane
Subject Re: Update minimum SSL version
Msg-id 4448.1575309086@sss.pgh.pa.us
In response to Re: Update minimum SSL version  (Robert Haas <robertmhaas@gmail.com>)
Responses Re: Update minimum SSL version  (Michael Paquier <michael@paquier.xyz>)
List pgsql-hackers
Robert Haas <robertmhaas@gmail.com> writes:
> On Mon, Dec 2, 2019 at 11:39 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> Maybe it'd be worth extending that to show the max supported
>> version, with some rats-nest of #ifdefs, but I'm not sure if
>> it's worth the trouble.

> Especially if we mess up the #ifdefs. :-)

Yah.  Although, looking at the code in be-secure-openssl.c,
it doesn't look that hard to do in an extensible way.
Something like (untested)

 static int
 ssl_protocol_version_to_openssl(int v, const char *guc_name, int loglevel)
 {
     switch (v)
     {
         case PG_TLS_ANY:
             return 0;
         case PG_TLS1_VERSION:
+#define PG_MAX_TLS_VERSION "TLSv1"
             return TLS1_VERSION;
         case PG_TLS1_1_VERSION:
 #ifdef TLS1_1_VERSION
+#undef PG_MAX_TLS_VERSION
+#define PG_MAX_TLS_VERSION "TLSv1.1"
             return TLS1_1_VERSION;
 #else
             break;
 #endif
         case PG_TLS1_2_VERSION:
 #ifdef TLS1_2_VERSION
+#undef PG_MAX_TLS_VERSION
+#define PG_MAX_TLS_VERSION "TLSv1.2"
             return TLS1_2_VERSION;
 #else
             break;
 #endif
         case PG_TLS1_3_VERSION:
 #ifdef TLS1_3_VERSION
+#undef PG_MAX_TLS_VERSION
+#define PG_MAX_TLS_VERSION "TLSv1.3"
             return TLS1_3_VERSION;
 #else
             break;
 #endif
     }
 
     ereport(loglevel,
             (errmsg("%s setting %s not supported by this build",
                     guc_name,
-                    GetConfigOption(guc_name, false, false))));
+                    GetConfigOption(guc_name, false, false)),
+             errdetail("Maximum supported TLS version is %s.",
+                       PG_MAX_TLS_VERSION)));
     return -1;
 }
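
Review bot: PG_MAX_TLS_VERSION comes out right only because the case labels are listed in ascending version order. The #define/#undef lines are processed by the preprocessor in textual order, independent of which case executes, so reordering the cases or inserting a new version above an existing one would make the errdetail report the wrong maximum without any compiler complaint. Either add a comment at the top of the switch stating that the cases must stay in ascending order, or derive the macro once in an #if/#elif chain on TLS1_3_VERSION, TLS1_2_VERSION and TLS1_1_VERSION outside the function. The second form also avoids defining a macro inside a function body that then stays visible for the rest of be-secure-openssl.c.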

            regards, tom lane


