Re: Improve errors when setting incorrect bounds for SSL protocols

From Peter Eisentraut
Subject Re: Improve errors when setting incorrect bounds for SSL protocols
Date
Msg-id 5342043b-c85f-2fb9-7934-45cf6a64b200@2ndquadrant.com
In response to Re: Improve errors when setting incorrect bounds for SSL protocols  (Michael Paquier <michael@paquier.xyz>)
List pgsql-hackers
On 2020-01-15 03:28, Michael Paquier wrote:
> Good points.  And the get routines are not that portable in OpenSSL
> either even if HEAD supports 1.0.1 and newer versions...  Attached is
> an updated patch which uses a GUC check for both parameters, and
> provides a hint on top of the original error message.  The SSL context
> does not get reloaded if there is an error, so the errors from OpenSSL
> cannot be triggered as far as I checked (after mixing a couple of
> correct and incorrect combinations manually).

The reason this wasn't done originally is that it is not correct to have 
GUC check hooks that refer to other GUC variables, because otherwise you 
get inconsistent behavior depending on the order of processing of the 
assignments.  In this case, I think it would work because you have 
symmetric checks for both variables, but in general it is a problematic 
strategy.

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
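
The order dependence described in the message above, as an added example that is not part of the original email and is not PostgreSQL code: a toy C model in which two settings each have a check hook that consults the other's current value. The names `check_min`, `check_max` and `transition`, and the one-assignment-at-a-time processing, are assumptions made for illustration.

```c
#include <stdio.h>

/* Toy model, not PostgreSQL source. ANY means "no bound set". */
enum proto { ANY = 0, TLS1, TLS1_1, TLS1_2, TLS1_3 };

struct settings { enum proto min_ver, max_ver; };

/* Hypothetical check hooks: each one reads the OTHER setting's current value. */
static int check_min(const struct settings *s, enum proto v)
{
    return v == ANY || s->max_ver == ANY || v <= s->max_ver;
}

static int check_max(const struct settings *s, enum proto v)
{
    return v == ANY || s->min_ver == ANY || v >= s->min_ver;
}

/* Start from [cur_min, cur_max] and apply the two new values one at a time.
 * min_first selects the processing order. Returns how many assignments
 * were rejected by a check hook. */
int transition(enum proto cur_min, enum proto cur_max,
               enum proto new_min, enum proto new_max, int min_first)
{
    struct settings s = { cur_min, cur_max };
    int rejected = 0;

    for (int step = 0; step < 2; step++) {
        int do_min = (step == 0) == (min_first != 0);
        if (do_min) {
            if (check_min(&s, new_min)) s.min_ver = new_min; else rejected++;
        } else {
            if (check_max(&s, new_max)) s.max_ver = new_max; else rejected++;
        }
    }
    return rejected;
}

int main(void)
{
    /* Constructed case: valid target [TLS1_2, TLS1_3], old state [TLS1, TLS1_1]. */
    printf("valid target, min first: %d rejected\n",
           transition(TLS1, TLS1_1, TLS1_2, TLS1_3, 1));
    printf("valid target, max first: %d rejected\n",
           transition(TLS1, TLS1_1, TLS1_2, TLS1_3, 0));
    /* Constructed case: invalid target (min above max) is caught in either order. */
    printf("invalid target: %d / %d rejected\n",
           transition(TLS1, TLS1_3, TLS1_3, TLS1_2, 1),
           transition(TLS1, TLS1_3, TLS1_3, TLS1_2, 0));
    return 0;
}
```

In this model the same valid target pair is accepted or partly rejected depending only on which assignment is processed first, while an inverted pair is rejected in both orders because the checks are symmetric.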


