Fix compilation with older OpenSSL versions
Some older OpenSSL versions (0.9.8 branch) define TLS*_VERSION macros but not the corresponding SSL_OP_NO_* macro, which causes the code for handling ssl_min_protocol_version/ssl_max_protocol_version to fail to compile. To fix, add more #ifdefs and error handling. Reported-by: Victor Wagner <vitus@wagner.pp.ru> Reviewed-by: Michael Paquier <michael@paquier.xyz> Discussion: https://www.postgresql.org/message-id/flat/20190924101859.09383b4f%40fafnir.local.vm
This commit is contained in:
Peter Eisentraut
parent
4ea03f3f4e
commit
4e6f101e92
|
|
@ -198,7 +198,12 @@ be_tls_init(bool isServerStart)
|
|||
|
||||
if (ssl_ver == -1)
|
||||
goto error;
|
||||
SSL_CTX_set_min_proto_version(context, ssl_ver);
|
||||
if (!SSL_CTX_set_min_proto_version(context, ssl_ver))
|
||||
{
|
||||
ereport(isServerStart ? FATAL : LOG,
|
||||
(errmsg("could not set minimum SSL protocol version")));
|
||||
goto error;
|
||||
}
|
||||
}
|
||||
|
||||
if (ssl_max_protocol_version)
|
||||
|
|
@ -209,7 +214,12 @@ be_tls_init(bool isServerStart)
|
|||
|
||||
if (ssl_ver == -1)
|
||||
goto error;
|
||||
SSL_CTX_set_max_proto_version(context, ssl_ver);
|
||||
if (!SSL_CTX_set_max_proto_version(context, ssl_ver))
|
||||
{
|
||||
ereport(isServerStart ? FATAL : LOG,
|
||||
(errmsg("could not set maximum SSL protocol version")));
|
||||
goto error;
|
||||
}
|
||||
}
|
||||
|
||||
/* disallow SSL session tickets */
|
||||
|
|
@ -1326,13 +1336,30 @@ SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version)
|
|||
|
||||
if (version > TLS1_VERSION)
|
||||
ssl_options |= SSL_OP_NO_TLSv1;
|
||||
/*
|
||||
* Some OpenSSL versions define TLS*_VERSION macros but not the
|
||||
* corresponding SSL_OP_NO_* macro, so in those cases we have to return
|
||||
* unsuccessfully here.
|
||||
*/
|
||||
#ifdef TLS1_1_VERSION
|
||||
if (version > TLS1_1_VERSION)
|
||||
{
|
||||
#ifdef SSL_OP_NO_TLSv1_1
|
||||
ssl_options |= SSL_OP_NO_TLSv1_1;
|
||||
#else
|
||||
return 0;
|
||||
#endif
|
||||
}
|
||||
#endif
|
||||
#ifdef TLS1_2_VERSION
|
||||
if (version > TLS1_2_VERSION)
|
||||
{
|
||||
#ifdef SSL_OP_NO_TLSv1_2
|
||||
ssl_options |= SSL_OP_NO_TLSv1_2;
|
||||
#else
|
||||
return 0;
|
||||
#endif
|
||||
}
|
||||
#endif
|
||||
|
||||
SSL_CTX_set_options(ctx, ssl_options);
|
||||
|
|
@ -1347,13 +1374,30 @@ SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version)
|
|||
|
||||
AssertArg(version != 0);
|
||||
|
||||
/*
|
||||
* Some OpenSSL versions define TLS*_VERSION macros but not the
|
||||
* corresponding SSL_OP_NO_* macro, so in those cases we have to return
|
||||
* unsuccessfully here.
|
||||
*/
|
||||
#ifdef TLS1_1_VERSION
|
||||
if (version < TLS1_1_VERSION)
|
||||
{
|
||||
#ifdef SSL_OP_NO_TLSv1_1
|
||||
ssl_options |= SSL_OP_NO_TLSv1_1;
|
||||
#else
|
||||
return 0;
|
||||
#endif
|
||||
}
|
||||
#endif
|
||||
#ifdef TLS1_2_VERSION
|
||||
if (version < TLS1_2_VERSION)
|
||||
{
|
||||
#ifdef SSL_OP_NO_TLSv1_2
|
||||
ssl_options |= SSL_OP_NO_TLSv1_2;
|
||||
#else
|
||||
return 0;
|
||||
#endif
|
||||
}
|
||||
#endif
|
||||
|
||||
SSL_CTX_set_options(ctx, ssl_options);
|
||||
|
|
|
|||
Loading…
Reference in New Issue