Use abstracted SSL API in server connection log messages

The existing "connection authorized" server log messages used OpenSSL
API calls directly, even though similar abstracted API calls exist.
Change to use the latter instead.

Change the function prototype for the functions that return the TLS
version and the cipher to return const char * directly instead of
copying into a buffer.  That makes them slightly easier to use.

Add bits= to the message.  psql shows that, so we might as well show the
same information on the client and server.

Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
Reviewed-by: Michael Paquier <michael.paquier@gmail.com>
This commit is contained in:
Peter Eisentraut 2018-01-25 08:58:00 -05:00
parent a6ef00b5c3
commit c1869542b3
4 changed files with 26 additions and 20 deletions

View File

@ -1047,22 +1047,22 @@ be_tls_get_compression(Port *port)
return false;
}
void
be_tls_get_version(Port *port, char *ptr, size_t len)
const char *
be_tls_get_version(Port *port)
{
if (port->ssl)
strlcpy(ptr, SSL_get_version(port->ssl), len);
return SSL_get_version(port->ssl);
else
ptr[0] = '\0';
return NULL;
}
void
be_tls_get_cipher(Port *port, char *ptr, size_t len)
const char *
be_tls_get_cipher(Port *port)
{
if (port->ssl)
strlcpy(ptr, SSL_get_cipher(port->ssl), len);
return SSL_get_cipher(port->ssl);
else
ptr[0] = '\0';
return NULL;
}
void

View File

@ -2909,8 +2909,8 @@ pgstat_bestart(void)
beentry->st_ssl = true;
beentry->st_sslstatus->ssl_bits = be_tls_get_cipher_bits(MyProcPort);
beentry->st_sslstatus->ssl_compression = be_tls_get_compression(MyProcPort);
be_tls_get_version(MyProcPort, beentry->st_sslstatus->ssl_version, NAMEDATALEN);
be_tls_get_cipher(MyProcPort, beentry->st_sslstatus->ssl_cipher, NAMEDATALEN);
strlcpy(beentry->st_sslstatus->ssl_version, be_tls_get_version(MyProcPort), NAMEDATALEN);
strlcpy(beentry->st_sslstatus->ssl_cipher, be_tls_get_cipher(MyProcPort), NAMEDATALEN);
be_tls_get_peerdn_name(MyProcPort, beentry->st_sslstatus->ssl_clientdn, NAMEDATALEN);
}
else

View File

@ -246,12 +246,15 @@ PerformAuthentication(Port *port)
{
if (am_walsender)
{
#ifdef USE_OPENSSL
#ifdef USE_SSL
if (port->ssl_in_use)
ereport(LOG,
(errmsg("replication connection authorized: user=%s SSL enabled (protocol=%s, cipher=%s, compression=%s)",
port->user_name, SSL_get_version(port->ssl), SSL_get_cipher(port->ssl),
SSL_get_current_compression(port->ssl) ? _("on") : _("off"))));
(errmsg("replication connection authorized: user=%s SSL enabled (protocol=%s, cipher=%s, bits=%d, compression=%s)",
port->user_name,
be_tls_get_version(port),
be_tls_get_cipher(port),
be_tls_get_cipher_bits(port),
be_tls_get_compression(port) ? _("on") : _("off"))));
else
#endif
ereport(LOG,
@ -260,12 +263,15 @@ PerformAuthentication(Port *port)
}
else
{
#ifdef USE_OPENSSL
#ifdef USE_SSL
if (port->ssl_in_use)
ereport(LOG,
(errmsg("connection authorized: user=%s database=%s SSL enabled (protocol=%s, cipher=%s, compression=%s)",
port->user_name, port->database_name, SSL_get_version(port->ssl), SSL_get_cipher(port->ssl),
SSL_get_current_compression(port->ssl) ? _("on") : _("off"))));
(errmsg("connection authorized: user=%s database=%s SSL enabled (protocol=%s, cipher=%s, bits=%d, compression=%s)",
port->user_name, port->database_name,
be_tls_get_version(port),
be_tls_get_cipher(port),
be_tls_get_cipher_bits(port),
be_tls_get_compression(port) ? _("on") : _("off"))));
else
#endif
ereport(LOG,

View File

@ -256,8 +256,8 @@ extern ssize_t be_tls_write(Port *port, void *ptr, size_t len, int *waitfor);
*/
extern int be_tls_get_cipher_bits(Port *port);
extern bool be_tls_get_compression(Port *port);
extern void be_tls_get_version(Port *port, char *ptr, size_t len);
extern void be_tls_get_cipher(Port *port, char *ptr, size_t len);
extern const char *be_tls_get_version(Port *port);
extern const char *be_tls_get_cipher(Port *port);
extern void be_tls_get_peerdn_name(Port *port, char *ptr, size_t len);
/*