mirror of
https://github.com/postgres/postgres.git
synced 2025-11-20 00:02:24 -05:00
b63dd3d88f
OpenSSL's native reports about problems related to protocol version restrictions are pretty opaque and inconsistent. When we get an SSL error that is plausibly due to this, emit a hint message that includes the range of SSL protocol versions we (think we) are allowing. This should at least get the user thinking in the right direction to resolve the problem, even if the hint isn't totally accurate, which it might not be for assorted reasons. Back-patch to v13 where we increased the default minimum protocol version, thereby increasing the risk of this class of failure. Patch by me, reviewed by Daniel Gustafsson Discussion: https://postgr.es/m/a9408304-4381-a5af-d259-e55d349ae4ce@2ndquadrant.com
50 lines
1.5 KiB
C
50 lines
1.5 KiB
C
/*-------------------------------------------------------------------------
|
|
*
|
|
* openssl.h
|
|
* OpenSSL supporting functionality shared between frontend and backend
|
|
*
|
|
* Portions Copyright (c) 1996-2020, PostgreSQL Global Development Group
|
|
* Portions Copyright (c) 1994, Regents of the University of California
|
|
*
|
|
* IDENTIFICATION
|
|
* src/include/common/openssl.h
|
|
*
|
|
*-------------------------------------------------------------------------
|
|
*/
|
|
#ifndef COMMON_OPENSSL_H
|
|
#define COMMON_OPENSSL_H
|
|
|
|
#ifdef USE_OPENSSL
|
|
#include <openssl/ssl.h>
|
|
|
|
/*
|
|
* OpenSSL doesn't provide any very nice way to identify the min/max
|
|
* protocol versions the library supports, so we fake it as best we can.
|
|
* Note in particular that this doesn't account for restrictions that
|
|
* might be specified in the installation's openssl.cnf.
|
|
*
|
|
* We disable SSLv3 and older in library setup, so TLSv1 is the oldest
|
|
* protocol version of interest.
|
|
*/
|
|
#define MIN_OPENSSL_TLS_VERSION "TLSv1"
|
|
|
|
#if defined(TLS1_3_VERSION)
|
|
#define MAX_OPENSSL_TLS_VERSION "TLSv1.3"
|
|
#elif defined(TLS1_2_VERSION)
|
|
#define MAX_OPENSSL_TLS_VERSION "TLSv1.2"
|
|
#elif defined(TLS1_1_VERSION)
|
|
#define MAX_OPENSSL_TLS_VERSION "TLSv1.1"
|
|
#else
|
|
#define MAX_OPENSSL_TLS_VERSION "TLSv1"
|
|
#endif
|
|
|
|
/* src/common/protocol_openssl.c */
|
|
#ifndef SSL_CTX_set_min_proto_version
|
|
extern int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version);
|
|
extern int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version);
|
|
#endif
|
|
|
|
#endif /* USE_OPENSSL */
|
|
|
|
#endif /* COMMON_OPENSSL_H */
|