
Commit a430c7b

Fix compilation with older OpenSSL versions
Some older OpenSSL versions (0.9.8 branch) define TLS*_VERSION macros but not the corresponding SSL_OP_NO_* macro, which causes the code for handling ssl_min_protocol_version/ssl_max_protocol_version to fail to compile. To fix, add more #ifdefs and error handling.

Reported-by: Victor Wagner <vitus@wagner.pp.ru>
Reviewed-by: Michael Paquier <michael@paquier.xyz>
Discussion: https://www.postgresql.org/message-id/flat/20190924101859.09383b4f%40fafnir.local.vm
1 parent 9de7ea6 commit a430c7b


1 file changed

+46
-2
lines changed


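--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -198,7 +198,12 @@ be_tls_init(bool isServerStart)
 
 if (ssl_ver == -1)
 goto error;
-SSL_CTX_set_min_proto_version(context, ssl_ver);
+if (!SSL_CTX_set_min_proto_version(context, ssl_ver))
+{
+ereport(isServerStart ? FATAL : LOG,
+(errmsg("could not set minimum SSL protocol version")));
+goto error;
+}
 }
 
 if (ssl_max_protocol_version)
@@ -209,7 +214,12 @@ be_tls_init(bool isServerStart)
 
 if (ssl_ver == -1)
 goto error;
-SSL_CTX_set_max_proto_version(context, ssl_ver);
+if (!SSL_CTX_set_max_proto_version(context, ssl_ver))
+{
+ereport(isServerStart ? FATAL : LOG,
+(errmsg("could not set maximum SSL protocol version")));
+goto error;
+}
 }
 
 /* disallow SSL session tickets */
@@ -1335,13 +1345,30 @@ SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version)
 
 if (version > TLS1_VERSION)
 ssl_options |= SSL_OP_NO_TLSv1;
+/*
+* Some OpenSSL versions define TLS*_VERSION macros but not the
+* corresponding SSL_OP_NO_* macro, so in those cases we have to return
+* unsuccessfully here.
+*/
 #ifdef TLS1_1_VERSION
 if (version > TLS1_1_VERSION)
+{
+#ifdef SSL_OP_NO_TLSv1_1
 ssl_options |= SSL_OP_NO_TLSv1_1;
+#else
+return 0;
+#endif
+}
 #endif
 #ifdef TLS1_2_VERSION
 if (version > TLS1_2_VERSION)
+{
+#ifdef SSL_OP_NO_TLSv1_2
 ssl_options |= SSL_OP_NO_TLSv1_2;
+#else
+return 0;
+#endif
+}
 #endif
 
 SSL_CTX_set_options(ctx, ssl_options);
@@ -1356,13 +1383,30 @@ SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version)
 
 AssertArg(version != 0);
 
+/*
+* Some OpenSSL versions define TLS*_VERSION macros but not the
+* corresponding SSL_OP_NO_* macro, so in those cases we have to return
+* unsuccessfully here.
+*/
 #ifdef TLS1_1_VERSION
 if (version < TLS1_1_VERSION)
+{
+#ifdef SSL_OP_NO_TLSv1_1
 ssl_options |= SSL_OP_NO_TLSv1_1;
+#else
+return 0;
+#endif
+}
 #endif
 #ifdef TLS1_2_VERSION
 if (version < TLS1_2_VERSION)
+{
+#ifdef SSL_OP_NO_TLSv1_2
 ssl_options |= SSL_OP_NO_TLSv1_2;
+#else
+return 0;
+#endif
+}
 #endif
 
 SSL_CTX_set_options(ctx, ssl_options);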
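Review bot: The two new `ereport` calls in be_tls_init (new lines 203–204 and 219–220) tell the administrator that the bound could not be applied but not which configured value was rejected or why, and the one message now covers two distinct failure modes: the shim's new `return 0` paths, taken when the headers lack the `SSL_OP_NO_*` macro for the requested version, and a genuine failure of OpenSSL's own `SSL_CTX_set_min_proto_version`/`SSL_CTX_set_max_proto_version` on builds that provide them. Adding an `errdetail` such as `errdetail("The configured protocol version is not supported by the OpenSSL version this server was built against.")` would make the FATAL at startup actionable without the admin having to guess at the OpenSSL build. A second caveat worth a comment above the shims: they are driven purely by compile-time macros, so if the headers used for the build predate a dynamically linked runtime library, a protocol version the headers do not define cannot be disabled through this path, which presumably means ssl_max_protocol_version may not be enforceable on such a mismatch even though startup succeeds. be_tls_init and both shim functions begin and end outside the hunks shown.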