
Commit 4e6f101

committed
Fix compilation with older OpenSSL versions
Some older OpenSSL versions (0.9.8 branch) define TLS*_VERSION macros but not the corresponding SSL_OP_NO_* macro, which causes the code for handling ssl_min_protocol_version/ssl_max_protocol_version to fail to compile. To fix, add more #ifdefs and error handling.

Reported-by: Victor Wagner <vitus@wagner.pp.ru>
Reviewed-by: Michael Paquier <michael@paquier.xyz>
Discussion: https://www.postgresql.org/message-id/flat/20190924101859.09383b4f%40fafnir.local.vm
1 parent 4ea03f3 commit 4e6f101


1 file changed

+46
-2
lines changed

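--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -198,7 +198,12 @@ be_tls_init(bool isServerStart)
 
 if (ssl_ver == -1)
 goto error;
-SSL_CTX_set_min_proto_version(context, ssl_ver);
+if (!SSL_CTX_set_min_proto_version(context, ssl_ver))
+{
+ereport(isServerStart ? FATAL : LOG,
+(errmsg("could not set minimum SSL protocol version")));
+goto error;
+}
 }
 
 if (ssl_max_protocol_version)
@@ -209,7 +214,12 @@ be_tls_init(bool isServerStart)
 
 if (ssl_ver == -1)
 goto error;
-SSL_CTX_set_max_proto_version(context, ssl_ver);
+if (!SSL_CTX_set_max_proto_version(context, ssl_ver))
+{
+ereport(isServerStart ? FATAL : LOG,
+(errmsg("could not set maximum SSL protocol version")));
+goto error;
+}
 }
 
 /* disallow SSL session tickets */
@@ -1326,13 +1336,30 @@ SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version)
 
 if (version > TLS1_VERSION)
 ssl_options |= SSL_OP_NO_TLSv1;
+/*
+ * Some OpenSSL versions define TLS*_VERSION macros but not the
+ * corresponding SSL_OP_NO_* macro, so in those cases we have to return
+ * unsuccessfully here.
+ */
 #ifdef TLS1_1_VERSION
 if (version > TLS1_1_VERSION)
+{
+#ifdef SSL_OP_NO_TLSv1_1
 ssl_options |= SSL_OP_NO_TLSv1_1;
+#else
+return 0;
+#endif
+}
 #endif
 #ifdef TLS1_2_VERSION
 if (version > TLS1_2_VERSION)
+{
+#ifdef SSL_OP_NO_TLSv1_2
 ssl_options |= SSL_OP_NO_TLSv1_2;
+#else
+return 0;
+#endif
+}
 #endif
 
 SSL_CTX_set_options(ctx, ssl_options);
@@ -1347,13 +1374,30 @@ SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version)
 
 AssertArg(version != 0);
 
+/*
+ * Some OpenSSL versions define TLS*_VERSION macros but not the
+ * corresponding SSL_OP_NO_* macro, so in those cases we have to return
+ * unsuccessfully here.
+ */
 #ifdef TLS1_1_VERSION
 if (version < TLS1_1_VERSION)
+{
+#ifdef SSL_OP_NO_TLSv1_1
 ssl_options |= SSL_OP_NO_TLSv1_1;
+#else
+return 0;
+#endif
+}
 #endif
 #ifdef TLS1_2_VERSION
 if (version < TLS1_2_VERSION)
+{
+#ifdef SSL_OP_NO_TLSv1_2
 ssl_options |= SSL_OP_NO_TLSv1_2;
+#else
+return 0;
+#endif
+}
 #endif
 
 SSL_CTX_set_options(ctx, ssl_options);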
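Review bot: The ereport added at new lines 203-205 (and its twin in the second hunk at 219-221) gives the administrator no way to tell why the call failed, and after this commit there are two distinct causes: the compatibility shim returning 0 at new lines 1349/1360 and 1388/1398 because this OpenSSL build defines the TLS*_VERSION macro but not the matching SSL_OP_NO_* macro, versus a failure inside a native SSL_CTX_set_min_proto_version/SSL_CTX_set_max_proto_version. Consider adding a detail line such as `errdetail("The requested ssl_min_protocol_version may not be supported by this OpenSSL version.")` (and the ssl_max_protocol_version equivalent) so the log names the setting and the library instead of leaving a bare message. Returning 0 rather than silently applying a floor that cannot be enforced is the right, fail-closed outcome, and the `return 0;` sites would benefit from a one-line comment saying so, e.g. `/* cannot enforce the requested bound; fail rather than silently weaken it */`. be_tls_init's body begins and ends outside these hunks.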
