Skip to content

Commit 2f47339

Browse files
michaelpqmichaelpq
committed
Revert "Add GUC checks for ssl_min_protocol_version and ssl_max_protocol_version"
This reverts commit 41aadee, as the GUC checks could run on older values with the new values used, and result in incorrect errors if both parameters are changed at the same time. Per complaint from Tom Lane. Discussion: https://postgr.es/m/27574.1581015893@sss.pgh.pa.us Backpatch-through: 12
1 parent 4988d7e commit 2f47339

File tree

3 files changed

+4
-69
lines changed

3 files changed

+4
-69
lines changed

src/backend/utils/misc/guc.c

Lines changed: 2 additions & 49 deletions
Original file line numberDiff line numberDiff line change
@@ -201,10 +201,6 @@ static bool check_cluster_name(char **newval, void **extra, GucSource source);
201201
static const char *show_unix_socket_permissions(void);
202202
static const char *show_log_file_mode(void);
203203
static const char *show_data_directory_mode(void);
204-
static bool check_ssl_min_protocol_version(int *newval, void **extra,
205-
GucSource source);
206-
static bool check_ssl_max_protocol_version(int *newval, void **extra,
207-
GucSource source);
208204
static bool check_recovery_target_timeline(char **newval, void **extra, GucSource source);
209205
static void assign_recovery_target_timeline(const char *newval, void *extra);
210206
static bool check_recovery_target(char **newval, void **extra, GucSource source);
@@ -4526,7 +4522,7 @@ static struct config_enum ConfigureNamesEnum[] =
45264522
&ssl_min_protocol_version,
45274523
PG_TLS1_VERSION,
45284524
ssl_protocol_versions_info + 1, /* don't allow PG_TLS_ANY */
4529-
check_ssl_min_protocol_version, NULL, NULL
4525+
NULL, NULL, NULL
45304526
},
45314527

45324528
{
@@ -4538,7 +4534,7 @@ static struct config_enum ConfigureNamesEnum[] =
45384534
&ssl_max_protocol_version,
45394535
PG_TLS_ANY,
45404536
ssl_protocol_versions_info,
4541-
check_ssl_max_protocol_version, NULL, NULL
4537+
NULL, NULL, NULL
45424538
},
45434539

45444540
/* End-of-list marker */
@@ -11442,49 +11438,6 @@ show_data_directory_mode(void)
1144211438
return buf;
1144311439
}
1144411440

11445-
static bool
11446-
check_ssl_min_protocol_version(int *newval, void **extra, GucSource source)
11447-
{
11448-
int new_ssl_min_protocol_version = *newval;
11449-
11450-
/* PG_TLS_ANY is not supported for the minimum bound */
11451-
Assert(new_ssl_min_protocol_version > PG_TLS_ANY);
11452-
11453-
if (ssl_max_protocol_version &&
11454-
new_ssl_min_protocol_version > ssl_max_protocol_version)
11455-
{
11456-
GUC_check_errhint("\"%s\" cannot be higher than \"%s\".",
11457-
"ssl_min_protocol_version",
11458-
"ssl_max_protocol_version");
11459-
GUC_check_errcode(ERRCODE_INVALID_PARAMETER_VALUE);
11460-
return false;
11461-
}
11462-
11463-
return true;
11464-
}
11465-
11466-
static bool
11467-
check_ssl_max_protocol_version(int *newval, void **extra, GucSource source)
11468-
{
11469-
int new_ssl_max_protocol_version = *newval;
11470-
11471-
/* if PG_TLS_ANY, there is no need to check the bounds */
11472-
if (new_ssl_max_protocol_version == PG_TLS_ANY)
11473-
return true;
11474-
11475-
if (ssl_min_protocol_version &&
11476-
ssl_min_protocol_version > new_ssl_max_protocol_version)
11477-
{
11478-
GUC_check_errhint("\"%s\" cannot be lower than \"%s\".",
11479-
"ssl_max_protocol_version",
11480-
"ssl_min_protocol_version");
11481-
GUC_check_errcode(ERRCODE_INVALID_PARAMETER_VALUE);
11482-
return false;
11483-
}
11484-
11485-
return true;
11486-
}
11487-
1148811441
static bool
1148911442
check_recovery_target_timeline(char **newval, void **extra, GucSource source)
1149011443
{

src/test/ssl/t/001_ssltests.pl

Lines changed: 1 addition & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@
1313

1414
if ($ENV{with_openssl} eq 'yes')
1515
{
16-
plan tests => 77;
16+
plan tests => 75;
1717
}
1818
else
1919
{
@@ -87,24 +87,6 @@
8787
'restart succeeds with password-protected key file');
8888
$node->_update_pid(1);
8989

90-
# Test compatibility of SSL protocols.
91-
# TLSv1.1 is lower than TLSv1.2, so it won't work.
92-
$node->append_conf(
93-
'postgresql.conf',
94-
qq{ssl_min_protocol_version='TLSv1.2'
95-
ssl_max_protocol_version='TLSv1.1'});
96-
command_fails(
97-
[ 'pg_ctl', '-D', $node->data_dir, '-l', $node->logfile, 'restart' ],
98-
'restart fails with incorrect SSL protocol bounds');
99-
# Go back to the defaults, this works.
100-
$node->append_conf(
101-
'postgresql.conf',
102-
qq{ssl_min_protocol_version='TLSv1'
103-
ssl_max_protocol_version=''});
104-
command_ok(
105-
[ 'pg_ctl', '-D', $node->data_dir, '-l', $node->logfile, 'restart' ],
106-
'restart succeeds with correct SSL protocol bounds');
107-
10890
### Run client-side tests.
10991
###
11092
### Test that libpq accepts/rejects the connection correctly, depending

src/test/ssl/t/SSLServer.pm

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -128,7 +128,7 @@ sub configure_test_server_for_ssl
128128
print $conf "log_statement=all\n";
129129

130130
# enable SSL and set up server key
131-
print $conf "include 'sslconfig.conf'\n";
131+
print $conf "include 'sslconfig.conf'";
132132

133133
close $conf;
134134

0 commit comments

Comments
 (0)