From 35324dbe908a779c9d84b438cb54328cfd74e403 Mon Sep 17 00:00:00 2001
From: Peter Eisentraut
Date: Thu, 26 Sep 2019 18:22:56 +0200
Subject: [PATCH] Fix compilation with older OpenSSL versions

TODO explanation here
---
 src/backend/libpq/be-secure-openssl.c | 35 +++++++++++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index c97c811e63..020f7c7f62 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -198,7 +198,8 @@ be_tls_init(bool isServerStart)
 if (ssl_ver == -1)
 goto error;
- SSL_CTX_set_min_proto_version(context, ssl_ver);
+ if (!SSL_CTX_set_min_proto_version(context, ssl_ver))
+ goto error;
 }
 if (ssl_max_protocol_version)
@@ -209,7 +210,8 @@ be_tls_init(bool isServerStart)
 if (ssl_ver == -1)
 goto error;
- SSL_CTX_set_max_proto_version(context, ssl_ver);
+ if (!SSL_CTX_set_max_proto_version(context, ssl_ver))
+ goto error;
 }
 /* disallow SSL session tickets */
@@ -1335,13 +1337,30 @@ SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version)
 if (version > TLS1_VERSION)
 ssl_options |= SSL_OP_NO_TLSv1;
+ /*
+ * Some OpenSSL versions define TLS*_VERSION macros but not the
+ * corresponding SSL_OP_NO_* macro, so in those cases we have to return
+ * unsuccessfully here.
+ */
 #ifdef TLS1_1_VERSION
 if (version > TLS1_1_VERSION)
+ {
+#ifdef SSL_OP_NO_TLSv1_1
 ssl_options |= SSL_OP_NO_TLSv1_1;
+#else
+ return 0;
+#endif
+ }
 #endif
 #ifdef TLS1_2_VERSION
 if (version > TLS1_2_VERSION)
+ {
+#ifdef SSL_OP_NO_TLSv1_2
 ssl_options |= SSL_OP_NO_TLSv1_2;
+#else
+ return 0;
+#endif
+ }
 #endif
 SSL_CTX_set_options(ctx, ssl_options);
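Review bot: The new `goto error` taken when SSL_CTX_set_min_proto_version() returns 0 emits no diagnostic, so on an older OpenSSL that cannot enforce the configured floor the operator only learns that TLS initialization failed, not why; the max-version check in the next hunk (@@ -209) has the same gap. The error label is outside the hunk, and presumably only frees the context and returns, so the report has to happen before the jump: `if (!SSL_CTX_set_min_proto_version(context, ssl_ver)) { ereport(isServerStart ? FATAL : LOG, (errmsg("could not set minimum SSL protocol version"))); goto error; }`, with the matching "maximum" wording in the second hunk. be_tls_init starts and ends outside the hunk.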
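Review bot: The new `return 0;` branches exit before the SSL_CTX_set_options() call at the end of the hunk, so a failed call leaves ctx unmodified, but the comment added above them does not say so and the function's header comment is outside the hunk. I would extend that comment with: `Returning before SSL_CTX_set_options() leaves ctx untouched, so the caller can abort initialization instead of running with a weaker minimum than configured.` Failing closed is the right choice here: a build that cannot disable TLS 1.1 or 1.2 cannot honour the configured floor, and silently leaving older versions negotiable would be worse than refusing to start.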
@@ -1358,11 +1377,23 @@ SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version)
 #ifdef TLS1_1_VERSION
 if (version < TLS1_1_VERSION)
+ {
+#ifdef SSL_OP_NO_TLSv1_1
 ssl_options |= SSL_OP_NO_TLSv1_1;
+#else
+ return 0;
+#endif
+ }
 #endif
 #ifdef TLS1_2_VERSION
 if (version < TLS1_2_VERSION)
+ {
+#ifdef SSL_OP_NO_TLSv1_2
 ssl_options |= SSL_OP_NO_TLSv1_2;
+#else
+ return 0;
+#endif
+ }
 #endif
 SSL_CTX_set_options(ctx, ssl_options);
-- 
2.23.0
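Review bot: The `return 0;` branches in the max-version fallback carry no explanation, unlike the matching ones added to SSL_CTX_set_min_proto_version in the previous hunk; a one-line `/* see comment in SSL_CTX_set_min_proto_version() */` above the first `#ifdef SSL_OP_NO_TLSv1_1` would tie them together. The two cases are also not symmetric: an unenforceable minimum must fail, but for the maximum, if a build lacking SSL_OP_NO_TLSv1_1 also cannot negotiate TLS 1.1 (the patch does not establish this), a configured ceiling of TLS 1.0 is already satisfied and the failure is stricter than necessary. The comment should state which behaviour is intended so a later reader does not relax it by accident. The function's header and its closing lines are outside the hunk.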