| From: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
|---|---|
| To: | Michael Paquier <michael(at)paquier(dot)xyz> |
| Cc: | Victor Wagner <vitus(at)wagner(dot)pp(dot)ru>, pgsql-hackers(at)lists(dot)postgresql(dot)org |
| Subject: | Re: PostgreSQL12 and older versions of OpenSSL |
| Date: | 2019-09-27 13:50:57 |
| Message-ID: | c09cf245-cfb4-c756-aeea-db57b6ad329c@2ndquadrant.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 2019-09-27 03:51, Michael Paquier wrote:
> I have tested compilation of REL_12_STABLE with the top of OpenSSL
> 0.9.8, 1.0.0, 1.0.1, 1.0.2, 1.1.0 and 1.1.1. Our SSL tests also pass
> in all the setups I have tested.
great
> Your patch does not issue a ereport(LOG/FATAL) in the event of a
> failure with SSL_CTX_set_max_proto_version(), which is something done
> when ssl_protocol_version_to_openssl()'s result is -1. Wouldn't it be
> better to report that properly to the user?
Our SSL_CTX_set_max_proto_version() is a reimplementation of a function
that exists in newer versions of OpenSSL, so it has a specific error
behavior. Our implementation should probably not diverge from it too much.
> Some more nits about the patch I have. Would it be worth copying the
> comment from min_proto_version() to SSL_CTX_set_max_proto_version()?
> I would add a newline before the comment block as well.
ok
--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Michael Paquier | 2019-09-27 14:20:58 | Re: PostgreSQL12 and older versions of OpenSSL |
| Previous Message | Peter Eisentraut | 2019-09-27 13:46:09 | Re: Cleanup code related to OpenSSL <= 0.9.6 in fe/be-secure-openssl.c |