Here is my proposed patch, currently completely untested.

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
>From 35324dbe908a779c9d84b438cb54328cfd74e403 Mon Sep 17 00:00:00 2001
From: Peter Eisentraut <pe...@eisentraut.org>
Date: Thu, 26 Sep 2019 18:22:56 +0200
Subject: [PATCH] Fix compilation with older OpenSSL versions

TODO explanation here
---
 src/backend/libpq/be-secure-openssl.c | 35 +++++++++++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index c97c811e63..020f7c7f62 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -198,7 +198,8 @@ be_tls_init(bool isServerStart)
 
                if (ssl_ver == -1)
                        goto error;
-               SSL_CTX_set_min_proto_version(context, ssl_ver);
+               if (!SSL_CTX_set_min_proto_version(context, ssl_ver))
+                       goto error;
        }
 
        if (ssl_max_protocol_version)
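Review bot: The new `goto error` taken when SSL_CTX_set_min_proto_version() returns 0 emits no message, so on an OpenSSL build that cannot enforce the configured ssl_min_protocol_version the server fails (or logs only whatever the `error:` label reports, which is outside the hunk) without saying which setting was rejected; the preceding `ssl_ver == -1` path presumably reports through the conversion helper, also outside the hunk. I would report before jumping: `if (!SSL_CTX_set_min_proto_version(context, ssl_ver)) { ereport(isServerStart ? FATAL : LOG, (errmsg("could not set minimum SSL protocol version"))); goto error; }`. The maximum-version check in the next hunk has the same silent path and should get the matching message with "maximum". be_tls_init()'s body, including the `error:` label, continues outside both hunks.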
@@ -209,7 +210,8 @@ be_tls_init(bool isServerStart)
 
                if (ssl_ver == -1)
                        goto error;
-               SSL_CTX_set_max_proto_version(context, ssl_ver);
+               if (!SSL_CTX_set_max_proto_version(context, ssl_ver))
+                       goto error;
        }
 
        /* disallow SSL session tickets */
@@ -1335,13 +1337,30 @@ SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version)
 
        if (version > TLS1_VERSION)
                ssl_options |= SSL_OP_NO_TLSv1;
+       /*
+        * Some OpenSSL versions define TLS*_VERSION macros but not the
+        * corresponding SSL_OP_NO_* macro, so in those cases we have to return
+        * unsuccessfully here.
+        */
 #ifdef TLS1_1_VERSION
        if (version > TLS1_1_VERSION)
+       {
+#ifdef SSL_OP_NO_TLSv1_1
                ssl_options |= SSL_OP_NO_TLSv1_1;
+#else
+               return 0;
+#endif
+       }
 #endif
 #ifdef TLS1_2_VERSION
        if (version > TLS1_2_VERSION)
+       {
+#ifdef SSL_OP_NO_TLSv1_2
                ssl_options |= SSL_OP_NO_TLSv1_2;
+#else
+               return 0;
+#endif
+       }
 #endif
 
        SSL_CTX_set_options(ctx, ssl_options);
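Review bot: The fail-closed `return 0` branches are the right choice — when the OpenSSL build lacks the SSL_OP_NO_TLSv1_x flag the wrapper cannot express the requested bound, and applying only the flags it has would let be_tls_init() believe a minimum version is enforced when it is not. The explanatory comment added before `#ifdef TLS1_1_VERSION` is several lines away from the `#else return 0;` it explains, so I would also put a one-liner inside each `#else`, `/* cannot express this bound on this OpenSSL; fail rather than weaken it */`, and the mirrored SSL_CTX_set_max_proto_version() hunk below carries no comment at all, so add `/* see SSL_CTX_set_min_proto_version() for why this can fail */` there. These compatibility wrappers now follow the OpenSSL convention of returning 0 on failure and callers test the result, so the function-level comment above them (outside the hunk, as is the success return they end with) should state that contract.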
@@ -1358,11 +1377,23 @@ SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version)
 
 #ifdef TLS1_1_VERSION
        if (version < TLS1_1_VERSION)
+       {
+#ifdef SSL_OP_NO_TLSv1_1
                ssl_options |= SSL_OP_NO_TLSv1_1;
+#else
+               return 0;
+#endif
+       }
 #endif
 #ifdef TLS1_2_VERSION
        if (version < TLS1_2_VERSION)
+       {
+#ifdef SSL_OP_NO_TLSv1_2
                ssl_options |= SSL_OP_NO_TLSv1_2;
+#else
+               return 0;
+#endif
+       }
 #endif
 
        SSL_CTX_set_options(ctx, ssl_options);
-- 
2.23.0
