Cleanup code related to OpenSSL <= 0.9.6 in fe/be-secure-openssl.c

Thu, 26 Sep 2019 20:23:43 -0700 

Hi all,

While reviewing the area, I have bumped into the following bit in
fe-secure-openssl.c and be-secure-openssl.c:
-        /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
-#ifdef X509_V_FLAG_CRL_CHECK
[...  stuff ...]

I think that this did not get removed because of the incorrect version
number in the comment, which should have been 0.9.6 from the start.

Anyway, let's clean up this code as per the attached.  This set of
flags indeed exists since 0.9.7.  Any thoughts or objections?
--
Michael

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index c97c811e63..a0ae5c5046 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -269,17 +269,8 @@ be_tls_init(bool isServerStart)
 			/* Set the flags to check against the complete CRL chain */
 			if (X509_STORE_load_locations(cvstore, ssl_crl_file, NULL) == 1)
 			{
-				/* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
-#ifdef X509_V_FLAG_CRL_CHECK
 				X509_STORE_set_flags(cvstore,
 									 X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
-#else
-				ereport(LOG,
-						(errcode(ERRCODE_CONFIG_FILE_ERROR),
-						 errmsg("SSL certificate revocation list file \"%s\" ignored",
-								ssl_crl_file),
-						 errdetail("SSL library does not support certificate revocation lists.")));
-#endif
 			}
 			else
 			{
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index c8b8d07039..c8dddfb5fd 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -869,20 +869,8 @@ initialize_SSL(PGconn *conn)
 			if (fnbuf[0] != '\0' &&
 				X509_STORE_load_locations(cvstore, fnbuf, NULL) == 1)
 			{
-				/* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
-#ifdef X509_V_FLAG_CRL_CHECK
 				X509_STORE_set_flags(cvstore,
 									 X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
-#else
-				char	   *err = SSLerrmessage(ERR_get_error());
-
-				printfPQExpBuffer(&conn->errorMessage,
-								  libpq_gettext("SSL library does not support CRL certificates (file \"%s\")\n"),
-								  fnbuf);
-				SSLerrfree(err);
-				SSL_CTX_free(SSL_context);
-				return -1;
-#endif
 			}
 			/* if not found, silently ignore;  we do not require CRL */
 			ERR_clear_error();

Attachment: signature.asc
Description: PGP signature

Reply via email to