On 2019-09-27 16:20, Michael Paquier wrote:
> On Fri, Sep 27, 2019 at 03:50:57PM +0200, Peter Eisentraut wrote:
>> On 2019-09-27 03:51, Michael Paquier wrote:
>>> Your patch does not issue a ereport(LOG/FATAL) in the event of a
>>> failure with SSL_CTX_set_max_proto_version(), which is something done
>>> when ssl_protocol_version_to_openssl()'s result is -1. Wouldn't it be
>>> better to report that properly to the user?
>>
>> Our SSL_CTX_set_max_proto_version() is a reimplementation of a function
>> that exists in newer versions of OpenSSL, so it has a specific error
>> behavior. Our implementation should probably not diverge from it too much.
>
> I agree with this point. Now my argument is about logging LOG or
> FATAL within be_tls_init() after the two OpenSSL functions (or our
> wrappers) SSL_CTX_set_min/max_proto_version are called.

committed with that

--
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services