On 2020-01-15 03:28, Michael Paquier wrote:
Good points.  And the get routines are not that portable in OpenSSL
either even if HEAD supports 1.0.1 and newer versions...  Attached is
an updated patch which uses a GUC check for both parameters, and
provides a hint on top of the original error message.  The SSL context
does not get reloaded if there is an error, so the errors from OpenSSL
cannot be triggered as far as I checked (after mixing a couple of
correct and incorrect combinations manually).

The reason this wasn't done originally is that it is not correct to have GUC check hooks that refer to other GUC variables, because otherwise you get inconsistent behavior depending on the order of processing of the assignments. In this case, I think it would work because you have symmetric checks for both variables, but in general it is a problematic strategy.

--
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
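
The order dependence described in the reply above, as an added example that is not part of either message and is not PostgreSQL source: a toy model in which the check hook of one setting reads the current value of another. The names `min_ver`, `max_ver`, `check_min`, `check_max` and `apply` are hypothetical, and the check is deliberately one-sided to show the general case.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of two related settings (hypothetical names). */
struct settings { int min_ver; int max_ver; };

/* Check hook for min_ver that refers to the current value of max_ver. */
static bool check_min(const struct settings *cur, int newval)
{
    return newval <= cur->max_ver;
}

/* max_ver has no cross-check in this model. */
static bool check_max(const struct settings *cur, int newval)
{
    (void) cur;
    (void) newval;
    return true;
}

/* Process both assignments one at a time; a rejected value keeps the old one. */
static struct settings apply(struct settings s, int new_min, int new_max,
                             bool min_first)
{
    for (int step = 0; step < 2; step++) {
        bool do_min = ((step == 0) == min_first);
        if (do_min) {
            if (check_min(&s, new_min))
                s.min_ver = new_min;
        } else {
            if (check_max(&s, new_max))
                s.max_ver = new_max;
        }
    }
    return s;
}

int main(void)
{
    struct settings start = {1, 2};           /* constructed sample values */
    struct settings a = apply(start, 3, 4, true);
    struct settings b = apply(start, 3, 4, false);
    printf("min first: min=%d max=%d\n", a.min_ver, a.max_ver);
    printf("max first: min=%d max=%d\n", b.min_ver, b.max_ver);
    return 0;
}
```

The same pair of new values ends in a different state depending only on which assignment is processed first.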

