On Tue, 24 Sep 2019 18:49:17 +0900
Michael Paquier <mich...@paquier.xyz> wrote:

> On Tue, Sep 24, 2019 at 10:18:59AM +0300, Victor Wagner wrote:
> > PostgreSQL 12 documentation states, that minimum required version of
> > OpenSSL is 0.9.8. However, I was unable to compile current
> > PGPRO_12_STABLE with OpenSSL 0.9.8j (from SLES 11sp4).
> 
> I can reproduce that with REL_12_STABLE and the top of
> OpenSSL_0_9_8-stable from OpenSSL's git.
> 
> > Replacing all 
> > 
> > #ifdef TLS1_1_VERSION
> > 
> > with
> > 
> > #if defined(TLS1_1_VERSION) && TLS1_1_VERSION <= TLS_MAX_VERSION
> > 
> > and analogue for TLS1_2_VERSION fixes the problem.
> 
> That sounds like a plan.  
[skip] 
> > ...
> > (line 1290). In this case check for TLS1_1_VERSION <=
> > TLS_MAX_VERSION seems to be more self-explanatory, than check for
> > somewhat unrelated symbol SSL_OP_NO_TLSv1_1
> 
> That sounds right.  Victor, would you like to write a patch?

I'm attaching patch which uses solution mentioned above.
It seems that the check for SSL_OP_NO_TLSvX_Y is redundant if
we are checking for TLS_MAX_VERSION.
-- 
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index c97c811..e24d7de 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -1287,19 +1287,19 @@ ssl_protocol_version_to_openssl(int v, const char *guc_name, int loglevel)
 		case PG_TLS1_VERSION:
 			return TLS1_VERSION;
 		case PG_TLS1_1_VERSION:
-#ifdef TLS1_1_VERSION
+#if defined(TLS1_1_VERSION) && TLS1_1_VERSION <= TLS_MAX_VERSION
 			return TLS1_1_VERSION;
 #else
 			break;
 #endif
 		case PG_TLS1_2_VERSION:
-#ifdef TLS1_2_VERSION
+#if defined(TLS1_2_VERSION) &&  TLS1_2_VERSION <= TLS_MAX_VERSION
 			return TLS1_2_VERSION;
 #else
 			break;
 #endif
 		case PG_TLS1_3_VERSION:
-#ifdef TLS1_3_VERSION
+#if defined(TLS1_3_VERSION)  &&  TLS1_2_VERSION <= TLS_MAX_VERSION
 			return TLS1_3_VERSION;
 #else
 			break;
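Review bot: the TLS 1.3 guard in this hunk, `+#if defined(TLS1_3_VERSION)  &&  TLS1_2_VERSION <= TLS_MAX_VERSION`, compares TLS1_2_VERSION against TLS_MAX_VERSION instead of TLS1_3_VERSION, so it does not test what the 1.1 and 1.2 guards above it test and would still return TLS1_3_VERSION on a build whose TLS_MAX_VERSION is below it; it should read `#if defined(TLS1_3_VERSION) && TLS1_3_VERSION <= TLS_MAX_VERSION`. The doubled spaces around `&&` on the 1.2 and 1.3 lines also differ from the single spacing used on the 1.1 line and in the later hunks.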
@@ -1335,11 +1335,11 @@ SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version)
 
 	if (version > TLS1_VERSION)
 		ssl_options |= SSL_OP_NO_TLSv1;
-#ifdef TLS1_1_VERSION
+#if defined(TLS1_1_VERSION) && TLS1_1_VERSION <= TLS_MAX_VERSION
 	if (version > TLS1_1_VERSION)
 		ssl_options |= SSL_OP_NO_TLSv1_1;
 #endif
-#ifdef TLS1_2_VERSION
+#if defined(TLS1_2_VERSION) && TLS1_2_VERSION <= TLS_MAX_VERSION
 	if (version > TLS1_2_VERSION)
 		ssl_options |= SSL_OP_NO_TLSv1_2;
 #endif
@@ -1356,11 +1356,11 @@ SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version)
 
 	AssertArg(version != 0);
 
-#ifdef TLS1_1_VERSION
+#if defined(TLS1_1_VERSION) && TLS1_1_VERSION <= TLS_MAX_VERSION
 	if (version < TLS1_1_VERSION)
 		ssl_options |= SSL_OP_NO_TLSv1_1;
 #endif
-#ifdef TLS1_2_VERSION
+#if defined(TLS1_2_VERSION) && TLS1_2_VERSION <= TLS_MAX_VERSION
 	if (version < TLS1_2_VERSION)
 		ssl_options |= SSL_OP_NO_TLSv1_2;
 #endif
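Review bot: the `defined(TLS1_x_VERSION) && TLS1_x_VERSION <= TLS_MAX_VERSION` condition is now spelled out by hand in all three hunks, which is how the same guard can drift between copies; a small helper macro near the top of the file (for example one that takes the version macro as its argument) would keep ssl_protocol_version_to_openssl, SSL_CTX_set_min_proto_version and SSL_CTX_set_max_proto_version in sync and make any future TLS version a one-line addition.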
