On Tue, 24 Sep 2019 18:49:17 +0900 Michael Paquier <mich...@paquier.xyz> wrote:
> On Tue, Sep 24, 2019 at 10:18:59AM +0300, Victor Wagner wrote: > > PostgreSQL 12 documentation states, that minimum required version of > > OpenSSL is 0.9.8. However, I was unable to compile current > > PGPRO_12_STABLE with OpenSSL 0.9.8j (from SLES 11sp4). > > I can reproduce that with REL_12_STABLE and the top of > OpenSSL_0_9_8-stable from OpenSSL's git. > > > Replacing all > > > > #ifdef TLS1_1_VERSION > > > > with > > > > #if defined(TLS1_1_VERSION) && TLS1_1_VERSION <= TLS_MAX_VERSION > > > > and analogue for TLS1_2_VERSION fixes the problem. > > That sounds like a plan. [skip] > > ... > > (line 1290). In this case check for TLS1_1_VERSION <= > > TLS_MAX_VERSION seems to be more self-explanatory, than check for > > somewhat unrelated symbol SSL_OP_NO_TLSv1_1 > > That sounds right. Victor, would you like to write a patch? I'm attaching a patch which uses the solution mentioned above. It seems that the check for SSL_OP_NO_TLSvX_Y is redundant if we are checking for TLS_MAX_VERSION. --
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index c97c811..e24d7de 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -1287,19 +1287,19 @@ ssl_protocol_version_to_openssl(int v, const char *guc_name, int loglevel)
 		case PG_TLS1_VERSION:
 			return TLS1_VERSION;
 		case PG_TLS1_1_VERSION:
-#ifdef TLS1_1_VERSION
+#if defined(TLS1_1_VERSION) && TLS1_1_VERSION <= TLS_MAX_VERSION
 			return TLS1_1_VERSION;
 #else
 			break;
 #endif
 		case PG_TLS1_2_VERSION:
-#ifdef TLS1_2_VERSION
+#if defined(TLS1_2_VERSION) && TLS1_2_VERSION <= TLS_MAX_VERSION
 			return TLS1_2_VERSION;
 #else
 			break;
 #endif
 		case PG_TLS1_3_VERSION:
-#ifdef TLS1_3_VERSION
+#if defined(TLS1_3_VERSION) && TLS1_2_VERSION <= TLS_MAX_VERSION
 			return TLS1_3_VERSION;
 #else
 			break;
@@ -1335,11 +1335,11 @@ SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version)
 
 	if (version > TLS1_VERSION)
 		ssl_options |= SSL_OP_NO_TLSv1;
-#ifdef TLS1_1_VERSION
+#if defined(TLS1_1_VERSION) && TLS1_1_VERSION <= TLS_MAX_VERSION
 	if (version > TLS1_1_VERSION)
 		ssl_options |= SSL_OP_NO_TLSv1_1;
 #endif
-#ifdef TLS1_2_VERSION
+#if defined(TLS1_2_VERSION) && TLS1_2_VERSION <= TLS_MAX_VERSION
 	if (version > TLS1_2_VERSION)
 		ssl_options |= SSL_OP_NO_TLSv1_2;
 #endif
@@ -1356,11 +1356,11 @@ SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version)
 
 	AssertArg(version != 0);
 
-#ifdef TLS1_1_VERSION
+#if defined(TLS1_1_VERSION) && TLS1_1_VERSION <= TLS_MAX_VERSION
 	if (version < TLS1_1_VERSION)
 		ssl_options |= SSL_OP_NO_TLSv1_1;
 #endif
-#ifdef TLS1_2_VERSION
+#if defined(TLS1_2_VERSION) && TLS1_2_VERSION <= TLS_MAX_VERSION
 	if (version < TLS1_2_VERSION)
 		ssl_options |= SSL_OP_NO_TLSv1_2;
 #endif
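Review bot: The TLS 1.3 guard in the first hunk compares the wrong constant: `+#if defined(TLS1_3_VERSION) && TLS1_2_VERSION <= TLS_MAX_VERSION` tests TLS1_2_VERSION where the two cases above it test their own version, which reads as a copy-paste slip; it should be `#if defined(TLS1_3_VERSION) && TLS1_3_VERSION <= TLS_MAX_VERSION`. As written, any OpenSSL header that defines TLS1_3_VERSION while keeping TLS_MAX_VERSION at TLS1_2_VERSION would make ssl_protocol_version_to_openssl return TLS1_3_VERSION for PG_TLS1_3_VERSION instead of falling through to the "not supported by this build" report, so a configured ssl_min_protocol_version/ssl_max_protocol_version of TLSv1.3 would be accepted without the library honouring it. On current releases TLS_MAX_VERSION appears to equal TLS1_3_VERSION whenever TLS1_3_VERSION is defined, which is presumably why the slip compiled and tested fine. ssl_protocol_version_to_openssl begins before and continues after the hunk.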
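Review bot: The new `#if defined(TLS1_1_VERSION) && TLS1_1_VERSION <= TLS_MAX_VERSION` guards in the second and third hunks fail open if TLS_MAX_VERSION is ever missing, because an undefined identifier in an `#if` expression evaluates to 0 and the whole SSL_OP_NO_TLSv1_1/SSL_OP_NO_TLSv1_2 block is silently dropped rather than the build failing; the description's claim that checking SSL_OP_NO_TLSvX_Y is redundant also rests on the header defining both symbols together. A loud guard at the top of the compatibility section that these replacement functions live in, which starts outside the hunk, would make a mismatch visible: `#ifndef TLS_MAX_VERSION` / `#error "TLS_MAX_VERSION is not defined by this OpenSSL"` / `#endif`. The same remark applies to the third hunk (SSL_CTX_set_max_proto_version), and both functions' opening and closing lines are outside their hunks.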