From 1b589521d39ff175f7b080ad1174e0f8a90bb1b0 Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <daniel@yesql.se>
Date: Fri, 24 Apr 2020 13:49:11 +0200
Subject: [PATCH] Rename client-side TLS protocol settings

The names of the client side TLS protocol settings were originally
chosen to be consistent with the already existing ssl* settings.
This made the names confusingly long however, and inconsistent with
the corresponding TLS protocol version settings in the backend. This
improves readability of client side TLS protocol settings by adding
underscores to break up the really long word. The environment vars
are kept without underscores to be consistent with (most) other
env vars.

Reported-by: Peter Eisentraut
---
 .../postgres_fdw/expected/postgres_fdw.out    |  2 +-
 doc/src/sgml/libpq.sgml                       | 12 +++---
 src/interfaces/libpq/fe-connect.c             | 38 +++++++++----------
 src/interfaces/libpq/fe-secure-openssl.c      | 16 ++++----
 src/interfaces/libpq/libpq-int.h              |  4 +-
 src/test/ssl/t/001_ssltests.pl                | 12 +++---
 6 files changed, 42 insertions(+), 42 deletions(-)

diff --git a/contrib/postgres_fdw/expected/postgres_fdw.out b/contrib/postgres_fdw/expected/postgres_fdw.out
index 62c2697920..90db550b92 100644
--- a/contrib/postgres_fdw/expected/postgres_fdw.out
+++ b/contrib/postgres_fdw/expected/postgres_fdw.out
@@ -8898,7 +8898,7 @@ DO $d$
     END;
 $d$;
 ERROR:  invalid option "password"
-HINT:  Valid options in this context are: service, passfile, channel_binding, connect_timeout, dbname, host, hostaddr, port, options, application_name, keepalives, keepalives_idle, keepalives_interval, keepalives_count, tcp_user_timeout, sslmode, sslcompression, sslcert, sslkey, sslrootcert, sslcrl, requirepeer, sslminprotocolversion, sslmaxprotocolversion, gssencmode, krbsrvname, gsslib, target_session_attrs, use_remote_estimate, fdw_startup_cost, fdw_tuple_cost, extensions, updatable, fetch_size
+HINT:  Valid options in this context are: service, passfile, channel_binding, connect_timeout, dbname, host, hostaddr, port, options, application_name, keepalives, keepalives_idle, keepalives_interval, keepalives_count, tcp_user_timeout, sslmode, sslcompression, sslcert, sslkey, sslrootcert, sslcrl, requirepeer, ssl_min_protocol_version, ssl_max_protocol_version, gssencmode, krbsrvname, gsslib, target_session_attrs, use_remote_estimate, fdw_startup_cost, fdw_tuple_cost, extensions, updatable, fetch_size
 CONTEXT:  SQL statement "ALTER SERVER loopback_nopw OPTIONS (ADD password 'dummypw')"
 PL/pgSQL function inline_code_block line 3 at EXECUTE
 -- If we add a password for our user mapping instead, we should get a different
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 75d2224a61..79c38210a4 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1736,8 +1736,8 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
       </listitem>
      </varlistentry>
 
-     <varlistentry id="libpq-connect-sslminprotocolversion" xreflabel="sslminprotocolversion">
-      <term><literal>sslminprotocolversion</literal></term>
+     <varlistentry id="libpq-connect-ssl-min-protocol-version" xreflabel="ssl-min-protocol-version">
+      <term><literal>ssl_min_protocol_version</literal></term>
       <listitem>
        <para>
         This parameter specifies the minimum SSL/TLS protocol version to allow
@@ -1752,8 +1752,8 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
       </listitem>
      </varlistentry>
 
-     <varlistentry id="libpq-connect-sslmaxprotocolversion" xreflabel="sslmaxprotocolversion">
-      <term><literal>sslmaxprotocolversion</literal></term>
+     <varlistentry id="libpq-connect-ssl-max-protocol-version" xreflabel="ssl-max-protocol-version">
+      <term><literal>ssl_max_protocol_version</literal></term>
       <listitem>
        <para>
         This parameter specifies the maximum SSL/TLS protocol version to allow
@@ -7164,7 +7164,7 @@ myEventProc(PGEventId evtId, void *evtInfo, void *passThrough)
        <primary><envar>PGSSLMINPROTOCOLVERSION</envar></primary>
       </indexterm>
       <envar>PGSSLMINPROTOCOLVERSION</envar> behaves the same as the <xref
-      linkend="libpq-connect-sslminprotocolversion"/> connection parameter.
+      linkend="libpq-connect-ssl-min-protocol-version"/> connection parameter.
      </para>
     </listitem>
 
@@ -7174,7 +7174,7 @@ myEventProc(PGEventId evtId, void *evtInfo, void *passThrough)
        <primary><envar>PGSSLMAXPROTOCOLVERSION</envar></primary>
       </indexterm>
       <envar>PGSSLMAXPROTOCOLVERSION</envar> behaves the same as the <xref
-      linkend="libpq-connect-sslminprotocolversion"/> connection parameter.
+      linkend="libpq-connect-ssl-min-protocol-version"/> connection parameter.
      </para>
     </listitem>
 
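Review bot: The PGSSLMAXPROTOCOLVERSION entry still cross-references the minimum-version parameter: the xref under that envar is renamed to `libpq-connect-ssl-min-protocol-version` although the paragraph documents the maximum-version environment variable. The wrong target predates this commit, so the rename only carries it forward, but since the id is being edited anyway this is the natural moment to correct it. Change the xref to `linkend="libpq-connect-ssl-max-protocol-version"/> connection parameter.` so readers land on the ssl_max_protocol_version description introduced earlier in this file.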
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 0157c619aa..23be9a66cb 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -320,13 +320,13 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
 		"Require-Peer", "", 10,
 	offsetof(struct pg_conn, requirepeer)},
 
-	{"sslminprotocolversion", "PGSSLMINPROTOCOLVERSION", NULL, NULL,
+	{"ssl_min_protocol_version", "PGSSLMINPROTOCOLVERSION", NULL, NULL,
 		"SSL-Minimum-Protocol-Version", "", 8,	/* sizeof("TLSv1.x") == 8 */
-	offsetof(struct pg_conn, sslminprotocolversion)},
+	offsetof(struct pg_conn, ssl_min_protocol_version)},
 
-	{"sslmaxprotocolversion", "PGSSLMAXPROTOCOLVERSION", NULL, NULL,
+	{"ssl_max_protocol_version", "PGSSLMAXPROTOCOLVERSION", NULL, NULL,
 		"SSL-Maximum-Protocol-Version", "", 8,	/* sizeof("TLSv1.x") == 8 */
-	offsetof(struct pg_conn, sslmaxprotocolversion)},
+	offsetof(struct pg_conn, ssl_max_protocol_version)},
 
 	/*
 	 * As with SSL, all GSS options are exposed even in builds that don't have
@@ -1301,23 +1301,23 @@ connectOptions2(PGconn *conn)
 	}
 
 	/*
-	 * Validate TLS protocol versions for sslminprotocolversion and
-	 * sslmaxprotocolversion.
+	 * Validate TLS protocol versions for ssl_min_protocol_version and
+	 * ssl_max_protocol_version.
 	 */
-	if (!sslVerifyProtocolVersion(conn->sslminprotocolversion))
+	if (!sslVerifyProtocolVersion(conn->ssl_min_protocol_version))
 	{
 		conn->status = CONNECTION_BAD;
 		printfPQExpBuffer(&conn->errorMessage,
-						  libpq_gettext("invalid sslminprotocolversion value: \"%s\"\n"),
-						  conn->sslminprotocolversion);
+						  libpq_gettext("invalid ssl_min_protocol_version value: \"%s\"\n"),
+						  conn->ssl_min_protocol_version);
 		return false;
 	}
-	if (!sslVerifyProtocolVersion(conn->sslmaxprotocolversion))
+	if (!sslVerifyProtocolVersion(conn->ssl_max_protocol_version))
 	{
 		conn->status = CONNECTION_BAD;
 		printfPQExpBuffer(&conn->errorMessage,
-						  libpq_gettext("invalid sslmaxprotocolversion value: \"%s\"\n"),
-						  conn->sslmaxprotocolversion);
+						  libpq_gettext("invalid ssl_max_protocol_version value: \"%s\"\n"),
+						  conn->ssl_max_protocol_version);
 		return false;
 	}
 
@@ -1328,8 +1328,8 @@ connectOptions2(PGconn *conn)
 	 * already-built SSL context when the connection is being established, as
 	 * it would be doomed anyway.
 	 */
-	if (!sslVerifyProtocolRange(conn->sslminprotocolversion,
-								conn->sslmaxprotocolversion))
+	if (!sslVerifyProtocolRange(conn->ssl_min_protocol_version,
+								conn->ssl_max_protocol_version))
 	{
 		conn->status = CONNECTION_BAD;
 		printfPQExpBuffer(&conn->errorMessage,
@@ -4046,10 +4046,10 @@ freePGconn(PGconn *conn)
 		free(conn->sslcompression);
 	if (conn->requirepeer)
 		free(conn->requirepeer);
-	if (conn->sslminprotocolversion)
-		free(conn->sslminprotocolversion);
-	if (conn->sslmaxprotocolversion)
-		free(conn->sslmaxprotocolversion);
+	if (conn->ssl_min_protocol_version)
+		free(conn->ssl_min_protocol_version);
+	if (conn->ssl_max_protocol_version)
+		free(conn->ssl_max_protocol_version);
 	if (conn->gssencmode)
 		free(conn->gssencmode);
 	if (conn->krbsrvname)
@@ -7120,7 +7120,7 @@ pgpassfileWarning(PGconn *conn)
 /*
  * Check if the SSL procotol value given in input is valid or not.
  * This is used as a sanity check routine for the connection parameters
- * sslminprotocolversion and sslmaxprotocolversion.
+ * ssl_min_protocol_version and ssl_max_protocol_version.
  */
 static bool
 sslVerifyProtocolVersion(const char *version)
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 731aa23c55..ddeeb606f5 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -842,18 +842,18 @@ initialize_SSL(PGconn *conn)
 	SSL_CTX_set_options(SSL_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
 
 	/* Set the minimum and maximum protocol versions if necessary */
-	if (conn->sslminprotocolversion &&
-		strlen(conn->sslminprotocolversion) != 0)
+	if (conn->ssl_min_protocol_version &&
+		strlen(conn->ssl_min_protocol_version) != 0)
 	{
 		int			ssl_min_ver;
 
-		ssl_min_ver = ssl_protocol_version_to_openssl(conn->sslminprotocolversion);
+		ssl_min_ver = ssl_protocol_version_to_openssl(conn->ssl_min_protocol_version);
 
 		if (ssl_min_ver == -1)
 		{
 			printfPQExpBuffer(&conn->errorMessage,
 							  libpq_gettext("invalid value \"%s\" for minimum version of SSL protocol\n"),
-							  conn->sslminprotocolversion);
+							  conn->ssl_min_protocol_version);
 			SSL_CTX_free(SSL_context);
 			return -1;
 		}
@@ -871,18 +871,18 @@ initialize_SSL(PGconn *conn)
 		}
 	}
 
-	if (conn->sslmaxprotocolversion &&
-		strlen(conn->sslmaxprotocolversion) != 0)
+	if (conn->ssl_max_protocol_version &&
+		strlen(conn->ssl_max_protocol_version) != 0)
 	{
 		int			ssl_max_ver;
 
-		ssl_max_ver = ssl_protocol_version_to_openssl(conn->sslmaxprotocolversion);
+		ssl_max_ver = ssl_protocol_version_to_openssl(conn->ssl_max_protocol_version);
 
 		if (ssl_max_ver == -1)
 		{
 			printfPQExpBuffer(&conn->errorMessage,
 							  libpq_gettext("invalid value \"%s\" for maximum version of SSL protocol\n"),
-							  conn->sslmaxprotocolversion);
+							  conn->ssl_max_protocol_version);
 			SSL_CTX_free(SSL_context);
 			return -1;
 		}
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 72931e6019..1de91ae295 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -367,8 +367,8 @@ struct pg_conn
 	char	   *krbsrvname;		/* Kerberos service name */
 	char	   *gsslib;			/* What GSS library to use ("gssapi" or
 								 * "sspi") */
-	char	   *sslminprotocolversion;	/* minimum TLS protocol version */
-	char	   *sslmaxprotocolversion;	/* maximum TLS protocol version */
+	char	   *ssl_min_protocol_version;	/* minimum TLS protocol version */
+	char	   *ssl_max_protocol_version;	/* maximum TLS protocol version */
 
 	/* Type of connection to make.  Possible values: any, read-write. */
 	char	   *target_session_attrs;
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index d035ac7fc9..3e68a49ca9 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -357,22 +357,22 @@ command_like(
 # Test min/max SSL protocol versions.
 test_connect_ok(
 	$common_connstr,
-	"sslrootcert=ssl/root+server_ca.crt sslmode=require sslminprotocolversion=TLSv1.2 sslmaxprotocolversion=TLSv1.2",
+	"sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=TLSv1.2 ssl_max_protocol_version=TLSv1.2",
 	"connection success with correct range of TLS protocol versions");
 test_connect_fails(
 	$common_connstr,
-	"sslrootcert=ssl/root+server_ca.crt sslmode=require sslminprotocolversion=TLSv1.2 sslmaxprotocolversion=TLSv1.1",
+	"sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=TLSv1.2 ssl_max_protocol_version=TLSv1.1",
 	qr/invalid SSL protocol version range/,
 	"connection failure with incorrect range of TLS protocol versions");
 test_connect_fails(
 	$common_connstr,
-	"sslrootcert=ssl/root+server_ca.crt sslmode=require sslminprotocolversion=incorrect_tls",
-	qr/invalid sslminprotocolversion value/,
+	"sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=incorrect_tls",
+	qr/invalid ssl_min_protocol_version value/,
 	"connection failure with an incorrect SSL protocol minimum bound");
 test_connect_fails(
 	$common_connstr,
-	"sslrootcert=ssl/root+server_ca.crt sslmode=require sslmaxprotocolversion=incorrect_tls",
-	qr/invalid sslmaxprotocolversion value/,
+	"sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_max_protocol_version=incorrect_tls",
+	qr/invalid ssl_max_protocol_version value/,
 	"connection failure with an incorrect SSL protocol maximum bound");
 
 ### Server-side tests.
-- 
2.21.1 (Apple Git-122.3)

