"Require-Peer", "", 10,
offsetof(struct pg_conn, requirepeer)},
- {"sslminprotocolversion", "PGSSLMINPROTOCOLVERSION", NULL, NULL,
+ {"ssl_min_protocol_version", "PGSSLMINPROTOCOLVERSION", NULL, NULL,
"SSL-Minimum-Protocol-Version", "", 8, /* sizeof("TLSv1.x") == 8 */
- offsetof(struct pg_conn, sslminprotocolversion)},
+ offsetof(struct pg_conn, ssl_min_protocol_version)},
- {"sslmaxprotocolversion", "PGSSLMAXPROTOCOLVERSION", NULL, NULL,
+ {"ssl_max_protocol_version", "PGSSLMAXPROTOCOLVERSION", NULL, NULL,
"SSL-Maximum-Protocol-Version", "", 8, /* sizeof("TLSv1.x") == 8 */
- offsetof(struct pg_conn, sslmaxprotocolversion)},
+ offsetof(struct pg_conn, ssl_max_protocol_version)},
/*
* As with SSL, all GSS options are exposed even in builds that don't have
}
/*
- * Validate TLS protocol versions for sslminprotocolversion and
- * sslmaxprotocolversion.
+ * Validate TLS protocol versions for ssl_min_protocol_version and
+ * ssl_max_protocol_version.
*/
- if (!sslVerifyProtocolVersion(conn->sslminprotocolversion))
+ if (!sslVerifyProtocolVersion(conn->ssl_min_protocol_version))
{
conn->status = CONNECTION_BAD;
printfPQExpBuffer(&conn->errorMessage,
- libpq_gettext("invalid sslminprotocolversion value: \"%s\"\n"),
- conn->sslminprotocolversion);
+ libpq_gettext("invalid ssl_min_protocol_version value: \"%s\"\n"),
+ conn->ssl_min_protocol_version);
return false;
}
- if (!sslVerifyProtocolVersion(conn->sslmaxprotocolversion))
+ if (!sslVerifyProtocolVersion(conn->ssl_max_protocol_version))
{
conn->status = CONNECTION_BAD;
printfPQExpBuffer(&conn->errorMessage,
- libpq_gettext("invalid sslmaxprotocolversion value: \"%s\"\n"),
- conn->sslmaxprotocolversion);
+ libpq_gettext("invalid ssl_max_protocol_version value: \"%s\"\n"),
+ conn->ssl_max_protocol_version);
return false;
}
* already-built SSL context when the connection is being established, as
* it would be doomed anyway.
*/
- if (!sslVerifyProtocolRange(conn->sslminprotocolversion,
- conn->sslmaxprotocolversion))
+ if (!sslVerifyProtocolRange(conn->ssl_min_protocol_version,
+ conn->ssl_max_protocol_version))
{
conn->status = CONNECTION_BAD;
printfPQExpBuffer(&conn->errorMessage,
free(conn->sslcompression);
if (conn->requirepeer)
free(conn->requirepeer);
- if (conn->sslminprotocolversion)
- free(conn->sslminprotocolversion);
- if (conn->sslmaxprotocolversion)
- free(conn->sslmaxprotocolversion);
+ if (conn->ssl_min_protocol_version)
+ free(conn->ssl_min_protocol_version);
+ if (conn->ssl_max_protocol_version)
+ free(conn->ssl_max_protocol_version);
if (conn->gssencmode)
free(conn->gssencmode);
if (conn->krbsrvname)
/*
* Check if the SSL procotol value given in input is valid or not.
* This is used as a sanity check routine for the connection parameters
- * sslminprotocolversion and sslmaxprotocolversion.
+ * ssl_min_protocol_version and ssl_max_protocol_version.
*/
static bool
sslVerifyProtocolVersion(const char *version)
SSL_CTX_set_options(SSL_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
/* Set the minimum and maximum protocol versions if necessary */
- if (conn->sslminprotocolversion &&
- strlen(conn->sslminprotocolversion) != 0)
+ if (conn->ssl_min_protocol_version &&
+ strlen(conn->ssl_min_protocol_version) != 0)
{
int ssl_min_ver;
- ssl_min_ver = ssl_protocol_version_to_openssl(conn->sslminprotocolversion);
+ ssl_min_ver = ssl_protocol_version_to_openssl(conn->ssl_min_protocol_version);
if (ssl_min_ver == -1)
{
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("invalid value \"%s\" for minimum version of SSL protocol\n"),
- conn->sslminprotocolversion);
+ conn->ssl_min_protocol_version);
SSL_CTX_free(SSL_context);
return -1;
}
}
}
- if (conn->sslmaxprotocolversion &&
- strlen(conn->sslmaxprotocolversion) != 0)
+ if (conn->ssl_max_protocol_version &&
+ strlen(conn->ssl_max_protocol_version) != 0)
{
int ssl_max_ver;
- ssl_max_ver = ssl_protocol_version_to_openssl(conn->sslmaxprotocolversion);
+ ssl_max_ver = ssl_protocol_version_to_openssl(conn->ssl_max_protocol_version);
if (ssl_max_ver == -1)
{
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("invalid value \"%s\" for maximum version of SSL protocol\n"),
- conn->sslmaxprotocolversion);
+ conn->ssl_max_protocol_version);
SSL_CTX_free(SSL_context);
return -1;
}
# Test min/max SSL protocol versions.
test_connect_ok(
$common_connstr,
- "sslrootcert=ssl/root+server_ca.crt sslmode=require sslminprotocolversion=TLSv1.2 sslmaxprotocolversion=TLSv1.2",
+ "sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=TLSv1.2 ssl_max_protocol_version=TLSv1.2",
"connection success with correct range of TLS protocol versions");
test_connect_fails(
$common_connstr,
- "sslrootcert=ssl/root+server_ca.crt sslmode=require sslminprotocolversion=TLSv1.2 sslmaxprotocolversion=TLSv1.1",
+ "sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=TLSv1.2 ssl_max_protocol_version=TLSv1.1",
qr/invalid SSL protocol version range/,
"connection failure with incorrect range of TLS protocol versions");
test_connect_fails(
$common_connstr,
- "sslrootcert=ssl/root+server_ca.crt sslmode=require sslminprotocolversion=incorrect_tls",
- qr/invalid sslminprotocolversion value/,
+ "sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=incorrect_tls",
+ qr/invalid ssl_min_protocol_version value/,
"connection failure with an incorrect SSL protocol minimum bound");
test_connect_fails(
$common_connstr,
- "sslrootcert=ssl/root+server_ca.crt sslmode=require sslmaxprotocolversion=incorrect_tls",
- qr/invalid sslmaxprotocolversion value/,
+ "sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_max_protocol_version=incorrect_tls",
+ qr/invalid ssl_max_protocol_version value/,
"connection failure with an incorrect SSL protocol maximum bound");
### Server-side tests.
projects / postgresql.git / commitdiff