diff options
| author | Tom Lane <tgl@sss.pgh.pa.us> | 2020-06-27 12:47:58 -0400 |
|---|---|---|
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2020-06-27 12:47:58 -0400 |
| commit | b63dd3d88f479947ef7fb7cbf5db27de66ae0654 (patch) | |
| tree | d9278731eeb77c93b702190977072e4f521c14ea /src/interfaces/libpq/fe-secure-openssl.c | |
| parent | 6e682f61a5bdb08164a805419144318db6b7229f (diff) | |
| download | postgresql-b63dd3d88f479947ef7fb7cbf5db27de66ae0654.tar.gz postgresql-b63dd3d88f479947ef7fb7cbf5db27de66ae0654.zip | |
Add hints about protocol-version-related SSL connection failures.
OpenSSL's native reports about problems related to protocol version
restrictions are pretty opaque and inconsistent. When we get an
SSL error that is plausibly due to this, emit a hint message that
includes the range of SSL protocol versions we (think we) are
allowing. This should at least get the user thinking in the right
direction to resolve the problem, even if the hint isn't totally
accurate, which it might not be for assorted reasons.
Back-patch to v13 where we increased the default minimum protocol
version, thereby increasing the risk of this class of failure.
Patch by me, reviewed by Daniel Gustafsson
Discussion: https://postgr.es/m/a9408304-4381-a5af-d259-e55d349ae4ce@2ndquadrant.com
Diffstat (limited to 'src/interfaces/libpq/fe-secure-openssl.c')
| -rw-r--r-- | src/interfaces/libpq/fe-secure-openssl.c | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 2d813ef5f9b..b5b2006b75d 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -1304,6 +1304,45 @@ open_client_SSL(PGconn *conn) libpq_gettext("SSL error: %s\n"), err); SSLerrfree(err); + switch (ERR_GET_REASON(ecode)) + { + /* + * UNSUPPORTED_PROTOCOL, WRONG_VERSION_NUMBER, and + * TLSV1_ALERT_PROTOCOL_VERSION have been observed + * when trying to communicate with an old OpenSSL + * library, or when the client and server specify + * disjoint protocol ranges. + * NO_PROTOCOLS_AVAILABLE occurs if there's a + * local misconfiguration (which can happen + * despite our checks, if openssl.cnf injects a + * limit we didn't account for). It's not very + * clear what would make OpenSSL return the other + * codes listed here, but a hint about protocol + * versions seems like it's appropriate for all. + */ + case SSL_R_NO_PROTOCOLS_AVAILABLE: + case SSL_R_UNSUPPORTED_PROTOCOL: + case SSL_R_BAD_PROTOCOL_VERSION_NUMBER: + case SSL_R_UNKNOWN_PROTOCOL: + case SSL_R_UNKNOWN_SSL_VERSION: + case SSL_R_UNSUPPORTED_SSL_VERSION: + case SSL_R_VERSION_TOO_HIGH: + case SSL_R_VERSION_TOO_LOW: + case SSL_R_WRONG_SSL_VERSION: + case SSL_R_WRONG_VERSION_NUMBER: + case SSL_R_TLSV1_ALERT_PROTOCOL_VERSION: + appendPQExpBuffer(&conn->errorMessage, + libpq_gettext("This may indicate that the server does not support any SSL protocol version between %s and %s.\n"), + conn->ssl_min_protocol_version ? + conn->ssl_min_protocol_version : + MIN_OPENSSL_TLS_VERSION, + conn->ssl_max_protocol_version ? + conn->ssl_max_protocol_version : + MAX_OPENSSL_TLS_VERSION); + break; + default: + break; + } pgtls_close(conn); return PGRES_POLLING_FAILED; } |