Cleanup code related to OpenSSL <= 0.9.6 in fe/be-secure-openssl.c

Started by Michael Paquier over 6 years ago, 3 messages
#1 Michael Paquier
michael@paquier.xyz
1 attachment(s)

Hi all,

While reviewing the area, I have bumped into the following bit in
fe-secure-openssl.c and be-secure-openssl.c:
- /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
-#ifdef X509_V_FLAG_CRL_CHECK
[... stuff ...]

I think that this did not get removed because of the incorrect version
number in the comment, which should have been 0.9.6 from the start.

Anyway, let's clean up this code as per the attached. This set of
flags indeed exists since 0.9.7. Any thoughts or objections?
--
Michael

Attachments:

openssl-clean-crl-check.patch (text/x-diff; charset=us-ascii)
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index c97c811e63..a0ae5c5046 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -269,17 +269,8 @@ be_tls_init(bool isServerStart)
 			/* Set the flags to check against the complete CRL chain */
 			if (X509_STORE_load_locations(cvstore, ssl_crl_file, NULL) == 1)
 			{
-				/* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
-#ifdef X509_V_FLAG_CRL_CHECK
 				X509_STORE_set_flags(cvstore,
 									 X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
-#else
-				ereport(LOG,
-						(errcode(ERRCODE_CONFIG_FILE_ERROR),
-						 errmsg("SSL certificate revocation list file \"%s\" ignored",
-								ssl_crl_file),
-						 errdetail("SSL library does not support certificate revocation lists.")));
-#endif
 			}
 			else
 			{
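Review bot: Dropping the `#ifdef X509_V_FLAG_CRL_CHECK` guard turns the old runtime fallback (the removed `ereport(LOG, ... "SSL certificate revocation list file \"%s\" ignored" ...)`) into a compile-time failure on any OpenSSL that lacks the flag, which is the right outcome only if the build already refuses OpenSSL older than 0.9.7; it would be worth confirming that the configure check enforces that minimum so this path is genuinely unreachable rather than silently degraded. A short note in the commit message that CRL checking is now unconditional whenever `ssl_crl_file` loads successfully would also help operators reading the history, since the server will now reject chains without CRL coverage (`X509_V_FLAG_CRL_CHECK_ALL`) instead of logging and continuing.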
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index c8b8d07039..c8dddfb5fd 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -869,20 +869,8 @@ initialize_SSL(PGconn *conn)
 			if (fnbuf[0] != '\0' &&
 				X509_STORE_load_locations(cvstore, fnbuf, NULL) == 1)
 			{
-				/* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
-#ifdef X509_V_FLAG_CRL_CHECK
 				X509_STORE_set_flags(cvstore,
 									 X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
-#else
-				char	   *err = SSLerrmessage(ERR_get_error());
-
-				printfPQExpBuffer(&conn->errorMessage,
-								  libpq_gettext("SSL library does not support CRL certificates (file \"%s\")\n"),
-								  fnbuf);
-				SSLerrfree(err);
-				SSL_CTX_free(SSL_context);
-				return -1;
-#endif
 			}
 			/* if not found, silently ignore;  we do not require CRL */
 			ERR_clear_error();
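Review bot: The removed `#else` branch fetched `char *err = SSLerrmessage(ERR_get_error());` but never used it in the `printfPQExpBuffer` message (only `fnbuf` is formatted), then freed it, so nothing of diagnostic value is lost by deleting it; the `SSL_CTX_free(SSL_context); return -1;` error exit likewise disappears, and on an OpenSSL without the flag the build now fails instead, matching the backend hunk. The trailing comment `/* if not found, silently ignore;  we do not require CRL */` still accurately describes the remaining behaviour (a missing CRL file is tolerated, a present one is enforced), so no further comment change is needed here.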
#2 Peter Eisentraut
peter.eisentraut@2ndquadrant.com
In reply to: Michael Paquier (#1)
Re: Cleanup code related to OpenSSL <= 0.9.6 in fe/be-secure-openssl.c

On 2019-09-27 05:23, Michael Paquier wrote:

While reviewing the area, I have bumped into the following bit in
fe-secure-openssl.c and be-secure-openssl.c:
- /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
-#ifdef X509_V_FLAG_CRL_CHECK
[... stuff ...]

I think that this did not get removed because of the incorrect version
number in the comment, which should have been 0.9.6 from the start.

Anyway, let's clean up this code as per the attached. This set of
flags indeed exists since 0.9.7. Any thoughts or objections?

Yes, it seems OK to clean this up in master.

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

#3 Michael Paquier
michael@paquier.xyz
In reply to: Peter Eisentraut (#2)
Re: Cleanup code related to OpenSSL <= 0.9.6 in fe/be-secure-openssl.c

On Fri, Sep 27, 2019 at 03:46:09PM +0200, Peter Eisentraut wrote:

Yes, it seems OK to clean this up in master.

Thanks, applied on HEAD.
--
Michael