public inbox for [email protected]  
SSL connection check
2+ messages / 2 participants

* SSL connection check
@ 2021-02-17 10:38  Daniel Gustafsson <[email protected]>
  0 siblings, 1 reply; 2+ messages in thread

From: Daniel Gustafsson @ 2021-02-17 10:38 UTC (permalink / raw)
  To: pgsql-odbc

PgDtc_is_recovery_available uses PQgetssl() to check if SSL was used for the
connection.  PQgetssl() is discouraged since it is hardcoded to the OpenSSL
implementation and may fail to identify an SSL connection in case another TLS
backend is added to postgres (a few alternatives have already been discussed on
-hackers).

The attached changes the code to use PQsslInUse() to perform the check, and
removes a comment which seemed out of place with this (unless I totally
misunderstood it).  PQsslInUse has been available since 9.5; to cope with older
libpq versions, an autoconf check is added for falling back on PQgetssl in 9.4
through to 9.2.

--
Daniel Gustafsson		https://vmware.com/



Attachments:

  [application/octet-stream] pqgetssl.patch (1.5K, 2-pqgetssl.patch)
  inline diff:
From e79f22f2f76bf92ec8290fd8786f471287e03ede Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <[email protected]>
Date: Tue, 16 Feb 2021 16:01:08 +0100
Subject: [PATCH] Refactor check for SSL connection

PQgetssl has been discouraged from use since postgres 9.5 since it
will risk false negatives if postgres supports other TLS libraries
than OpenSSL. Refactor to use PQsslInUse which has been available
since 9.5 for just this purpose.
---
 configure.ac | 2 ++
 connection.c | 5 ++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index 8453a29..090972a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -258,6 +258,8 @@ AC_C_CONST
 AC_FUNC_STRERROR_R
 AC_CHECK_FUNCS(strtoul strtoll strlcat mbstowcs wcstombs mbrtoc16 c16rtomb)
 
+AC_CHECK_FUNCS(PQsslInUse)
+
 if test "$enable_pthreads" = yes; then
   AC_CHECK_FUNCS(localtime_r strtok_r pthread_mutexattr_settype)
 
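Review bot: AC_CHECK_FUNCS(PQsslInUse) only defines HAVE_PQSSLINUSE when the configure link test can resolve the symbol, which requires libpq to already be in LIBS at this point of configure.ac; the neighbouring checks (strtoul, mbrtoc16, localtime_r) are all libc functions, so please confirm the libpq library flags are in place before line 258, otherwise the test fails on every platform and the PQgetssl fallback stays compiled in even against libpq 9.5 and later. A one-line comment above the check noting that it exists only for libpq 9.2 through 9.4 compatibility would also make it clear when the fallback can be dropped.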
diff --git a/connection.c b/connection.c
index 070e043..02794ff 100644
--- a/connection.c
+++ b/connection.c
@@ -3263,10 +3263,13 @@ DLL_DECLARE int PgDtc_is_recovery_available(void *self, char *reason, int rsize)
 	/*
 	 * Did we use SSL client certificate, SSPI, Kerberos or similar
 	 * authentication methods?
-	 * There seems no way to check it directly.
 	 */
 	doubtCert = FALSE;
+#ifdef HAVE_PQSSLINUSE
+	if (PQsslInUse(conn->pqconn))
+#else
 	if (PQgetssl(conn->pqconn) != NULL)
+#endif
 		doubtCert = TRUE;
 
 	nameSize = sizeof(loginUser);
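Review bot: dropping "There seems no way to check it directly." leaves the comment asking whether a client certificate, SSPI or Kerberos was used while the code, before and after this change, only tests whether TLS is in use at all; PQsslInUse() answers a different question than "was a client certificate used for authentication", so the removed sentence was still accurate and the comment should rather state that TLS being in use is taken as a conservative signal for setting doubtCert. A minor style point: wrapping only the if header in #ifdef/#else/#endif with the shared body below is fragile under later edits; a small static helper such as `static int conn_ssl_in_use(PGconn *c)` holding the conditional would keep the call site a plain `if (conn_ssl_in_use(conn->pqconn))`.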
-- 
2.21.1 (Apple Git-122.3)




* Re: SSL connection check
@ 2021-02-18 03:27  井上博史 <[email protected]>
  parent: Daniel Gustafsson <[email protected]>
  0 siblings, 0 replies; 2+ messages in thread

From: 井上博史 @ 2021-02-18 03:27 UTC (permalink / raw)
  To: [email protected]; +Cc: pgsql-odbc

Hi Daniel,

I would take care of the patch.

Thanks.
Hiroshi Inoue


On Wed, 17 Feb 2021 at 19:38, Daniel Gustafsson <[email protected]> wrote:

> PgDtc_is_recovery_available uses PQgetssl() to check if SSL was used for the
> connection.  PQgetssl() is discouraged since it is hardcoded to the OpenSSL
> implementation and may fail to identify an SSL connection in case another TLS
> backend is added to postgres (a few alternatives have already been discussed on
> -hackers).
>
> The attached changes the code to use PQsslInUse() to perform the check, and
> removes a comment which seemed out of place with this (unless I totally
> misunderstood it).  PQsslInUse has been available since 9.5; to cope with older
> libpq versions, an autoconf check is added for falling back on PQgetssl in 9.4
> through to 9.2.
>
> --
> Daniel Gustafsson               https://vmware.com/
>



