@@ -198,7 +198,12 @@ be_tls_init(bool isServerStart)
198
198
199
199
if (ssl_ver == -1 )
200
200
goto error ;
201
- SSL_CTX_set_min_proto_version (context , ssl_ver );
201
+ if (!SSL_CTX_set_min_proto_version (context , ssl_ver ))
202
+ {
203
+ ereport (isServerStart ? FATAL : LOG ,
204
+ (errmsg ("could not set minimum SSL protocol version" )));
205
+ goto error ;
206
+ }
202
207
}
203
208
204
209
if (ssl_max_protocol_version )
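Review bot: The new failure branch at gutter lines 201–206 logs only a generic message, so an operator hitting a FATAL at startup cannot tell why the requested floor was rejected, even though the native SSL_CTX_set_min_proto_version leaves the reason on the OpenSSL error queue and this message discards it. A detail line such as `(errmsg("could not set minimum SSL protocol version"), errdetail("%s", SSLerrmessage(ERR_get_error())))` would surface it, assuming the file's existing SSLerrmessage helper is in scope here, which this hunk does not show. The compatibility fallbacks in the later hunks return 0 without queuing anything, so the detail would be empty on that path but still useful with a modern OpenSSL. The same applies to the maximum-version branch in the next hunk, and be_tls_init continues on both sides of this hunk.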
@@ -209,7 +214,12 @@ be_tls_init(bool isServerStart)
209
214
210
215
if (ssl_ver == -1 )
211
216
goto error ;
212
- SSL_CTX_set_max_proto_version (context , ssl_ver );
217
+ if (!SSL_CTX_set_max_proto_version (context , ssl_ver ))
218
+ {
219
+ ereport (isServerStart ? FATAL : LOG ,
220
+ (errmsg ("could not set maximum SSL protocol version" )));
221
+ goto error ;
222
+ }
213
223
}
214
224
215
225
/* disallow SSL session tickets */
@@ -1335,13 +1345,30 @@ SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version)
1335
1345
1336
1346
if (version > TLS1_VERSION )
1337
1347
ssl_options |= SSL_OP_NO_TLSv1 ;
1348
+ /*
1349
+ * Some OpenSSL versions define TLS*_VERSION macros but not the
1350
+ * corresponding SSL_OP_NO_* macro, so in those cases we have to return
1351
+ * unsuccessfully here.
1352
+ */
1338
1353
#ifdef TLS1_1_VERSION
1339
1354
if (version > TLS1_1_VERSION )
1355
+ {
1356
+ #ifdef SSL_OP_NO_TLSv1_1
1340
1357
ssl_options |= SSL_OP_NO_TLSv1_1 ;
1358
+ #else
1359
+ return 0 ;
1360
+ #endif
1361
+ }
1341
1362
#endif
1342
1363
#ifdef TLS1_2_VERSION
1343
1364
if (version > TLS1_2_VERSION )
1365
+ {
1366
+ #ifdef SSL_OP_NO_TLSv1_2
1344
1367
ssl_options |= SSL_OP_NO_TLSv1_2 ;
1368
+ #else
1369
+ return 0 ;
1370
+ #endif
1371
+ }
1345
1372
#endif
1346
1373
1347
1374
SSL_CTX_set_options (ctx , ssl_options );
@@ -1356,13 +1383,30 @@ SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version)
1356
1383
1357
1384
AssertArg (version != 0 );
1358
1385
1386
+ /*
1387
+ * Some OpenSSL versions define TLS*_VERSION macros but not the
1388
+ * corresponding SSL_OP_NO_* macro, so in those cases we have to return
1389
+ * unsuccessfully here.
1390
+ */
1359
1391
#ifdef TLS1_1_VERSION
1360
1392
if (version < TLS1_1_VERSION )
1393
+ {
1394
+ #ifdef SSL_OP_NO_TLSv1_1
1361
1395
ssl_options |= SSL_OP_NO_TLSv1_1 ;
1396
+ #else
1397
+ return 0 ;
1398
+ #endif
1399
+ }
1362
1400
#endif
1363
1401
#ifdef TLS1_2_VERSION
1364
1402
if (version < TLS1_2_VERSION )
1403
+ {
1404
+ #ifdef SSL_OP_NO_TLSv1_2
1365
1405
ssl_options |= SSL_OP_NO_TLSv1_2 ;
1406
+ #else
1407
+ return 0 ;
1408
+ #endif
1409
+ }
1366
1410
#endif
1367
1411
1368
1412
SSL_CTX_set_options (ctx , ssl_options );