diff options
| author | Bruce Momjian | 2000-08-30 14:54:24 +0000 |
|---|---|---|
| committer | Bruce Momjian | 2000-08-30 14:54:24 +0000 |
| commit | 7bc654bb16dc08153060c8ddc1e0f3786026a483 (patch) | |
| tree | 5b9ae9cc8cb21a2ceb3e0db714a404ee96cfc4b1 /src/backend/postmaster | |
| parent | 3498ea830828feb8c5f6cf155a40df012cbc6d64 (diff) | |
SSL patch from Magnus
Diffstat (limited to 'src/backend/postmaster')
| -rw-r--r-- | src/backend/postmaster/postmaster.c | 52 |
1 files changed, 22 insertions, 30 deletions
diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c index 986e0e038cb..223b5bbe24c 100644 --- a/src/backend/postmaster/postmaster.c +++ b/src/backend/postmaster/postmaster.c @@ -11,7 +11,7 @@ * * * IDENTIFICATION - * $Header: /cvsroot/pgsql/src/backend/postmaster/postmaster.c,v 1.163 2000/08/29 16:40:19 tgl Exp $ + * $Header: /cvsroot/pgsql/src/backend/postmaster/postmaster.c,v 1.164 2000/08/30 14:54:22 momjian Exp $ * * NOTES * @@ -195,10 +195,7 @@ static int SendStop = false; bool NetServer = false; /* listen on TCP/IP */ #ifdef USE_SSL -static bool SecureNetServer = false; /* if not zero, postmaster listens - * for only SSL non-local - * connections */ - +static bool DisableSSL = false; /* Completely disable SSL, even if compiled in */ #endif static pid_t StartupPID = 0, @@ -455,7 +452,7 @@ PostmasterMain(int argc, char *argv[]) break; #ifdef USE_SSL case 'l': - SecureNetServer = true; + DisableSSL = true; break; #endif case 'm': @@ -566,13 +563,14 @@ PostmasterMain(int argc, char *argv[]) } #ifdef USE_SSL - if (!NetServer && SecureNetServer) + if (!NetServer && !DisableSSL) { - fprintf(stderr, "%s: For SSL, you must enable TCP/IP connections.\n", + fprintf(stderr, "%s: For SSL, you must enable TCP/IP connections. Use -l to disable SSL\n", progname); exit(1); } - InitSSL(); + if (!DisableSSL) + InitSSL(); #endif if (NetServer) @@ -754,7 +752,7 @@ usage(const char *progname) printf(" -F turn fsync off\n"); printf(" -i listen on TCP/IP sockets\n"); #ifdef USE_SSL - printf(" -l listen only on SSL connections (EXPERIMENTAL)\n"); + printf(" -l disable SSL\n"); #endif printf(" -N <number> maximum number of allowed connections (1..%d, default %d)\n", MAXBACKENDS, DEF_MAXBACKENDS); @@ -1062,7 +1060,11 @@ readStartupPacket(void *arg, PacketLen len, void *pkt) char SSLok; #ifdef USE_SSL - SSLok = 'S'; /* Support for SSL */ + if (DisableSSL || port->laddr.sa.sa_family != AF_INET) + /* No SSL when disabled or on Unix sockets */ + SSLok = 'N'; + else + SSLok = 'S'; /* Support for SSL */ #else SSLok = 'N'; /* No support for SSL */ #endif @@ -1073,13 +1075,15 @@ readStartupPacket(void *arg, PacketLen len, void *pkt) } #ifdef USE_SSL - if (!(port->ssl = SSL_new(SSL_context)) || - !SSL_set_fd(port->ssl, port->sock) || - SSL_accept(port->ssl) <= 0) - { - fprintf(stderr, "Failed to initialize SSL connection: %s, errno: %d (%s)\n", - ERR_reason_error_string(ERR_get_error()), errno, strerror(errno)); - return STATUS_ERROR; + if (SSLok == 'S') { + if (!(port->ssl = SSL_new(SSL_context)) || + !SSL_set_fd(port->ssl, port->sock) || + SSL_accept(port->ssl) <= 0) + { + fprintf(stderr, "Failed to initialize SSL connection: %s, errno: %d (%s)\n", + ERR_reason_error_string(ERR_get_error()), errno, strerror(errno)); + return STATUS_ERROR; + } } #endif /* ready for the normal startup packet */ @@ -1091,18 +1095,6 @@ readStartupPacket(void *arg, PacketLen len, void *pkt) /* Could add additional special packet types here */ -#ifdef USE_SSL - - /* - * Any SSL negotiation must have taken place here, so drop the - * connection ASAP if we require SSL - */ - if (SecureNetServer && !port->ssl) - { - PacketSendError(&port->pktInfo, "Backend requires secure connection."); - return STATUS_OK; - } -#endif /* Check we can handle the protocol the frontend is using. */ |