Robert Haas <robertmhaas@gmail.com> writes:
> On Mon, Dec 2, 2019 at 11:39 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> Maybe it'd be worth extending that to show the max supported
>> version, with some rats-nest of #ifdefs, but I'm not sure if
>> it's worth the trouble.
> Especially if we mess up the #ifdefs. :-)

Yah. Although, looking at the code in be-secure-openssl.c,
it doesn't look that hard to do in an extensible way.
Something like (untested)

static int
ssl_protocol_version_to_openssl(int v, const char *guc_name, int loglevel)
{
switch (v)
{
case PG_TLS_ANY:
return 0;
case PG_TLS1_VERSION:
+#define PG_MAX_TLS_VERSION "TLSv1"
return TLS1_VERSION;
case PG_TLS1_1_VERSION:
#ifdef TLS1_1_VERSION
+#undef PG_MAX_TLS_VERSION
+#define PG_MAX_TLS_VERSION "TLSv1.1"
return TLS1_1_VERSION;
#else
break;
#endif
case PG_TLS1_2_VERSION:
#ifdef TLS1_2_VERSION
+#undef PG_MAX_TLS_VERSION
+#define PG_MAX_TLS_VERSION "TLSv1.2"
return TLS1_2_VERSION;
#else
break;
#endif
case PG_TLS1_3_VERSION:
#ifdef TLS1_3_VERSION
+#undef PG_MAX_TLS_VERSION
+#define PG_MAX_TLS_VERSION "TLSv1.3"
return TLS1_3_VERSION;
#else
break;
#endif
}
ereport(loglevel,
(errmsg("%s setting %s not supported by this build",
guc_name,
- GetConfigOption(guc_name, false, false))));
+ GetConfigOption(guc_name, false, false)),
+ errdetail("Maximum supported TLS version is %s.",
+ PG_MAX_TLS_VERSION)));
return -1;
}
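
Review bot: the `#define`/`#undef PG_MAX_TLS_VERSION` lines sit inside the `case` arms, but the preprocessor resolves them in textual order regardless of which arm executes, so the string that reaches `errdetail` is correct only while the cases stay in ascending version order and each `#ifdef` block keeps its own `#undef`. A comment saying so above the `switch`, or moving the ladder to file scope just before the function, would keep a later reordering or a newly added `case` from silently reporting the wrong maximum. The macro also stays defined for the rest of be-secure-openssl.c after the function ends, so an `#undef PG_MAX_TLS_VERSION` after the closing brace is worth adding if nothing else is meant to use it. The value is derived from which `TLS1_x_VERSION` macros the OpenSSL headers define at compile time, which fits the "not supported by this build" wording; the `errdetail` text could say "by this build" as well, so it is not read as a statement about the library loaded at run time.
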
regards, tom lane