Re: BUG #17625: In PG15 PQsslAttribute returns different values than PG14 when SSL is not in use for the connection - Mailing list pgsql-bugs

From Tom Lane
Subject Re: BUG #17625: In PG15 PQsslAttribute returns different values than PG14 when SSL is not in use for the connection
Date
Msg-id 467714.1664488691@sss.pgh.pa.us
In response to Re: BUG #17625: In PG15 PQsslAttribute returns different values than PG14 when SSL is not in use for the connection  (Daniel Gustafsson <daniel@yesql.se>)
Responses Re: BUG #17625: In PG15 PQsslAttribute returns different values than PG14 when SSL is not in use for the connection
List pgsql-bugs
Daniel Gustafsson <daniel@yesql.se> writes:
>> On 29 Sep 2022, at 23:08, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> A definition that'd be consistent with what we just agreed to for
>> PQsslAttribute is:
>> PQsslAttributeNames(NULL): the attributes for the default SSL library,
>> or an empty list if there is none.
>> PQsslAttributeNames(conn): the attributes for the SSL library in use
>> on this connection, or an empty list if not encrypted.

> I think that makes sense, it keeps the API consistent.

So more or less as attached, then.

Since this is mostly about future-proofing, I'd personally be content
to put it in HEAD.  Is there a case for shoehorning this into
v15 at this late date?  Consistency with PQsslAttribute would be
good, but I'm not sure we want to make this kind of change post-RC1.

            regards, tom lane

diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 8908f775df..41864c6cf1 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -2592,12 +2592,22 @@ const char *PQsslAttribute(const PGconn *conn, const char *attribute_name);

<term><function>PQsslAttributeNames</function><indexterm><primary>PQsslAttributeNames</primary></indexterm></term>
      <listitem>
       <para>
-       Returns an array of SSL attribute names available.
+       Returns an array of SSL attribute names that can be used
+       in <function>PQsslAttribute()</function>.
        The array is terminated by a NULL pointer.
 <synopsis>
 const char * const * PQsslAttributeNames(const PGconn *conn);
 </synopsis>
       </para>
+
+      <para>
+       If <literal>conn</literal> is NULL, the attributes available for the
+       default SSL library are returned, or an empty list
+       if <application>libpq</application> was compiled without any SSL
+       support.  If <literal>conn</literal> is not NULL, the attributes
+       available for the SSL library in use for the connection are returned,
+       or an empty list if the connection is not encrypted.
+      </para>
      </listitem>
     </varlistentry>
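
Review bot: In the added paragraph, "an empty list" leaves the return value ambiguous for callers. The earlier sentence says the array is terminated by a NULL pointer, so it would help to state that the empty case is an array holding only that terminating NULL, and whether the function can ever return a NULL pointer itself. Callers that loop over the result until they reach NULL need to know whether a separate check on the returned pointer is required.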

diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 74b5c5987a..b42a908733 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -1730,7 +1730,7 @@ PQsslStruct(PGconn *conn, const char *struct_name)
 const char *const *
 PQsslAttributeNames(PGconn *conn)
 {
-    static const char *const result[] = {
+    static const char *const openssl_attrs[] = {
         "library",
         "key_bits",
         "cipher",
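
Review bot: The definition shown in the context lines of this hunk is PQsslAttributeNames(PGconn *conn), while the synopsis in the libpq.sgml hunk documents const PGconn *conn. Since the patch touches both places, it is a good moment to make the documented signature and the definition agree.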
@@ -1738,8 +1738,19 @@ PQsslAttributeNames(PGconn *conn)
         "protocol",
         NULL
     };
+    static const char *const empty_attrs[] = {NULL};

-    return result;
+    if (!conn)
+    {
+        /* Return attributes of default SSL library */
+        return openssl_attrs;
+    }
+
+    /* No attrs for unencrypted connection */
+    if (conn->ssl == NULL)
+        return empty_attrs;
+
+    return openssl_attrs;
 }

 const char *
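
Review bot: The "if (!conn)" branch and the final return both yield openssl_attrs, so the only case that behaves differently is a non-NULL conn with conn->ssl == NULL. A single test, "if (conn && conn->ssl == NULL) return empty_attrs;" followed by "return openssl_attrs;", would state that directly and would avoid mixing "!conn" with "== NULL" in adjacent checks; if the separate branch is kept for the sake of future SSL libraries, a comment saying so would help. Separately, the documentation hunk promises an empty list when libpq is compiled without any SSL support, but this diff changes only fe-secure-openssl.c, so please confirm that the build without SSL already behaves as documented.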
