> On 7 Mar 2024, at 20:58, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>
> I wrote:
>> Stephen Frost <sfrost@snowman.net> writes:
>>> Agreed that it doesn't seem well documented. I was trying to figure out
>>> what the 'right' answer here was myself and not having much success. If
>>> the above works, then +1 to that.
>
>> My reaction as well --- I was just gearing up to test this idea,
>> unless one of you are already on it?
>
> I've confirmed that this:
>
> diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
> index e12b1cc9e3..47eee4b59d 100644
> --- a/src/backend/libpq/be-secure-openssl.c
> +++ b/src/backend/libpq/be-secure-openssl.c
> @@ -1363,6 +1363,10 @@ SSLerrmessage(unsigned long ecode)
> errreason = ERR_reason_error_string(ecode);
> if (errreason != NULL)
> return errreason;
> +#ifdef ERR_SYSTEM_ERROR
> + if (ERR_SYSTEM_ERROR(ecode))
> + return strerror(ERR_GET_REASON(ecode));
> +#endif
> snprintf(errbuf, sizeof(errbuf), _("SSL error code %lu"), ecode);
> return errbuf;
> }
>
> seems to be enough to fix the problem on OpenSSL 3.1.1. The #ifdef
> is needed to avoid compile failure against OpenSSL 1.1.1 --- but that
> version doesn't have the problem, so we don't need to sweat.
This was introduced in OpenSSL 3.0.0 so that makes sense. Pre-3.0.0 versions
truncates system errorcodes that was outside of the range 1..127 reserving the
rest for OpenSSL specific errors. To capture the full range possible of system
errors the code is no longer truncated and the ERR_SYSTEM_FLAG flag is set,
which can be tested for with the macro used here.
> This could probably do with a comment, and we need to propagate
> the fix into libpq's copy of the function too. Barring objections,
> I'll take care of that and push it later today.
LGTM.
--
Daniel Gustafsson
