*
*
* IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/backend/postmaster/postmaster.c,v 1.163 2000/08/29 16:40:19 tgl Exp $
+ * $Header: /cvsroot/pgsql/src/backend/postmaster/postmaster.c,v 1.164 2000/08/30 14:54:22 momjian Exp $
*
* NOTES
*
bool NetServer = false; /* listen on TCP/IP */
#ifdef USE_SSL
-static bool SecureNetServer = false; /* if not zero, postmaster listens
- * for only SSL non-local
- * connections */
-
+static bool DisableSSL = false; /* Completely disable SSL, even if compiled in */
#endif
static pid_t StartupPID = 0,
break;
#ifdef USE_SSL
case 'l':
- SecureNetServer = true;
+ DisableSSL = true;
break;
#endif
case 'm':
}
#ifdef USE_SSL
- if (!NetServer && SecureNetServer)
+ if (!NetServer && !DisableSSL)
{
- fprintf(stderr, "%s: For SSL, you must enable TCP/IP connections.\n",
+ fprintf(stderr, "%s: For SSL, you must enable TCP/IP connections. Use -l to disable SSL\n",
progname);
exit(1);
}
- InitSSL();
+ if (!DisableSSL)
+ InitSSL();
#endif
if (NetServer)
printf(" -F turn fsync off\n");
printf(" -i listen on TCP/IP sockets\n");
#ifdef USE_SSL
- printf(" -l listen only on SSL connections (EXPERIMENTAL)\n");
+ printf(" -l disable SSL\n");
#endif
printf(" -N <number> maximum number of allowed connections (1..%d, default %d)\n",
MAXBACKENDS, DEF_MAXBACKENDS);
char SSLok;
#ifdef USE_SSL
- SSLok = 'S'; /* Support for SSL */
+ if (DisableSSL || port->laddr.sa.sa_family != AF_INET)
+ /* No SSL when disabled or on Unix sockets */
+ SSLok = 'N';
+ else
+ SSLok = 'S'; /* Support for SSL */
#else
SSLok = 'N'; /* No support for SSL */
#endif
}
#ifdef USE_SSL
- if (!(port->ssl = SSL_new(SSL_context)) ||
- !SSL_set_fd(port->ssl, port->sock) ||
- SSL_accept(port->ssl) <= 0)
- {
- fprintf(stderr, "Failed to initialize SSL connection: %s, errno: %d (%s)\n",
- ERR_reason_error_string(ERR_get_error()), errno, strerror(errno));
- return STATUS_ERROR;
+ if (SSLok == 'S') {
+ if (!(port->ssl = SSL_new(SSL_context)) ||
+ !SSL_set_fd(port->ssl, port->sock) ||
+ SSL_accept(port->ssl) <= 0)
+ {
+ fprintf(stderr, "Failed to initialize SSL connection: %s, errno: %d (%s)\n",
+ ERR_reason_error_string(ERR_get_error()), errno, strerror(errno));
+ return STATUS_ERROR;
+ }
}
#endif
/* ready for the normal startup packet */
/* Could add additional special packet types here */
-#ifdef USE_SSL
-
- /*
- * Any SSL negotiation must have taken place here, so drop the
- * connection ASAP if we require SSL
- */
- if (SecureNetServer && !port->ssl)
- {
- PacketSendError(&port->pktInfo, "Backend requires secure connection.");
- return STATUS_OK;
- }
-#endif
/* Check we can handle the protocol the frontend is using. */
*
* Copyright 2000 by PostgreSQL Global Development Group
*
- * $Header: /cvsroot/pgsql/src/bin/psql/startup.c,v 1.34 2000/07/02 15:21:17 petere Exp $
+ * $Header: /cvsroot/pgsql/src/bin/psql/startup.c,v 1.35 2000/08/30 14:54:23 momjian Exp $
*/
#include "postgres.h"
static void
showVersion(void);
+#ifdef USE_SSL
+static void
+ printSSLInfo(void);
+#endif
/*
" \\g or terminate with semicolon to execute query\n"
" \\q to quit\n\n", pset.progname);
}
-
+#ifdef USE_SSL
+ printSSLInfo();
+#endif
SetVariable(pset.vars, "PROMPT1", DEFAULT_PROMPT1);
SetVariable(pset.vars, "PROMPT2", DEFAULT_PROMPT2);
SetVariable(pset.vars, "PROMPT3", DEFAULT_PROMPT3);
puts("Read the file COPYRIGHT or use the command \\copyright to see the");
puts("usage and distribution terms.");
}
+
+
+
+/*
+ * printSSLInfo
+ *
+ * Prints information about the current SSL connection, if SSL is in use
+ */
+#ifdef USE_SSL
+static void
+printSSLInfo(void)
+{
+ int sslbits = -1;
+ SSL *ssl;
+
+ ssl = PQgetssl(pset.db);
+ if (!ssl)
+ return; /* no SSL */
+
+ SSL_get_cipher_bits(ssl, &sslbits);
+ printf("SSL enabled connection. Chiper: %s, bits: %i\n\n",
+ SSL_get_cipher(ssl),sslbits);
+}
+#endif
*
*
* IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-connect.c,v 1.132 2000/08/20 10:55:35 petere Exp $
+ * $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-connect.c,v 1.133 2000/08/30 14:54:23 momjian Exp $
*
*-------------------------------------------------------------------------
*/
#ifdef USE_SSL
static SSL_CTX *SSL_context = NULL;
-
#endif
#define NOTIFYLIST_INITIAL_SIZE 10
{"options", "PGOPTIONS", DefaultOption, NULL,
"Backend-Debug-Options", "D", 40},
+#ifdef USE_SSL
+ {"requiressl", "PGREQUIRESSL", "0", NULL,
+ "Require-SSL", "", 1 },
+#endif
+
/* Terminating entry --- MUST BE LAST */
{NULL, NULL, NULL, NULL,
NULL, NULL, 0}
conn->pguser = tmp ? strdup(tmp) : NULL;
tmp = conninfo_getval(connOptions, "password");
conn->pgpass = tmp ? strdup(tmp) : NULL;
+#ifdef USE_SSL
+ tmp = conninfo_getval(connOptions, "requiressl");
+ conn->require_ssl = tmp ? (tmp[0]=='1'?true:false) : false;
+#endif
/* ----------
* Free the option info - all is in conn now
else
conn->dbName = strdup(dbName);
+
+#ifdef USE_SSL
+ if ((tmp = getenv("PGREQUIRESSL")) != NULL)
+ conn->require_ssl = (tmp[0]=='1')?true:false;
+ else
+ conn->require_ssl = 0;
+#endif
+
if (error)
conn->status = CONNECTION_BAD;
else
goto connect_errReturn;
#endif
-#ifdef USE_SSL
-
- /*
- * This needs to be done before we set into nonblocking, since SSL
- * negotiation does not like that mode
+ /* ----------
+ * Start / make connection. We are hopefully in non-blocking mode
+ * now, but it is possible that:
+ * 1. Older systems will still block on connect, despite the
+ * non-blocking flag. (Anyone know if this is true?)
+ * 2. We are running under Windows, and aren't even trying
+ * to be non-blocking (see above).
+ * 3. We are using SSL.
+ * Thus, we have make arrangements for all eventualities.
+ * ----------
*/
+ if (connect(conn->sock, &conn->raddr.sa, conn->raddr_len) < 0)
+ {
+#ifndef WIN32
+ if (errno == EINPROGRESS || errno == 0)
+#else
+ if (WSAGetLastError() == WSAEINPROGRESS)
+#endif
+ {
+ /*
+ * This is fine - we're in non-blocking mode, and the
+ * connection is in progress.
+ */
+ conn->status = CONNECTION_STARTED;
+ }
+ else
+ {
+ /* Something's gone wrong */
+ printfPQExpBuffer(&conn->errorMessage,
+ "connectDBStart() -- connect() failed: %s\n"
+ "\tIs the postmaster running%s at '%s'\n"
+ "\tand accepting connections on %s '%s'?\n",
+ strerror(errno),
+ (family == AF_INET) ? " (with -i)" : "",
+ conn->pghost ? conn->pghost : "localhost",
+ (family == AF_INET) ?
+ "TCP/IP port" : "Unix socket",
+ conn->pgport);
+ goto connect_errReturn;
+ }
+ }
+ else
+ {
+ /* We're connected already */
+ conn->status = CONNECTION_MADE;
+ }
+
+#ifdef USE_SSL
/* Attempt to negotiate SSL usage */
if (conn->allow_ssl_try)
{
{
/* Received error - probably protocol mismatch */
if (conn->Pfdebug)
- fprintf(conn->Pfdebug, "Postmaster reports error, attempting fallback to pre-6.6.\n");
+ fprintf(conn->Pfdebug, "Postmaster reports error, attempting fallback to pre-7.0.\n");
close(conn->sock);
conn->allow_ssl_try = FALSE;
return connectDBStart(conn);
goto connect_errReturn;
}
}
-#endif
-
- /* ----------
- * Start / make connection. We are hopefully in non-blocking mode
- * now, but it is possible that:
- * 1. Older systems will still block on connect, despite the
- * non-blocking flag. (Anyone know if this is true?)
- * 2. We are running under Windows, and aren't even trying
- * to be non-blocking (see above).
- * 3. We are using SSL.
- * Thus, we have make arrangements for all eventualities.
- * ----------
- */
- if (connect(conn->sock, &conn->raddr.sa, conn->raddr_len) < 0)
+ if (conn->require_ssl && !conn->ssl)
{
-#ifndef WIN32
- if (errno == EINPROGRESS || errno == 0)
-#else
- if (WSAGetLastError() == WSAEINPROGRESS)
+ /* Require SSL, but server does not support/want it */
+ printfPQExpBuffer(&conn->errorMessage,
+ "Server does not support SSL when SSL was required.\n");
+ goto connect_errReturn;
+ }
#endif
- {
- /*
- * This is fine - we're in non-blocking mode, and the
- * connection is in progress.
- */
- conn->status = CONNECTION_STARTED;
- }
- else
- {
- /* Something's gone wrong */
- printfPQExpBuffer(&conn->errorMessage,
- "connectDBStart() -- connect() failed: %s\n"
- "\tIs the postmaster running%s at '%s'\n"
- "\tand accepting connections on %s '%s'?\n",
- strerror(errno),
- (family == AF_INET) ? " (with -i)" : "",
- conn->pghost ? conn->pghost : "localhost",
- (family == AF_INET) ?
- "TCP/IP port" : "Unix socket",
- conn->pgport);
- goto connect_errReturn;
- }
- }
- else
- {
- /* We're connected already */
- conn->status = CONNECTION_MADE;
- }
/*
* This makes the connection non-blocking, for all those cases which
#endif
+#ifdef USE_SSL
+SSL *PQgetssl(PGconn *conn)
+{
+ if (!conn)
+ return NULL;
+ return conn->ssl;
+}
+#endif
+
void
PQtrace(PGconn *conn, FILE *debug_port)
{
projects / postgresql / commitdiff