Use abstracted SSL API in server connection log messages
authorPeter Eisentraut <peter_e@gmx.net>
Thu, 25 Jan 2018 13:58:00 +0000 (08:58 -0500)
committerPeter Eisentraut <peter_e@gmx.net>
Fri, 26 Jan 2018 14:50:46 +0000 (09:50 -0500)
The existing "connection authorized" server log messages used OpenSSL
API calls directly, even though similar abstracted API calls exist.
Change to use the latter instead.

Change the function prototype for the functions that return the TLS
version and the cipher to return const char * directly instead of
copying into a buffer.  That makes them slightly easier to use.

Add bits= to the message.  psql shows that, so we might as well show the
same information on the client and server.

Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
Reviewed-by: Michael Paquier <michael.paquier@gmail.com>
src/backend/libpq/be-secure-openssl.c
src/backend/postmaster/pgstat.c
src/backend/utils/init/postinit.c
src/include/libpq/libpq-be.h

index 02601da6c8211e3d48624e5ba6bb012ce58ac6a4..e1ddfb3c16e3e072cbf96e18e0424a0b7ea1a51b 100644 (file)
@@ -1047,22 +1047,22 @@ be_tls_get_compression(Port *port)
                return false;
 }
 
-void
-be_tls_get_version(Port *port, char *ptr, size_t len)
+const char *
+be_tls_get_version(Port *port)
 {
        if (port->ssl)
-               strlcpy(ptr, SSL_get_version(port->ssl), len);
+               return SSL_get_version(port->ssl);
        else
-               ptr[0] = '\0';
+               return NULL;
 }
 
-void
-be_tls_get_cipher(Port *port, char *ptr, size_t len)
+const char *
+be_tls_get_cipher(Port *port)
 {
        if (port->ssl)
-               strlcpy(ptr, SSL_get_cipher(port->ssl), len);
+               return SSL_get_cipher(port->ssl);
        else
-               ptr[0] = '\0';
+               return NULL;
 }
 
 void
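Review bot: The new `return NULL;` branches in be_tls_get_version and be_tls_get_cipher introduce a NULL-returning contract that none of the new call sites check: pgstat.c hands the result straight to strlcpy (the two added lines under pgstat_bestart) and postinit.c passes it to `%s` in both "connection authorized" ereports, and a NULL there is undefined behaviour in either case. Those callers are safe only because each sits under an ssl_in_use / st_ssl guard that is outside or at the edge of the hunks, so the guard is the load-bearing part of the change and should be stated where the functions are defined. I would add above each definition `/* Returns NULL when port has no active SSL connection; callers must test port->ssl_in_use first. */`, and the same sentence in the comment block preceding the prototypes in libpq-be.h. Since the functions no longer copy into a caller buffer, it is also worth noting in that comment that the returned pointers come from OpenSSL and are not owned by the caller, so they must not be freed or modified.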
index d13011454c61c3e7bc46b867fa53f89196790f27..605b1832be6e98ebc07e46f6a1d7a26a180ab333 100644 (file)
@@ -2909,8 +2909,8 @@ pgstat_bestart(void)
                beentry->st_ssl = true;
                beentry->st_sslstatus->ssl_bits = be_tls_get_cipher_bits(MyProcPort);
                beentry->st_sslstatus->ssl_compression = be_tls_get_compression(MyProcPort);
-               be_tls_get_version(MyProcPort, beentry->st_sslstatus->ssl_version, NAMEDATALEN);
-               be_tls_get_cipher(MyProcPort, beentry->st_sslstatus->ssl_cipher, NAMEDATALEN);
+               strlcpy(beentry->st_sslstatus->ssl_version, be_tls_get_version(MyProcPort), NAMEDATALEN);
+               strlcpy(beentry->st_sslstatus->ssl_cipher, be_tls_get_cipher(MyProcPort), NAMEDATALEN);
                be_tls_get_peerdn_name(MyProcPort, beentry->st_sslstatus->ssl_clientdn, NAMEDATALEN);
        }
        else
index f9b330998d324e1a0857803ee539b7d31df3a8cd..484628987f44ea0b306afe7d2d03fa6f9891e7fc 100644 (file)
@@ -246,12 +246,15 @@ PerformAuthentication(Port *port)
        {
                if (am_walsender)
                {
-#ifdef USE_OPENSSL
+#ifdef USE_SSL
                        if (port->ssl_in_use)
                                ereport(LOG,
-                                               (errmsg("replication connection authorized: user=%s SSL enabled (protocol=%s, cipher=%s, compression=%s)",
-                                                               port->user_name, SSL_get_version(port->ssl), SSL_get_cipher(port->ssl),
-                                                               SSL_get_current_compression(port->ssl) ? _("on") : _("off"))));
+                                               (errmsg("replication connection authorized: user=%s SSL enabled (protocol=%s, cipher=%s, bits=%d, compression=%s)",
+                                                               port->user_name,
+                                                               be_tls_get_version(port),
+                                                               be_tls_get_cipher(port),
+                                                               be_tls_get_cipher_bits(port),
+                                                               be_tls_get_compression(port) ? _("on") : _("off"))));
                        else
 #endif
                                ereport(LOG,
@@ -260,12 +263,15 @@ PerformAuthentication(Port *port)
                }
                else
                {
-#ifdef USE_OPENSSL
+#ifdef USE_SSL
                        if (port->ssl_in_use)
                                ereport(LOG,
-                                               (errmsg("connection authorized: user=%s database=%s SSL enabled (protocol=%s, cipher=%s, compression=%s)",
-                                                               port->user_name, port->database_name, SSL_get_version(port->ssl), SSL_get_cipher(port->ssl),
-                                                               SSL_get_current_compression(port->ssl) ? _("on") : _("off"))));
+                                               (errmsg("connection authorized: user=%s database=%s SSL enabled (protocol=%s, cipher=%s, bits=%d, compression=%s)",
+                                                               port->user_name, port->database_name,
+                                                               be_tls_get_version(port),
+                                                               be_tls_get_cipher(port),
+                                                               be_tls_get_cipher_bits(port),
+                                                               be_tls_get_compression(port) ? _("on") : _("off"))));
                        else
 #endif
                                ereport(LOG,
index 584f794b9e5892f978803851eaebdbe4bb1bec54..7698cd1f88a766120d3474bc26e0fd569254323e 100644 (file)
@@ -256,8 +256,8 @@ extern ssize_t be_tls_write(Port *port, void *ptr, size_t len, int *waitfor);
  */
 extern int     be_tls_get_cipher_bits(Port *port);
 extern bool be_tls_get_compression(Port *port);
-extern void be_tls_get_version(Port *port, char *ptr, size_t len);
-extern void be_tls_get_cipher(Port *port, char *ptr, size_t len);
+extern const char *be_tls_get_version(Port *port);
+extern const char *be_tls_get_cipher(Port *port);
 extern void be_tls_get_peerdn_name(Port *port, char *ptr, size_t len);
 
 /*