From: Marko Kreen
Date: Sat, 12 Mar 2016 12:31:26 +0000 (+0200)
Subject: tls: reject client TLS request on unix socket
X-Git-Tag: pgbouncer_1_8~44
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=89354f95e7742d243f9897715b86d05c40070c8d;p=pgbouncer
tls: reject client TLS request on unix socket
---
diff --git a/src/client.c b/src/client.c
index 24a0981..6e568cd 100644
--- a/src/client.c
+++ b/src/client.c
@@ -469,6 +469,7 @@ static bool handle_client_startup(PgSocket *client, PktHdr *pkt)
 const char *passwd;
 const uint8_t *key;
 bool ok;
+ bool is_unix = pga_is_unix(&client->remote_addr);
 SBuf *sbuf = &client->sbuf;
@@ -496,7 +497,7 @@ static bool handle_client_startup(PgSocket *client, PktHdr *pkt)
 disconnect_client(client, false, "SSL req inside SSL");
 return false;
 }
- if (cf_client_tls_sslmode != SSLMODE_DISABLED) {
+ if (cf_client_tls_sslmode != SSLMODE_DISABLED && !is_unix) {
 slog_noise(client, "P: SSL ack");
 if (!sbuf_answer(&client->sbuf, "S", 1)) {
 disconnect_client(client, false, "failed to ack SSL");
@@ -521,7 +522,7 @@ static bool handle_client_startup(PgSocket *client, PktHdr *pkt)
 return false;
 case PKT_STARTUP:
 /* require SSL except on unix socket */
- if (cf_client_tls_sslmode >= SSLMODE_REQUIRE && !client->sbuf.tls && !pga_is_unix(&client->remote_addr)) {
+ if (cf_client_tls_sslmode >= SSLMODE_REQUIRE && !client->sbuf.tls && !is_unix) {
 disconnect_client(client, true, "SSL required");
 return false;
 }
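Review bot: The `&& !is_unix` added to the SSL-request test carries no comment, so a reader cannot tell that declining TLS on a unix socket is deliberate rather than a leftover; the parallel exemption under `case PKT_STARTUP` is commented. I would add `/* never negotiate TLS on a unix socket; such requests take the plain reject path below */` above the `if`. That reject path lies outside this hunk, so it is worth confirming that it answers the client and logs something that lets an operator see why a local client configured to demand TLS could not connect. `is_unix` could also be declared `const bool`, since it is set once in the first hunk and never reassigned in the lines shown.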
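Review bot: The `!is_unix` exemption under `case PKT_STARTUP` applies to every mode at or above `SSLMODE_REQUIRE`, and after this commit a unix-socket client has no way to opt into TLS at all. If any stricter mode is relied on to verify client certificates, local connections skip that verification here; whether a later authentication step compensates is not visible in this hunk, as the function continues past it. The comment should spell out the trust assumption, e.g. `/* require SSL except on unix socket: local peers are gated by socket file permissions, not TLS */`, and the configuration docs should say the same so operators set the socket directory's permissions accordingly.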