Commit 705843d

Enhance libpq encryption negotiation tests with new GUC
The new "log_connection_negotiation" server option causes the server to print messages to the log when it receives a SSLRequest or GSSENCRequest packet from the client. Together with "log_connections", it gives a trace of how a connection and encryption is negotiated.

Use the option in the libpq_encryption test, to verify in more detail how libpq negotiates encryption with different gssencmode and sslmode options.

This revealed a couple of cases where libpq retries encryption or authentication, when it should already know that it cannot succeed. I marked them with XXX comments in the test tables. They only happen when the connection was going to fail anyway, and only with rare combinations of options, so they're not serious.

Discussion: https://www.postgresql.org/message-id/CAEze2Wja8VUoZygCepwUeiCrWa4jP316k0mvJrOW4PFmWP0Tcw@mail.gmail.com
1 parent 20f9b61 commit 705843d
3 files changed: +255 -159 lines changed
‎src/backend/tcop/backend_startup.c

Lines changed: 23 additions & 0 deletions
@@ -37,6 +37,9 @@
3737
#include "utils/ps_status.h"
3838
#include "utils/timeout.h"
3939

40+
/* GUCs */
41+
bool Trace_connection_negotiation = false;
42+
4043
static void BackendInitialize(ClientSocket *client_sock, CAC_state cac);
4144
static int ProcessStartupPacket(Port *port, bool ssl_done, bool gss_done);
4245
static void SendNegotiateProtocolVersion(List *unrecognized_protocol_options);
@@ -474,6 +477,16 @@ ProcessStartupPacket(Port *port, bool ssl_done, bool gss_done)
474477
SSLok = 'N'; /* No support for SSL */
475478
#endif
476479

480+
if (Trace_connection_negotiation)
481+
{
482+
if (SSLok == 'S')
483+
ereport(LOG,
484+
(errmsg("SSLRequest accepted")));
485+
else
486+
ereport(LOG,
487+
(errmsg("SSLRequest rejected")));
488+
}
489+
477490
retry1:
478491
if (send(port->sock, &SSLok, 1, 0) != 1)
479492
{
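Review bot: The new LOG block sits above the `retry1:` label and the `send(port->sock, &SSLok, 1, 0)` call, so "SSLRequest accepted" records only the server's decision, not that the response byte reached the client or that a TLS handshake followed. If the send fails, the log still shows an accepted request. Placing the block above the label does keep the message from being repeated on a retry, which is good; a one-line comment above the block saying that the message reflects the decision and is emitted before the reply is sent would stop readers of the trace from treating it as proof of an encrypted session.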
@@ -519,6 +532,16 @@ ProcessStartupPacket(Port *port, bool ssl_done, bool gss_done)
519532
GSSok = 'G';
520533
#endif
521534

535+
if (Trace_connection_negotiation)
536+
{
537+
if (GSSok == 'G')
538+
ereport(LOG,
539+
(errmsg("GSSENCRequest accepted")));
540+
else
541+
ereport(LOG,
542+
(errmsg("GSSENCRequest rejected")));
543+
}
544+
522545
while (send(port->sock, &GSSok, 1, 0) != 1)
523546
{
524547
if (errno == EINTR)
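Review bot: This block in the GSSENCRequest branch, like the SSLRequest one before it, runs before any authentication, so with the option enabled an unauthenticated client decides how many of these LOG lines are written simply by opening connections and sending the request packet. The option defaults to false and is registered under DEVELOPER_OPTIONS in guc_tables.c, which limits the exposure, but the option's description or documentation should say it is meant for tests and debugging rather than production logging. As a separate style point, these are developer-only trace strings, so errmsg_internal() instead of errmsg() would keep "GSSENCRequest accepted" and "GSSENCRequest rejected" out of the translation catalogs.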

‎src/backend/utils/misc/guc_tables.c

Lines changed: 11 additions & 0 deletions
@@ -96,6 +96,7 @@
9696

9797
/* XXX these should appear in other modules' header files */
9898
extern bool Log_disconnections;
99+
extern bool Trace_connection_negotiation;
99100
extern int CommitDelay;
100101
extern int CommitSiblings;
101102
extern char *default_tablespace;
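Review bot: The added `extern bool Trace_connection_negotiation;` goes directly under the existing comment `/* XXX these should appear in other modules' header files */`, so it lengthens the list that comment asks to shrink. The variable is defined in backend_startup.c; declaring it in a header owned by that module and including the header here would let the compiler check the declaration against the definition instead of relying on two hand-written copies staying in sync.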
@@ -1224,6 +1225,16 @@ struct config_bool ConfigureNamesBool[] =
12241225
false,
12251226
NULL, NULL, NULL
12261227
},
1228+
{
1229+
{"trace_connection_negotiation", PGC_POSTMASTER, DEVELOPER_OPTIONS,
1230+
gettext_noop("Log details of pre-authentication connection handshake."),
1231+
NULL,
1232+
GUC_NOT_IN_SAMPLE
1233+
},
1234+
&Trace_connection_negotiation,
1235+
false,
1236+
NULL, NULL, NULL
1237+
},
12271238
{
12281239
{"log_disconnections", PGC_SU_BACKEND, LOGGING_WHAT,
12291240
gettext_noop("Logs end of a session, including duration."),
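Review bot: The new entry registers the option as `trace_connection_negotiation`, while the commit message calls it "log_connection_negotiation"; the two should agree so that anyone searching the log or the history for the option finds it. The entry is also PGC_POSTMASTER, so it can only be set at server start, and GUC_NOT_IN_SAMPLE keeps it out of the sample configuration file. With no documentation change visible in this diff, the gettext_noop() description is the only user-facing explanation, and it would help for it to state that the messages cover SSLRequest and GSSENCRequest handling specifically.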
