*** ./backend/postmaster/postmaster.c.orig Sat Aug 19 14:39:05 2000 --- ./backend/postmaster/postmaster.c Sat Aug 19 16:17:37 2000 *************** *** 1065,1071 **** char SSLok; #ifdef USE_SSL ! SSLok = 'S'; /* Support for SSL */ #else SSLok = 'N'; /* No support for SSL */ #endif --- 1065,1074 ---- char SSLok; #ifdef USE_SSL ! if (port->laddr.sa.sa_family == AF_UNIX) ! SSLok = 'N'; /* No SSL on Unix sockets */ ! else ! SSLok = 'S'; /* Support for SSL */ #else SSLok = 'N'; /* No support for SSL */ #endif *************** *** 1076,1088 **** } #ifdef USE_SSL ! if (!(port->ssl = SSL_new(SSL_context)) || ! !SSL_set_fd(port->ssl, port->sock) || ! SSL_accept(port->ssl) <= 0) ! { ! fprintf(stderr, "Failed to initialize SSL connection: %s, errno: %d (%s)\n", ! ERR_reason_error_string(ERR_get_error()), errno, strerror(errno)); ! return STATUS_ERROR; } #endif /* ready for the normal startup packet */ --- 1079,1094 ---- } #ifdef USE_SSL ! if (port->laddr.sa.sa_family != AF_UNIX) { ! /* Don't do SSL over Unix sockets */ ! if (!(port->ssl = SSL_new(SSL_context)) || ! !SSL_set_fd(port->ssl, port->sock) || ! SSL_accept(port->ssl) <= 0) ! { ! fprintf(stderr, "Failed to initialize SSL connection: %s, errno: %d (%s)\n", ! ERR_reason_error_string(ERR_get_error()), errno, strerror(errno)); ! return STATUS_ERROR; ! } } #endif /* ready for the normal startup packet */ *************** *** 1100,1106 **** * Any SSL negotiation must have taken place here, so drop the * connection ASAP if we require SSL */ ! if (SecureNetServer && !port->ssl) { PacketSendError(&port->pktInfo, "Backend requires secure connection."); return STATUS_OK; --- 1106,1112 ---- * Any SSL negotiation must have taken place here, so drop the * connection ASAP if we require SSL */ ! 
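Review bot: The socket-family test `port->laddr.sa.sa_family == AF_UNIX` that picks SSLok here is repeated in the SSL_accept hunk and appears again, in the different form `== AF_INET`, in the SecureNetServer hunk, so the three decisions can drift apart. Computing it once in the enclosing function, e.g. `int unix_sock = (port->laddr.sa.sa_family == AF_UNIX);` with the comment `/* SSL is only offered, negotiated and required on non-Unix sockets */`, would keep them in step. The enclosing function starts and ends outside this hunk, so where the Port is set up is not visible here.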
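Review bot: When SSL_new succeeds but SSL_set_fd or SSL_accept fails, port->ssl is left pointing at a half-initialized SSL object and the function returns STATUS_ERROR without releasing it; presumably the caller discards the whole Port, but `SSL_free(port->ssl); port->ssl = NULL;` before the return would make the error path self-contained. The new AF_UNIX branch never assigns port->ssl, so the later `!port->ssl` test in this function now relies on port->ssl being NULL when the Port is allocated — that allocation is outside the hunk and worth confirming. The enclosing function starts and ends outside this hunk.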
if (SecureNetServer && port->laddr.sa.sa_family == AF_INET && !port->ssl) { PacketSendError(&port->pktInfo, "Backend requires secure connection."); return STATUS_OK; *************** *** 2078,2090 **** fprintf(stderr, "Failed to create SSL context: %s\n", ERR_reason_error_string(ERR_get_error())); exit(1); } ! snprintf(fnbuf, sizeof(fnbuf), "%s/server.crt", DataDir); if (!SSL_CTX_use_certificate_file(SSL_context, fnbuf, SSL_FILETYPE_PEM)) { fprintf(stderr, "Failed to load server certificate (%s): %s\n", fnbuf, ERR_reason_error_string(ERR_get_error())); exit(1); } ! snprintf(fnbuf, sizeof(fnbuf), "%s/server.key", DataDir); if (!SSL_CTX_use_PrivateKey_file(SSL_context, fnbuf, SSL_FILETYPE_PEM)) { fprintf(stderr, "Failed to load private key file (%s): %s\n", fnbuf, ERR_reason_error_string(ERR_get_error())); --- 2084,2096 ---- fprintf(stderr, "Failed to create SSL context: %s\n", ERR_reason_error_string(ERR_get_error())); exit(1); } ! snprintf(fnbuf, sizeof(fnbuf), "%s/global/server.crt", DataDir); if (!SSL_CTX_use_certificate_file(SSL_context, fnbuf, SSL_FILETYPE_PEM)) { fprintf(stderr, "Failed to load server certificate (%s): %s\n", fnbuf, ERR_reason_error_string(ERR_get_error())); exit(1); } ! snprintf(fnbuf, sizeof(fnbuf), "%s/global/server.key", DataDir); if (!SSL_CTX_use_PrivateKey_file(SSL_context, fnbuf, SSL_FILETYPE_PEM)) { fprintf(stderr, "Failed to load private key file (%s): %s\n", fnbuf, ERR_reason_error_string(ERR_get_error())); *** ./backend/utils/adt/Makefile.orig Sat Aug 19 15:12:16 2000 --- ./backend/utils/adt/Makefile Sat Aug 19 15:12:27 2000 *************** *** 24,30 **** tid.o timestamp.o varbit.o varchar.o varlena.o version.o \ network.o mac.o inet_net_ntop.o inet_net_pton.o \ ri_triggers.o pg_lzcompress.o pg_locale.o formatting.o \ ! ascii.o all: SUBSYS.o --- 24,30 ---- tid.o timestamp.o varbit.o varchar.o varlena.o version.o \ network.o mac.o inet_net_ntop.o inet_net_pton.o \ ri_triggers.o pg_lzcompress.o pg_locale.o formatting.o \ ! 
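Review bot: The SecureNetServer check now demands SSL only for `AF_INET`, while the two earlier hunks in this function offer and negotiate SSL for every family other than `AF_UNIX`, so any other address family would pass through unencrypted even with SecureNetServer set. Using the same predicate in all three places, `if (SecureNetServer && port->laddr.sa.sa_family != AF_UNIX && !port->ssl)`, keeps the requirement exactly as wide as the offer. The enclosing function starts and ends outside this hunk.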
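Review bot: The relocated certificate and key paths are built with snprintf into fnbuf without checking its return value, so a DataDir long enough to overflow fnbuf (declared outside the hunk) silently truncates the path and the error message then names a file that was never requested. Checking the result, e.g. `int n = snprintf(...); if (n < 0 || (size_t)n >= sizeof(fnbuf)) { fprintf(stderr, "SSL certificate path too long\n"); exit(1); }`, matches the surrounding fatal-error style. A one-line comment at the first snprintf saying the files now live in the `global/` subdirectory of the data directory would also document the move for anyone who still expects them at the old location.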
ascii.o ssl.o all: SUBSYS.o *** ./backend/utils/adt/ssl.c.orig Sat Aug 19 15:08:47 2000 --- ./backend/utils/adt/ssl.c Sat Aug 19 16:50:53 2000 *************** *** 0 **** --- 1,46 ---- + /*------------------------------------------------------------------------- + * + * ssl.c + * Returns information about SSL on the active connection + * + * IDENTIFICATION + * + * $Header$ + * + *------------------------------------------------------------------------- + */ + + #include "postgres.h" + + #include "utils/builtins.h" + #include "libpq/libpq-be.h" + #include "miscadmin.h" + + Datum pgsql_sslinfo(PG_FUNCTION_ARGS) + { + char retstr[256]; + int n; + text *ret; + + #ifdef USE_SSL + if (!MyProcPort->ssl) { + strcpy(retstr, "SSL not active on connection."); + } + else { + int sslbits; + SSL_get_cipher_bits(MyProcPort->ssl, &sslbits); + snprintf(retstr, sizeof(retstr)-1, "SSL cipher: %s, bits: %i", SSL_get_cipher(MyProcPort->ssl), sslbits); + } + #else + strcpy(retstr, "SSL not supported by this server."); + #endif + + n = strlen(retstr); + ret = (text *) palloc(n + VARHDRSZ); + + VARATT_SIZEP(ret) = n + VARHDRSZ; + memcpy(VARDATA(ret), retstr, n); + + PG_RETURN_TEXT_P(ret); + } + *** ./include/catalog/pg_proc.h.orig Sat Aug 19 15:35:20 2000 --- ./include/catalog/pg_proc.h Sat Aug 19 16:25:32 2000 *************** *** 209,214 **** --- 209,215 ---- DESCR("not equal"); DATA(insert OID = 89 ( version PGUID 12 f t f t 0 f 25 "" 100 0 0 100 pgsql_version - )); DESCR("PostgreSQL version string"); + DATA(insert OID = 1874 ( sslinfo PGUID 12 f t f t 0 f 25 "" 100 0 0 100 pgsql_sslinfo - )); DATA(insert OID = 1265 ( rtcostestimate PGUID 12 f t f t 7 f 0 "0 0 0 0 0 0 0" 100 0 0 100 rtcostestimate - )); DESCR("r-tree cost estimator"); *** ./include/utils/builtins.h.orig Sat Aug 19 15:34:36 2000 --- ./include/utils/builtins.h Sat Aug 19 15:35:02 2000 *************** *** 428,433 **** --- 428,436 ---- /* version.c */ extern Datum pgsql_version(PG_FUNCTION_ARGS); + /* ssl.c */ + extern Datum 
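Review bot: `SSL_get_cipher_bits(MyProcPort->ssl, &sslbits)` stores the cipher's algorithm bit count in sslbits and returns the number of secret bits actually in use, so the "bits" reported by pgsql_sslinfo overstates the strength of an export-grade cipher (the algorithm count can be 128 while only 40 bits are secret); use the return value instead, `sslbits = SSL_get_cipher_bits(MyProcPort->ssl, NULL);`. The `sizeof(retstr)-1` passed to snprintf is unnecessary because snprintf already NUL-terminates within the size it is given, and the function has no header comment; a short block comment stating that it returns a text describing the SSL state of the calling backend's own connection (MyProcPort) and the cipher in use would help readers of the catalog.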
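Review bot: The new `DATA(insert OID = 1874 ( sslinfo ... ))` line has no `DESCR(...)` entry, unlike its neighbours `version` and `rtcostestimate`; add `DESCR("SSL status of the current connection");` directly after it so the function carries a description in the catalog. Whether OID 1874 is unused elsewhere cannot be checked from this hunk.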
pgsql_sslinfo(PG_FUNCTION_ARGS); + /* like.c */ extern Datum namelike(PG_FUNCTION_ARGS); extern Datum namenlike(PG_FUNCTION_ARGS); *** ./interfaces/libpq/fe-connect.c.orig Sat Aug 19 14:55:23 2000 --- ./interfaces/libpq/fe-connect.c Sat Aug 19 15:04:46 2000 *************** *** 781,793 **** goto connect_errReturn; #endif - #ifdef USE_SSL ! /* ! * This needs to be done before we set into nonblocking, since SSL ! * negotiation does not like that mode */ /* Attempt to negotiate SSL usage */ if (conn->allow_ssl_try) { --- 781,836 ---- goto connect_errReturn; #endif ! /* ---------- ! * Start / make connection. We are hopefully in non-blocking mode ! * now, but it is possible that: ! * 1. Older systems will still block on connect, despite the ! * non-blocking flag. (Anyone know if this is true?) ! * 2. We are running under Windows, and aren't even trying ! * to be non-blocking (see above). ! * 3. We are using SSL. ! * Thus, we have make arrangements for all eventualities. ! * ---------- */ + if (connect(conn->sock, &conn->raddr.sa, conn->raddr_len) < 0) + { + #ifndef WIN32 + if (errno == EINPROGRESS || errno == 0) + #else + if (WSAGetLastError() == WSAEINPROGRESS) + #endif + { + + /* + * This is fine - we're in non-blocking mode, and the + * connection is in progress. + */ + conn->status = CONNECTION_STARTED; + } + else + { + /* Something's gone wrong */ + printfPQExpBuffer(&conn->errorMessage, + "connectDBStart() -- connect() failed: %s\n" + "\tIs the postmaster running%s at '%s'\n" + "\tand accepting connections on %s '%s'?\n", + strerror(errno), + (family == AF_INET) ? " (with -i)" : "", + conn->pghost ? conn->pghost : "localhost", + (family == AF_INET) ? 
+ "TCP/IP port" : "Unix socket", + conn->pgport); + goto connect_errReturn; + } + } + else + { + /* We're connected already */ + conn->status = CONNECTION_MADE; + } + #ifdef USE_SSL /* Attempt to negotiate SSL usage */ if (conn->allow_ssl_try) { *************** *** 850,903 **** } } #endif - - /* ---------- - * Start / make connection. We are hopefully in non-blocking mode - * now, but it is possible that: - * 1. Older systems will still block on connect, despite the - * non-blocking flag. (Anyone know if this is true?) - * 2. We are running under Windows, and aren't even trying - * to be non-blocking (see above). - * 3. We are using SSL. - * Thus, we have make arrangements for all eventualities. - * ---------- - */ - if (connect(conn->sock, &conn->raddr.sa, conn->raddr_len) < 0) - { - #ifndef WIN32 - if (errno == EINPROGRESS || errno == 0) - #else - if (WSAGetLastError() == WSAEINPROGRESS) - #endif - { - - /* - * This is fine - we're in non-blocking mode, and the - * connection is in progress. - */ - conn->status = CONNECTION_STARTED; - } - else - { - /* Something's gone wrong */ - printfPQExpBuffer(&conn->errorMessage, - "connectDBStart() -- connect() failed: %s\n" - "\tIs the postmaster running%s at '%s'\n" - "\tand accepting connections on %s '%s'?\n", - strerror(errno), - (family == AF_INET) ? " (with -i)" : "", - conn->pghost ? conn->pghost : "localhost", - (family == AF_INET) ? - "TCP/IP port" : "Unix socket", - conn->pgport); - goto connect_errReturn; - } - } - else - { - /* We're connected already */ - conn->status = CONNECTION_MADE; - } /* * This makes the connection non-blocking, for all those cases which --- 893,898 ----
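Review bot: The comment block moved with connect() still says "We are hopefully in non-blocking mode now", but as far as this hunk shows the switch to non-blocking mode (the "This makes the connection non-blocking" comment visible after the deleted block) happens later, and the removed comment explaining that SSL negotiation has to run before the socket goes non-blocking was dropped rather than moved. The text now misdescribes the socket's state at the point where both connect() and the SSL handshake run; rewording it, e.g. `/* connect() and SSL negotiation run here while the socket is still blocking; it is switched to non-blocking mode further down. */`, would keep the ordering constraint documented, and the EINPROGRESS branch deserves a note on which platforms can still return it for a blocking connect. connectDBStart starts and ends outside this hunk.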