From 4eaa430e3ef06162a5655dc7baff9be40f2e1cce Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <daniel@yesql.se>
Date: Tue, 16 Feb 2021 16:01:08 +0100
Subject: [PATCH] Refactor check for SSL connection

PQgetssl has been discouraged from use since postgres 9.5 since it
will risk false negatives if postgres supports other TLS libraries
than OpenSSL. Refactor to use PQsslInUse which has been available
since 9.5 for just this purpose.
---
 configure.ac | 2 ++
 connection.c | 5 ++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index 8453a29..090972a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -258,6 +258,8 @@ AC_C_CONST
 AC_FUNC_STRERROR_R
 AC_CHECK_FUNCS(strtoul strtoll strlcat mbstowcs wcstombs mbrtoc16 c16rtomb)
 
+AC_CHECK_FUNCS(PQsslInUse)
+
 if test "$enable_pthreads" = yes; then
   AC_CHECK_FUNCS(localtime_r strtok_r pthread_mutexattr_settype)
 
diff --git a/connection.c b/connection.c
index 070e043..02794ff 100644
--- a/connection.c
+++ b/connection.c
@@ -3263,10 +3263,13 @@ DLL_DECLARE int PgDtc_is_recovery_available(void *self, char *reason, int rsize)
 	/*
 	 * Did we use SSL client certificate, SSPI, Kerberos or similar
 	 * authentication methods?
-	 * There seems no way to check it directly.
 	 */
 	doubtCert = FALSE;
+#ifdef HAVE_PQSSLINUSE
+	if (PQsslInUse(conn->pqconn))
+#else
 	if (PQgetssl(conn->pqconn) != NULL)
+#endif
 		doubtCert = TRUE;
 
 	nameSize = sizeof(loginUser);
-- 
2.39.5