
Back-patch libpq support for TLS versions beyond v1. · postgrespro/postgres@4dddf85 · GitHub

Commit 4dddf85

committed
Back-patch libpq support for TLS versions beyond v1.
Since 7.3.2, libpq has been coded in such a way that the only SSL protocol it would allow was TLS v1. That approach is looking increasingly obsolete. In commit 820f08c we fixed it to allow TLS >= v1, but did not back-patch the change at the time, partly out of caution and partly because the question was confused by a contemporary server-side change to reject the now-obsolete SSL protocol v3. 9.4 has now been out long enough that it seems safe to assume the change is OK; hence, back-patch into 9.0-9.3. (I also chose to back-patch some relevant comments added by commit 326e1d7, but did *not* change the server behavior; hence, pre-9.4 servers will continue to allow SSL v3, even though no remotely modern client will request it.) Per gripe from Jan Bilek.
1 parent 760e7ad commit 4dddf85

File tree

2 files changed

+17
-1
lines changed

src/backend/libpq/be-secure.c

Lines changed: 7 additions & 0 deletions
@@ -735,6 +735,13 @@ initialize_SSL(void)
735735
#endif
736736
SSL_library_init();
737737
SSL_load_error_strings();
738+
739+
/*
740+
* We use SSLv23_method() because it can negotiate use of the highest
741+
* mutually supported protocol version, while alternatives like
742+
* TLSv1_2_method() permit only one specific version. Note that we
743+
* don't actually allow SSL v2, only v3 and TLS protocols (see below).
744+
*/
738745
SSL_context = SSL_CTX_new(SSLv23_method());
739746
if (!SSL_context)
740747
ereport(FATAL,
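Review bot: the new server-side comment says "only v3 and TLS protocols (see below)", but nothing in this hunk restricts the protocol set; the SSLv23_method() context created at `SSL_context = SSL_CTX_new(SSLv23_method());` negotiates whatever the option bits later allow. Since the commit message states the server behavior is deliberately left unchanged in these branches (SSL v3 stays enabled, unlike the client side), it would help a reader of the back-patched code if the comment said so explicitly, e.g. that the v3-disabling option is intentionally not applied here, rather than only pointing "below".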

src/interfaces/libpq/fe-secure.c

Lines changed: 10 additions & 1 deletion
@@ -965,7 +965,13 @@ init_ssl_system(PGconn *conn)
965965
SSL_load_error_strings();
966966
}
967967

968-
SSL_context = SSL_CTX_new(TLSv1_method());
968+
/*
969+
* We use SSLv23_method() because it can negotiate use of the highest
970+
* mutually supported protocol version, while alternatives like
971+
* TLSv1_2_method() permit only one specific version. Note that we
972+
* don't actually allow SSL v2 or v3, only TLS protocols (see below).
973+
*/
974+
SSL_context = SSL_CTX_new(SSLv23_method());
969975
if (!SSL_context)
970976
{
971977
char *err = SSLerrmessage();
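Review bot: replacing `SSL_context = SSL_CTX_new(TLSv1_method());` with `SSL_CTX_new(SSLv23_method())` on its own widens the accepted protocol set rather than narrowing it; the comment's promise that "we don't actually allow SSL v2 or v3" is only honoured by the SSL_CTX_set_options call in the following hunk. That is fine as long as the two stay together, but the dependency is worth stating in the comment (naming the option call rather than just "see below") so that a later refactor of the error-handling block between them cannot drop the restriction without noticing.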
@@ -980,6 +986,9 @@ init_ssl_system(PGconn *conn)
980986
return -1;
981987
}
982988

989+
/* Disable old protocol versions */
990+
SSL_CTX_set_options(SSL_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
991+
983992
/*
984993
* Disable OpenSSL's moving-write-buffer sanity check, because it
985994
* causes unnecessary failures in nonblocking send cases.
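Review bot: the comment `/* Disable old protocol versions */` undersells what this line does; it is the single point that makes the SSLv23_method() switch safe on the client, so name the versions (SSL v2 and v3) and tie it back to the "(see below)" reference in the comment above SSL_CTX_new. Placing the call immediately after the SSL_CTX_new error check, before any connection is built on the context, is the right spot; the options are set once at context creation and apply to every connection derived from it.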
