Skip to content

Commit 2c2c5f0

Browse files
tglsfdctglsfdc
committed
Back-patch libpq support for TLS versions beyond v1.
Since 7.3.2, libpq has been coded in such a way that the only SSL protocol it would allow was TLS v1. That approach is looking increasingly obsolete. In commit 820f08c we fixed it to allow TLS >= v1, but did not back-patch the change at the time, partly out of caution and partly because the question was confused by a contemporary server-side change to reject the now-obsolete SSL protocol v3. 9.4 has now been out long enough that it seems safe to assume the change is OK; hence, back-patch into 9.0-9.3. (I also chose to back-patch some relevant comments added by commit 326e1d7, but did *not* change the server behavior; hence, pre-9.4 servers will continue to allow SSL v3, even though no remotely modern client will request it.) Per gripe from Jan Bilek.
1 parent 5b461f2 commit 2c2c5f0

File tree

2 files changed

+17
-1
lines changed

2 files changed

+17
-1
lines changed

src/backend/libpq/be-secure.c

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -735,6 +735,13 @@ initialize_SSL(void)
735735
#endif
736736
SSL_library_init();
737737
SSL_load_error_strings();
738+
739+
/*
740+
* We use SSLv23_method() because it can negotiate use of the highest
741+
* mutually supported protocol version, while alternatives like
742+
* TLSv1_2_method() permit only one specific version. Note that we
743+
* don't actually allow SSL v2, only v3 and TLS protocols (see below).
744+
*/
738745
SSL_context = SSL_CTX_new(SSLv23_method());
739746
if (!SSL_context)
740747
ereport(FATAL,

src/interfaces/libpq/fe-secure.c

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -965,7 +965,13 @@ init_ssl_system(PGconn *conn)
965965
SSL_load_error_strings();
966966
}
967967

968-
SSL_context = SSL_CTX_new(TLSv1_method());
968+
/*
969+
* We use SSLv23_method() because it can negotiate use of the highest
970+
* mutually supported protocol version, while alternatives like
971+
* TLSv1_2_method() permit only one specific version. Note that we
972+
* don't actually allow SSL v2 or v3, only TLS protocols (see below).
973+
*/
974+
SSL_context = SSL_CTX_new(SSLv23_method());
969975
if (!SSL_context)
970976
{
971977
char *err = SSLerrmessage();
@@ -980,6 +986,9 @@ init_ssl_system(PGconn *conn)
980986
return -1;
981987
}
982988

989+
/* Disable old protocol versions */
990+
SSL_CTX_set_options(SSL_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
991+
983992
/*
984993
* Disable OpenSSL's moving-write-buffer sanity check, because it
985994
* causes unnecessary failures in nonblocking send cases.

0 commit comments

Comments
 (0)
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy