Skip to content

Commit c6b7b9a

Browse files
tglsfdctglsfdc
committed
Back-patch libpq support for TLS versions beyond v1.
Since 7.3.2, libpq has been coded in such a way that the only SSL protocol it would allow was TLS v1. That approach is looking increasingly obsolete. In commit 820f08c we fixed it to allow TLS >= v1, but did not back-patch the change at the time, partly out of caution and partly because the question was confused by a contemporary server-side change to reject the now-obsolete SSL protocol v3. 9.4 has now been out long enough that it seems safe to assume the change is OK; hence, back-patch into 9.0-9.3. (I also chose to back-patch some relevant comments added by commit 326e1d7, but did *not* change the server behavior; hence, pre-9.4 servers will continue to allow SSL v3, even though no remotely modern client will request it.) Per gripe from Jan Bilek.
1 parent 70f2e3e commit c6b7b9a

File tree

2 files changed

+17
-1
lines changed

2 files changed

+17
-1
lines changed

src/backend/libpq/be-secure.c

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -735,6 +735,13 @@ initialize_SSL(void)
735735
#endif
736736
SSL_library_init();
737737
SSL_load_error_strings();
738+
739+
/*
740+
* We use SSLv23_method() because it can negotiate use of the highest
741+
* mutually supported protocol version, while alternatives like
742+
* TLSv1_2_method() permit only one specific version. Note that we
743+
* don't actually allow SSL v2, only v3 and TLS protocols (see below).
744+
*/
738745
SSL_context = SSL_CTX_new(SSLv23_method());
739746
if (!SSL_context)
740747
ereport(FATAL,

src/interfaces/libpq/fe-secure.c

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -966,7 +966,13 @@ init_ssl_system(PGconn *conn)
966966
SSL_load_error_strings();
967967
}
968968

969-
SSL_context = SSL_CTX_new(TLSv1_method());
969+
/*
970+
* We use SSLv23_method() because it can negotiate use of the highest
971+
* mutually supported protocol version, while alternatives like
972+
* TLSv1_2_method() permit only one specific version. Note that we
973+
* don't actually allow SSL v2 or v3, only TLS protocols (see below).
974+
*/
975+
SSL_context = SSL_CTX_new(SSLv23_method());
970976
if (!SSL_context)
971977
{
972978
char *err = SSLerrmessage();
@@ -981,6 +987,9 @@ init_ssl_system(PGconn *conn)
981987
return -1;
982988
}
983989

990+
/* Disable old protocol versions */
991+
SSL_CTX_set_options(SSL_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
992+
984993
/*
985994
* Disable OpenSSL's moving-write-buffer sanity check, because it
986995
* causes unnecessary failures in nonblocking send cases.

0 commit comments

Comments
 (0)
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy