Remove duplicate setting of SSL_OP_SINGLE_DH_USE option.

tglsfdc · tglsfdc · commit f352f91cbf2f · 2017-08-02T11:28:49.000-04:00
Commit c0a15e0 moved the setting of OpenSSL's SSL_OP_SINGLE_DH_USE option into a new subroutine initialize_dh(), but forgot to remove it from where it was. SSL_CTX_set_options() is a trivial function, amounting indeed to just "ctx->options |= op", hence there's no reason to contort the code or break separation of concerns to avoid calling it twice. So separating the DH setup from disabling of old protocol versions is a good change, but we need to finish the job. Noted while poking into the question of SSL session tickets.
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
@@ -286,9 +286,7 @@ be_tls_init(bool isServerStart)
 	}
 
 	/* disallow SSL v2/v3 */
-	SSL_CTX_set_options(context,
-						SSL_OP_SINGLE_DH_USE |
-						SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+	SSL_CTX_set_options(context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
 
 	/* set up ephemeral DH and ECDH keys */
 	if (!initialize_dh(context, isServerStart))

Original file line number	Diff line number	Diff line change
`@@ -286,9 +286,7 @@ be_tls_init(bool isServerStart)`
`286`	`286`	`}`
`287`	`287`
`288`	`288`	`/* disallow SSL v2/v3 */`
`289`		`- SSL_CTX_set_options(context,`
`290`		`- SSL_OP_SINGLE_DH_USE \|`
`291`		`- SSL_OP_NO_SSLv2 \| SSL_OP_NO_SSLv3);`
	`289`	`+ SSL_CTX_set_options(context, SSL_OP_NO_SSLv2 \| SSL_OP_NO_SSLv3);`
`292`	`290`
`293`	`291`	`/* set up ephemeral DH and ECDH keys */`
`294`	`292`	`if (!initialize_dh(context, isServerStart))`