NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit4dddf85

committed

Back-patch libpq support for TLS versions beyond v1.

Since 7.3.2, libpq has been coded in such a way that the only SSL protocolit would allow was TLS v1. That approach is looking increasingly obsolete.In commit820f08c we fixed it to allow TLS >= v1, but did notback-patch the change at the time, partly out of caution and partly becausethe question was confused by a contemporary server-side change to rejectthe now-obsolete SSL protocol v3. 9.4 has now been out long enough thatit seems safe to assume the change is OK; hence, back-patch into 9.0-9.3.(I also chose to back-patch some relevant comments added by commit326e1d7, but did *not* change the server behavior; hence, pre-9.4servers will continue to allow SSL v3, even though no remotely modernclient will request it.)Per gripe from Jan Bilek.

1 parent760e7ad commit4dddf85Copy full SHA for 4dddf85

File tree

2 files changed

+17

-1

lines changed

src
- backend/libpq
  - be-secure.c
- interfaces/libpq
  - fe-secure.c

2 files changed

+17

-1

lines changed

`‎src/backend/libpq/be-secure.c‎`

Lines changed: 7 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -735,6 +735,13 @@ initialize_SSL(void)`
`735`	`735`	`#endif`
`736`	`736`	`SSL_library_init();`
`737`	`737`	`SSL_load_error_strings();`
	`738`	`+`
	`739`	`+/*`
	`740`	`+ * We use SSLv23_method() because it can negotiate use of the highest`
	`741`	`+ * mutually supported protocol version, while alternatives like`
	`742`	`+ * TLSv1_2_method() permit only one specific version. Note that we`
	`743`	`+ * don't actually allow SSL v2, only v3 and TLS protocols (see below).`
	`744`	`+ */`
`738`	`745`	`SSL_context=SSL_CTX_new(SSLv23_method());`
`739`	`746`	`if (!SSL_context)`
`740`	`747`	`ereport(FATAL,`

`‎src/interfaces/libpq/fe-secure.c‎`

Lines changed: 10 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -965,7 +965,13 @@ init_ssl_system(PGconn *conn)`
`965`	`965`	`SSL_load_error_strings();`
`966`	`966`	`}`
`967`	`967`
`968`		`-SSL_context=SSL_CTX_new(TLSv1_method());`
	`968`	`+/*`
	`969`	`+ * We use SSLv23_method() because it can negotiate use of the highest`
	`970`	`+ * mutually supported protocol version, while alternatives like`
	`971`	`+ * TLSv1_2_method() permit only one specific version. Note that we`
	`972`	`+ * don't actually allow SSL v2 or v3, only TLS protocols (see below).`
	`973`	`+ */`
	`974`	`+SSL_context=SSL_CTX_new(SSLv23_method());`
`969`	`975`	`if (!SSL_context)`
`970`	`976`	`{`
`971`	`977`	`char*err=SSLerrmessage();`
`@@ -980,6 +986,9 @@ init_ssl_system(PGconn *conn)`
`980`	`986`	`return-1;`
`981`	`987`	`}`
`982`	`988`
	`989`	`+/* Disable old protocol versions */`
	`990`	`+SSL_CTX_set_options(SSL_context,SSL_OP_NO_SSLv2 \|SSL_OP_NO_SSLv3);`
	`991`	`+`
`983`	`992`	`/*`
`984`	`993`	`* Disable OpenSSL's moving-write-buffer sanity check, because it`
`985`	`994`	`* causes unnecessary failures in nonblocking send cases.`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit4dddf85

File tree

2 files changed

2 files changed

`‎src/backend/libpq/be-secure.c‎`

`‎src/interfaces/libpq/fe-secure.c‎`

0 commit comments