Commit 118ec33

Disable all TLS session tickets
OpenSSL supports two types of session tickets for TLSv1.3, stateless
and stateful. The option we've used only turns off stateless tickets
leaving stateful tickets active. Use the new API introduced in 1.1.1
to disable all types of tickets.

Backpatch to all supported versions.

Reviewed-by: Heikki Linnakangas <hlinnaka@iki.fi>
Reported-by: Andres Freund <andres@anarazel.de>
Discussion: https://postgr.es/m/20240617173803.6alnafnxpiqvlh3g@awork3.anarazel.de
Backpatch-through: v12
1 parent b7bc06f, commit 118ec33

4 files changed: +22 −6 lines changed

configure

Lines changed: 5 additions & 4 deletions
@@ -13310,12 +13310,13 @@ fi
1331013310
done
1331113311

1331213312
# Function introduced in OpenSSL 1.1.1.
13313-
for ac_func in X509_get_signature_info
13313+
for ac_func in X509_get_signature_info SSL_CTX_set_num_tickets
1331413314
do :
13315-
ac_fn_c_check_func "$LINENO" "X509_get_signature_info" "ac_cv_func_X509_get_signature_info"
13316-
if test "x$ac_cv_func_X509_get_signature_info" = xyes; then :
13315+
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
13316+
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
13317+
if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
1331713318
cat >>confdefs.h <<_ACEOF
13318-
#defineHAVE_X509_GET_SIGNATURE_INFO 1
13319+
#define`$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
1331913320
_ACEOF
1332013321

1332113322
fi
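Review bot: the generated configure output here must come from re-running autoconf on the configure.ac change rather than from hand edits, otherwise the two files drift apart on the next regeneration. Since the loop now derives its macro name from `$as_echo "HAVE_$ac_func" | $as_tr_cpp` instead of the literal `HAVE_X509_GET_SIGNATURE_INFO`, it is worth confirming once on a 1.1.1+ build that confdefs.h ends up with both `HAVE_X509_GET_SIGNATURE_INFO 1` and `HAVE_SSL_CTX_SET_NUM_TICKETS 1`, as the C hunk in this commit depends on the latter spelling.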

configure.ac

Lines changed: 1 addition & 1 deletion
@@ -1359,7 +1359,7 @@ if test "$with_ssl" = openssl ; then
13591359
# function was removed.
13601360
AC_CHECK_FUNCS([CRYPTO_lock])
13611361
# Function introduced in OpenSSL 1.1.1.
1362-
AC_CHECK_FUNCS([X509_get_signature_info])
1362+
AC_CHECK_FUNCS([X509_get_signature_info SSL_CTX_set_num_tickets])
13631363
AC_DEFINE([USE_OPENSSL],1,[Define to 1 to build with OpenSSL support. (--with-ssl=openssl)])
13641364
elif test "$with_ssl" != no ; then
13651365
AC_MSG_ERROR([--with-ssl must specify openssl])
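Review bot: the unchanged comment `# Function introduced in OpenSSL 1.1.1.` directly above the modified `AC_CHECK_FUNCS` line now describes two functions and should read `# Functions introduced in OpenSSL 1.1.1.`. It would also help to note in that comment that this is only a link test: the be-secure-openssl.c comment in the same commit says LibreSSL 3.5.4 exports `SSL_CTX_set_num_tickets` as a no-op, so `HAVE_SSL_CTX_SET_NUM_TICKETS` being defined means the symbol exists, not that the build's library actually honours it.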

src/backend/libpq/be-secure-openssl.c

Lines changed: 13 additions & 1 deletion
@@ -249,8 +249,20 @@ be_tls_init(bool isServerStart)
249249
}
250250
}
251251

252-
/* disallow SSL session tickets */
252+
/*
253+
* Disallow SSL session tickets. OpenSSL use both stateful and stateless
254+
* tickets for TLSv1.3, and stateless ticket for TLSv1.2. SSL_OP_NO_TICKET
255+
* is available since 0.9.8f but only turns off stateless tickets. In
256+
* order to turn off stateful tickets we need SSL_CTX_set_num_tickets,
257+
* which is available since OpenSSL 1.1.1. LibreSSL 3.5.4 (from OpenBSD
258+
* 7.1) introduced this API for compatibility, but doesn't support session
259+
* tickets at all so it's a no-op there.
260+
*/
261+
#ifdefHAVE_SSL_CTX_SET_NUM_TICKETS
262+
SSL_CTX_set_num_tickets(context,0);
263+
#else
253264
SSL_CTX_set_options(context,SSL_OP_NO_TICKET);
265+
#endif
254266

255267
/* disallow SSL session caching, too */
256268
SSL_CTX_set_session_cache_mode(context,SSL_SESS_CACHE_OFF);
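Review bot: the `#ifdef HAVE_SSL_CTX_SET_NUM_TICKETS` / `#else` structure replaces the `SSL_OP_NO_TICKET` call on OpenSSL 1.1.1+ instead of adding to it, which contradicts the new comment's own description: it says OpenSSL uses stateless tickets for TLSv1.2 and that `SSL_OP_NO_TICKET` is what turns stateless tickets off, while `SSL_CTX_set_num_tickets` is needed for the stateful ones. On a 1.1.1+ build the option is therefore no longer set, so nothing in this block covers stateless TLSv1.2 tickets. Suggest keeping `SSL_CTX_set_options(context, SSL_OP_NO_TICKET);` unconditional and calling `SSL_CTX_set_num_tickets(context, 0);` in addition under the `#ifdef`, so both kinds are disabled regardless of negotiated protocol version. Two small grammar fixes in the comment while here: "OpenSSL use both" should be "OpenSSL uses both", and "stateless ticket for TLSv1.2" should be "stateless tickets for TLSv1.2".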

src/include/pg_config.h.in

Lines changed: 3 additions & 0 deletions
@@ -721,6 +721,9 @@
721721
/* Define to 1 if you have the `X509_get_signature_nid' function. */
722722
#undef HAVE_X509_GET_SIGNATURE_NID
723723

724+
/* Define to 1 if you have the `SSL_CTX_set_num_tickets' function. */
725+
#undef HAVE_SSL_CTX_SET_NUM_TICKETS
726+
724727
/* Define to 1 if the assembler supports X86_64's POPCNTQ instruction. */
725728
#undef HAVE_X86_64_POPCNTQ
726729
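Review bot: the new `HAVE_SSL_CTX_SET_NUM_TICKETS` block is inserted between `HAVE_X509_GET_SIGNATURE_NID` and `HAVE_X86_64_POPCNTQ`, which breaks the alphabetical order autoheader keeps in this file (`SSL_CTX_...` sorts before `X509_...`). Regenerating pg_config.h.in with autoheader rather than editing it by hand would place the entry in its proper position and avoid a spurious reorder in the next unrelated regeneration.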
