NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit44e27f0

committed

Support disallowing SSL renegotiation when using LibreSSL

LibreSSL doesn't support the SSL_OP_NO_RENEGOTIATION macro which isused by OpenSSL, instead it has invented a similar one for client-side renegotiation: SSL_OP_NO_CLIENT_RENEGOTIATION. This has beensupported since LibreSSL 2.5.1 which by now can be considered wellbelow the minimum requirement.Reviewed-by: Peter Eisentraut <peter@eisentraut.org>Reviewed-by: Michael Paquier <michael@paquier.xyz>Discussion:https://postgr.es/m/eac70d46-e61c-4d71-a1e1-78e2bfa19485@eisentraut.org

1 parent91d6429 commit44e27f0Copy full SHA for 44e27f0

File tree

1 file changed

+10

-5

lines changed

src/backend/libpq
- be-secure-openssl.c

1 file changed

+10

-5

lines changed

`‎src/backend/libpq/be-secure-openssl.c`

Lines changed: 10 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -267,15 +267,20 @@ be_tls_init(bool isServerStart)`
`267`	`267`	`/* disallow SSL compression */`
`268`	`268`	`SSL_CTX_set_options(context,SSL_OP_NO_COMPRESSION);`
`269`	`269`
`270`		`-#ifdefSSL_OP_NO_RENEGOTIATION`
`271`		`-`
`272`	`270`	`/*`
`273`		`- * Disallow SSL renegotiation, option available since 1.1.0h. This`
`274`		`- * concerns only TLSv1.2 and older protocol versions, as TLSv1.3 has no`
`275`		`- * support for renegotiation.`
	`271`	`+ * Disallow SSL renegotiation. This concerns only TLSv1.2 and older`
	`272`	`+ * protocol versions, as TLSv1.3 has no support for renegotiation.`
	`273`	`+ * SSL_OP_NO_RENEGOTIATION is available in OpenSSL since 1.1.0h (via a`
	`274`	`+ * backport from 1.1.1). SSL_OP_NO_CLIENT_RENEGOTIATION is available in`
	`275`	`+ * LibreSSL since 2.5.1 disallowing all client-initiated renegotiation`
	`276`	`+ * (this is usually on by default).`
`276`	`277`	`*/`
	`278`	`+#ifdefSSL_OP_NO_RENEGOTIATION`
`277`	`279`	`SSL_CTX_set_options(context,SSL_OP_NO_RENEGOTIATION);`
`278`	`280`	`#endif`
	`281`	`+#ifdefSSL_OP_NO_CLIENT_RENEGOTIATION`
	`282`	`+SSL_CTX_set_options(context,SSL_OP_NO_CLIENT_RENEGOTIATION);`
	`283`	`+#endif`
`279`	`284`
`280`	`285`	`/* set up ephemeral DH and ECDH keys */`
`281`	`286`	`if (!initialize_dh(context,isServerStart))`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit44e27f0

File tree

1 file changed

1 file changed

`‎src/backend/libpq/be-secure-openssl.c`

0 commit comments