NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commitcc606af

committed

Disable all TLS session tickets

OpenSSL supports two types of session tickets for TLSv1.3, statelessand stateful. The option we've used only turns off stateless ticketsleaving stateful tickets active. Use the new API introduced in 1.1.1to disable all types of tickets.Backpatch to all supported versions.Reviewed-by: Heikki Linnakangas <hlinnaka@iki.fi>Reported-by: Andres Freund <andres@anarazel.de>Discussion:https://postgr.es/m/20240617173803.6alnafnxpiqvlh3g@awork3.anarazel.deBackpatch-through: v12

1 parent67ab6ed commitcc606afCopy full SHA for cc606af

File tree

5 files changed

+23

-6

lines changed

configure
configure.ac
meson.build
src
- backend/libpq
  - be-secure-openssl.c
- include
  - pg_config.h.in

5 files changed

+23

-6

lines changed

`‎configure`

Lines changed: 5 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -13009,12 +13009,13 @@ fi`
`13009`	`13009`	`done`
`13010`	`13010`
`13011`	`13011`	`# Function introduced in OpenSSL 1.1.1.`
`13012`		`- for ac_func in X509_get_signature_info`
	`13012`	`+ for ac_func in X509_get_signature_info SSL_CTX_set_num_tickets`
`13013`	`13013`	`do :`
`13014`		`- ac_fn_c_check_func "$LINENO" "X509_get_signature_info" "ac_cv_func_X509_get_signature_info"`
`13015`		`-if test "x$ac_cv_func_X509_get_signature_info" = xyes; then :`
	`13014`	+ as_ac_var=`$as_echo "ac_cv_func_$ac_func" \| $as_tr_sh`
	`13015`	`+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"`
	`13016`	`+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :`
`13016`	`13017`	`cat >>confdefs.h <<_ACEOF`
`13017`		`-#defineHAVE_X509_GET_SIGNATURE_INFO 1`
	`13018`	+#define`$as_echo "HAVE_$ac_func" \| $as_tr_cpp` 1
`13018`	`13019`	`_ACEOF`
`13019`	`13020`
`13020`	`13021`	`fi`

`‎configure.ac`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1391,7 +1391,7 @@ if test "$with_ssl" = openssl ; then`
`1391`	`1391`	`# function was removed.`
`1392`	`1392`	`AC_CHECK_FUNCS([CRYPTO_lock])`
`1393`	`1393`	`# Function introduced in OpenSSL 1.1.1.`
`1394`		`-AC_CHECK_FUNCS([X509_get_signature_info])`
	`1394`	`+AC_CHECK_FUNCS([X509_get_signature_info SSL_CTX_set_num_tickets])`
`1395`	`1395`	`AC_DEFINE([USE_OPENSSL],1,[Define to 1 to build with OpenSSL support. (--with-ssl=openssl)])`
`1396`	`1396`	`elif test "$with_ssl" != no ; then`
`1397`	`1397`	`AC_MSG_ERROR([--with-ssl must specify openssl])`

`‎meson.build`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1369,6 +1369,7 @@ if sslopt in ['auto', 'openssl']`
`1369`	`1369`
`1370`	`1370`	`# Function introduced in OpenSSL 1.1.1`
`1371`	`1371`	`['X509_get_signature_info'],`
	`1372`	`+ ['SSL_CTX_set_num_tickets'],`
`1372`	`1373`	`]`
`1373`	`1374`
`1374`	`1375`	`are_openssl_funcs_complete=true`

`‎src/backend/libpq/be-secure-openssl.c`

Lines changed: 13 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -252,8 +252,20 @@ be_tls_init(bool isServerStart)`
`252`	`252`	`}`
`253`	`253`	`}`
`254`	`254`
`255`		`-/* disallow SSL session tickets */`
	`255`	`+/*`
	`256`	`+ * Disallow SSL session tickets. OpenSSL use both stateful and stateless`
	`257`	`+ * tickets for TLSv1.3, and stateless ticket for TLSv1.2. SSL_OP_NO_TICKET`
	`258`	`+ * is available since 0.9.8f but only turns off stateless tickets. In`
	`259`	`+ * order to turn off stateful tickets we need SSL_CTX_set_num_tickets,`
	`260`	`+ * which is available since OpenSSL 1.1.1. LibreSSL 3.5.4 (from OpenBSD`
	`261`	`+ * 7.1) introduced this API for compatibility, but doesn't support session`
	`262`	`+ * tickets at all so it's a no-op there.`
	`263`	`+ */`
	`264`	`+#ifdefHAVE_SSL_CTX_SET_NUM_TICKETS`
	`265`	`+SSL_CTX_set_num_tickets(context,0);`
	`266`	`+#else`
`256`	`267`	`SSL_CTX_set_options(context,SSL_OP_NO_TICKET);`
	`268`	`+#endif`
`257`	`269`
`258`	`270`	`/* disallow SSL session caching, too */`
`259`	`271`	`SSL_CTX_set_session_cache_mode(context,SSL_SESS_CACHE_OFF);`

`‎src/include/pg_config.h.in`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -529,6 +529,9 @@`
`529`	`529`	/* Define to 1 if you have the `X509_get_signature_nid' function. */
`530`	`530`	`#undef HAVE_X509_GET_SIGNATURE_NID`
`531`	`531`
	`532`	+/* Define to 1 if you have the `SSL_CTX_set_num_tickets' function. */
	`533`	`+#undef HAVE_SSL_CTX_SET_NUM_TICKETS`
	`534`	`+`
`532`	`535`	`/* Define to 1 if the assembler supports X86_64's POPCNTQ instruction. */`
`533`	`536`	`#undef HAVE_X86_64_POPCNTQ`
`534`	`537`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitcc606af

File tree

5 files changed

5 files changed

`‎configure`

`‎configure.ac`

`‎meson.build`

`‎src/backend/libpq/be-secure-openssl.c`

`‎src/include/pg_config.h.in`

0 commit comments