database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-11-03 09:13:20 +03:00
Code Activity

Back-patch libpq support for TLS versions beyond v1.

Browse Source 
Since 7.3.2, libpq has been coded in such a way that the only SSL protocol
it would allow was TLS v1.  That approach is looking increasingly obsolete.
In commit 820f08cabd we fixed it to allow TLS >= v1, but did not
back-patch the change at the time, partly out of caution and partly because
the question was confused by a contemporary server-side change to reject
the now-obsolete SSL protocol v3.  9.4 has now been out long enough that
it seems safe to assume the change is OK; hence, back-patch into 9.0-9.3.

(I also chose to back-patch some relevant comments added by commit
326e1d73c4, but did *not* change the server behavior; hence, pre-9.4
servers will continue to allow SSL v3, even though no remotely modern
client will request it.)

Per gripe from Jan Bilek.
This commit is contained in:
Tom Lane
2015-05-21 20:41:55 -04:00
parent 5b461f239e
commit 2c2c5f0e02
2 changed files with 17 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/backend/libpq/be-secure.c
View File

@@ -735,6 +735,13 @@ initialize_SSL(void)
#endif #endif
SSL_library_init(); SSL_library_init();
SSL_load_error_strings(); SSL_load_error_strings();
/*
* We use SSLv23_method() because it can negotiate use of the highest
* mutually supported protocol version, while alternatives like
* TLSv1_2_method() permit only one specific version. Note that we
* don't actually allow SSL v2, only v3 and TLS protocols (see below).
*/
SSL_context = SSL_CTX_new(SSLv23_method()); SSL_context = SSL_CTX_new(SSLv23_method());
if (!SSL_context) if (!SSL_context)
ereport(FATAL, ereport(FATAL,

11
src/interfaces/libpq/fe-secure.c
View File

@@ -965,7 +965,13 @@ init_ssl_system(PGconn *conn)
SSL_load_error_strings(); SSL_load_error_strings();
} }
SSL_context = SSL_CTX_new(TLSv1_method()); /*
* We use SSLv23_method() because it can negotiate use of the highest
* mutually supported protocol version, while alternatives like
* TLSv1_2_method() permit only one specific version. Note that we
* don't actually allow SSL v2 or v3, only TLS protocols (see below).
*/
SSL_context = SSL_CTX_new(SSLv23_method());
if (!SSL_context) if (!SSL_context)
{ {
char *err = SSLerrmessage(); char *err = SSLerrmessage();
@@ -980,6 +986,9 @@ init_ssl_system(PGconn *conn)
return -1; return -1;
} }
/* Disable old protocol versions */
SSL_CTX_set_options(SSL_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
/* /*
* Disable OpenSSL's moving-write-buffer sanity check, because it * Disable OpenSSL's moving-write-buffer sanity check, because it
* causes unnecessary failures in nonblocking send cases. * causes unnecessary failures in nonblocking send cases.