mirror of
				https://github.com/postgres/postgres.git
				synced 2025-10-25 13:17:41 +03:00 
			
		
		
		
	Disallow use of SSL v3 protocol in the server as well as in libpq.
Commit 820f08cabd claimed to make the server
and libpq handle SSL protocol versions identically, but actually the server
was still accepting SSL v3 protocol while libpq wasn't.  Per discussion,
SSL v3 is obsolete, and there's no good reason to continue to accept it.
So make the code really equivalent on both sides.  The behavior now is
that we use the highest mutually-supported TLS protocol version.
Marko Kreen, some comment-smithing by me
			
			
This commit is contained in:
		| @@ -822,6 +822,13 @@ initialize_SSL(void) | |||||||
| #endif | #endif | ||||||
| 		SSL_library_init(); | 		SSL_library_init(); | ||||||
| 		SSL_load_error_strings(); | 		SSL_load_error_strings(); | ||||||
|  |  | ||||||
|  | 		/* | ||||||
|  | 		 * We use SSLv23_method() because it can negotiate use of the highest | ||||||
|  | 		 * mutually supported protocol version, while alternatives like | ||||||
|  | 		 * TLSv1_2_method() permit only one specific version.  Note that we | ||||||
|  | 		 * don't actually allow SSL v2 or v3, only TLS protocols (see below). | ||||||
|  | 		 */ | ||||||
| 		SSL_context = SSL_CTX_new(SSLv23_method()); | 		SSL_context = SSL_CTX_new(SSLv23_method()); | ||||||
| 		if (!SSL_context) | 		if (!SSL_context) | ||||||
| 			ereport(FATAL, | 			ereport(FATAL, | ||||||
| @@ -880,9 +887,11 @@ initialize_SSL(void) | |||||||
| 							SSLerrmessage()))); | 							SSLerrmessage()))); | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	/* set up ephemeral DH keys, and disallow SSL v2 while at it */ | 	/* set up ephemeral DH keys, and disallow SSL v2/v3 while at it */ | ||||||
| 	SSL_CTX_set_tmp_dh_callback(SSL_context, tmp_dh_cb); | 	SSL_CTX_set_tmp_dh_callback(SSL_context, tmp_dh_cb); | ||||||
| 	SSL_CTX_set_options(SSL_context, SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2); | 	SSL_CTX_set_options(SSL_context, | ||||||
|  | 						SSL_OP_SINGLE_DH_USE | | ||||||
|  | 						SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); | ||||||
|  |  | ||||||
| 	/* set up ephemeral ECDH keys */ | 	/* set up ephemeral ECDH keys */ | ||||||
| 	initialize_ecdh(); | 	initialize_ecdh(); | ||||||
|   | |||||||
| @@ -967,8 +967,10 @@ init_ssl_system(PGconn *conn) | |||||||
| 		} | 		} | ||||||
|  |  | ||||||
| 		/* | 		/* | ||||||
| 		 * Only SSLv23_method() negotiates higher protocol versions; | 		 * We use SSLv23_method() because it can negotiate use of the highest | ||||||
| 		 * alternatives like TLSv1_2_method() permit one specific version. | 		 * mutually supported protocol version, while alternatives like | ||||||
|  | 		 * TLSv1_2_method() permit only one specific version.  Note that we | ||||||
|  | 		 * don't actually allow SSL v2 or v3, only TLS protocols (see below). | ||||||
| 		 */ | 		 */ | ||||||
| 		SSL_context = SSL_CTX_new(SSLv23_method()); | 		SSL_context = SSL_CTX_new(SSLv23_method()); | ||||||
| 		if (!SSL_context) | 		if (!SSL_context) | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user