From 820f08cabdcbb8998050c3d4873e9619d6d8cba4 Mon Sep 17 00:00:00 2001 From: Noah Misch Date: Fri, 24 Jan 2014 19:29:06 -0500 Subject: [PATCH] libpq: Support TLS versions beyond TLSv1. Per report from Jeffrey Walton, libpq has been accepting only TLSv1 exactly. Along the lines of the backend code, libpq will now support new versions as OpenSSL adds them. Marko Kreen, reviewed by Wim Lewis. --- src/interfaces/libpq/fe-secure.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c index 4411d252552..7e7a4f9ff16 100644 --- a/src/interfaces/libpq/fe-secure.c +++ b/src/interfaces/libpq/fe-secure.c @@ -966,7 +966,11 @@ init_ssl_system(PGconn *conn) SSL_load_error_strings(); } - SSL_context = SSL_CTX_new(TLSv1_method()); + /* + * Only SSLv23_method() negotiates higher protocol versions; + * alternatives like TLSv1_2_method() permit one specific version. + */ + SSL_context = SSL_CTX_new(SSLv23_method()); if (!SSL_context) { char *err = SSLerrmessage(); @@ -981,6 +985,9 @@ init_ssl_system(PGconn *conn) return -1; } + /* Disable old protocol versions */ + SSL_CTX_set_options(SSL_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); + /* * Disable OpenSSL's moving-write-buffer sanity check, because it * causes unnecessary failures in nonblocking send cases.