From 9333174af47560677b62ae5025e4414f860a84a7 Mon Sep 17 00:00:00 2001 From: Daniel Gustafsson Date: Mon, 19 Aug 2024 12:55:11 +0200 Subject: [PATCH] Fix regression in TLS session ticket disabling Commit 274bbced disabled session tickets for TLSv1.3 on top of the already disabled TLSv1.2 session tickets, but accidentally caused a regression where TLSv1.2 session tickets were incorrectly sent. Fix by unconditionally disabling TLSv1.2 session tickets and only disable TLSv1.3 tickets when the right version of OpenSSL is used. Backpatch to all supported branches. Reported-by: Cameron Vogt Reported-by: Fire Emerald Reviewed-by: Jacob Champion Discussion: https://postgr.es/m/DM6PR16MB3145CF62857226F350C710D1AB852@DM6PR16MB3145.namprd16.prod.outlook.com Backpatch-through: v12 --- src/backend/libpq/be-secure-openssl.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 4e07ad8cd19..49803b37416 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -263,9 +263,8 @@ be_tls_init(bool isServerStart) */ #ifdef HAVE_SSL_CTX_SET_NUM_TICKETS SSL_CTX_set_num_tickets(context, 0); -#else - SSL_CTX_set_options(context, SSL_OP_NO_TICKET); #endif + SSL_CTX_set_options(context, SSL_OP_NO_TICKET); /* disallow SSL session caching, too */ SSL_CTX_set_session_cache_mode(context, SSL_SESS_CACHE_OFF);