authorNoah Misch <noah@leadboat.com>2014-01-24 19:29:06 -0500
committerNoah Misch <noah@leadboat.com>2014-01-24 19:29:06 -0500
commit820f08cabdcbb8998050c3d4873e9619d6d8cba4 (patch)
tree77bf0ebe78b618ba5ae9203ce8158d2d7ce88779
parent3a5313265d53322519b5edce018ebdea14062bf9 (diff)
libpq: Support TLS versions beyond TLSv1.
Per report from Jeffrey Walton, libpq has been accepting only TLSv1 exactly. Along the lines of the backend code, libpq will now support new versions as OpenSSL adds them. Marko Kreen, reviewed by Wim Lewis.
-rw-r--r--src/interfaces/libpq/fe-secure.c9
1 files changed, 8 insertions, 1 deletions
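--- a/src/interfaces/libpq/fe-secure.c
+++ b/src/interfaces/libpq/fe-secure.c
@@ -966,7 +966,11 @@ init_ssl_system(PGconn *conn)
 SSL_load_error_strings();
 }
-SSL_context = SSL_CTX_new(TLSv1_method());
+/*
+* Only SSLv23_method() negotiates higher protocol versions;
+* alternatives like TLSv1_2_method() permit one specific version.
+*/
+SSL_context = SSL_CTX_new(SSLv23_method());
 if (!SSL_context)
 {
 char *err = SSLerrmessage();
@@ -981,6 +985,9 @@ init_ssl_system(PGconn *conn)
 return -1;
 }
+/* Disable old protocol versions */
+SSL_CTX_set_options(SSL_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+
 /*
 * Disable OpenSSL's moving-write-buffer sanity check, because it
 * causes unnecessary failures in nonblocking send cases.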
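Review bot: With SSLv23_method() the accepted protocol floor is now decided solely by the option mask set in this hunk, so the comment on the SSL_CTX_set_options call should state what remains negotiable; `/* Disable old protocol versions; TLSv1.0 and later stay negotiable */`. Raising the floor later means extending this mask (SSL_OP_NO_TLSv1 is the next flag) rather than switching back to a version-specific method, and the comment in the first hunk would read better if it pointed to this call so the two spots are understood together. SSL_CTX_set_options returns the resulting option bitmask rather than an error code, so leaving its return value unchecked is fine. init_ssl_system's body begins before the first hunk and continues past this one.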