diff options
| author | Daniel Gustafsson <dgustafsson@postgresql.org> | 2024-07-26 11:09:45 +0200 |
|---|---|---|
| committer | Daniel Gustafsson <dgustafsson@postgresql.org> | 2024-07-26 11:09:45 +0200 |
| commit | 118ec331bfb7c781c03613de22de015229535a3b (patch) | |
| tree | e3323b4122cf8ef634787f3a159f1847c26bc349 /src/backend | |
| parent | b7bc06f0cb5fb8add8ae4a79671f8a8611137531 (diff) | |
| download | postgresql-118ec331bfb7c781c03613de22de015229535a3b.tar.gz postgresql-118ec331bfb7c781c03613de22de015229535a3b.zip | |
Disable all TLS session tickets
OpenSSL supports two types of session tickets for TLSv1.3, stateless
and stateful. The option we've used only turns off stateless tickets
leaving stateful tickets active. Use the new API introduced in 1.1.1
to disable all types of tickets.
Backpatch to all supported versions.
Reviewed-by: Heikki Linnakangas <hlinnaka@iki.fi>
Reported-by: Andres Freund <andres@anarazel.de>
Discussion: https://postgr.es/m/20240617173803.6alnafnxpiqvlh3g@awork3.anarazel.de
Backpatch-through: v12
Diffstat (limited to 'src/backend')
| -rw-r--r-- | src/backend/libpq/be-secure-openssl.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 4c7e16ca2ca..ef1b65b443b 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -249,8 +249,20 @@ be_tls_init(bool isServerStart) } } - /* disallow SSL session tickets */ + /* + * Disallow SSL session tickets. OpenSSL use both stateful and stateless + * tickets for TLSv1.3, and stateless ticket for TLSv1.2. SSL_OP_NO_TICKET + * is available since 0.9.8f but only turns off stateless tickets. In + * order to turn off stateful tickets we need SSL_CTX_set_num_tickets, + * which is available since OpenSSL 1.1.1. LibreSSL 3.5.4 (from OpenBSD + * 7.1) introduced this API for compatibility, but doesn't support session + * tickets at all so it's a no-op there. + */ +#ifdef HAVE_SSL_CTX_SET_NUM_TICKETS + SSL_CTX_set_num_tickets(context, 0); +#else SSL_CTX_set_options(context, SSL_OP_NO_TICKET); +#endif /* disallow SSL session caching, too */ SSL_CTX_set_session_cache_mode(context, SSL_SESS_CACHE_OFF); |