Diffstat (limited to 'src')
-rw-r--r--src/backend/libpq/be-secure-openssl.c15
1 files changed, 10 insertions, 5 deletions
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 29c9af1aabf..55b2cad7459 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -267,15 +267,20 @@ be_tls_init(bool isServerStart)
/* disallow SSL compression */
SSL_CTX_set_options(context, SSL_OP_NO_COMPRESSION);
-#ifdef SSL_OP_NO_RENEGOTIATION
-
/*
- * Disallow SSL renegotiation, option available since 1.1.0h. This
- * concerns only TLSv1.2 and older protocol versions, as TLSv1.3 has no
- * support for renegotiation.
+ * Disallow SSL renegotiation. This concerns only TLSv1.2 and older
+ * protocol versions, as TLSv1.3 has no support for renegotiation.
+ * SSL_OP_NO_RENEGOTIATION is available in OpenSSL since 1.1.0h (via a
+ * backport from 1.1.1). SSL_OP_NO_CLIENT_RENEGOTIATION is available in
+ * LibreSSL since 2.5.1 disallowing all client-initiated renegotiation
+ * (this is usually on by default).
*/
+#ifdef SSL_OP_NO_RENEGOTIATION
SSL_CTX_set_options(context, SSL_OP_NO_RENEGOTIATION);
#endif
+#ifdef SSL_OP_NO_CLIENT_RENEGOTIATION
+ SSL_CTX_set_options(context, SSL_OP_NO_CLIENT_RENEGOTIATION);
+#endif
/* set up ephemeral DH and ECDH keys */
if (!initialize_dh(context, isServerStart))
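Review bot: When a library defines neither SSL_OP_NO_RENEGOTIATION nor SSL_OP_NO_CLIENT_RENEGOTIATION (per the new comment, OpenSSL older than 1.1.0h), both guarded SSL_CTX_set_options calls compile away and renegotiation stays enabled for TLSv1.2 and older with nothing in the code marking that outcome. A third guard that only carries a comment would make the gap visible to the next reader, e.g. `#if !defined(SSL_OP_NO_RENEGOTIATION) && !defined(SSL_OP_NO_CLIENT_RENEGOTIATION)` followed by `/* neither option exists here: renegotiation cannot be disabled on this library */` and `#endif`. The parenthetical "(this is usually on by default)" in the new comment also does not say what "this" refers to; if it means LibreSSL already enables SSL_OP_NO_CLIENT_RENEGOTIATION, it presumably should say so and add that setting it here makes the policy explicit rather than relying on the default. be_tls_init continues outside the hunk.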