git.postgresql.org Git - postgresql.git/commitdiff

libpq: Support TLS versions beyond TLSv1.
25 January 2014 00:29:06 +0000 (19:29 -0500)
Per report from Jeffrey Walton, libpq has been accepting only TLSv1
exactly. Along the lines of the backend code, libpq will now support
new versions as OpenSSL adds them.

Marko Kreen, reviewed by Wim Lewis.


diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c
index 4411d252552a5c60bf5b7a59299225d7a616bad4..7e7a4f9ff169c30623cd407852eb9b8f0c93df42 100644 (file)
--- a/src/interfaces/libpq/fe-secure.c
+++ b/src/interfaces/libpq/fe-secure.c
@@ -966,7 +966,11 @@ init_ssl_system(PGconn *conn)
SSL_load_error_strings();
}
- SSL_context = SSL_CTX_new(TLSv1_method());
+ /*
+ * Only SSLv23_method() negotiates higher protocol versions;
+ * alternatives like TLSv1_2_method() permit one specific version.
+ */
+ SSL_context = SSL_CTX_new(SSLv23_method());
if (!SSL_context)
{
char *err = SSLerrmessage();
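Review bot: the new comment above `SSL_context = SSL_CTX_new(SSLv23_method());` should also say that SSLv23_method() by itself negotiates SSLv2 and SSLv3 as well, and that the version floor is enforced separately by the `SSL_CTX_set_options(SSL_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` call added further down in init_ssl_system(); read on its own, this hunk suggests the method switch is complete. Suggest extending the comment with a line such as `* SSLv2 and SSLv3 are disabled with SSL_CTX_set_options() below.`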
@@ -981,6 +985,9 @@ init_ssl_system(PGconn *conn)
return -1;
}
+ /* Disable old protocol versions */
+ SSL_CTX_set_options(SSL_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+
/*
* Disable OpenSSL's moving-write-buffer sanity check, because it
* causes unnecessary failures in nonblocking send cases.
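Review bot: the comment `/* Disable old protocol versions */` should state the resulting floor explicitly, since the point of the change is that TLSv1.0 stays the minimum (matching the previous TLSv1_method() behaviour) while newer TLS versions become negotiable; consider `/* Disable SSLv2/SSLv3; TLSv1.0 and later remain negotiable */`. Placing the call after the `if (!SSL_context)` error return is correct, as SSL_CTX_set_options() must not be called on a NULL context, and because the options are only ever added to the context there is no later path in this function that re-enables SSLv3.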