mirrors
/
postgres
mirror of https://github.com/postgres/postgres
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

libpq: Support TLS versions beyond TLSv1. 

Per report from Jeffrey Walton, libpq has been accepting only TLSv1
exactly.  Along the lines of the backend code, libpq will now support
new versions as OpenSSL adds them.

Marko Kreen, reviewed by Wim Lewis.
This commit is contained in:
Noah Misch 2014-01-24 19:29:06 -05:00
parent 3a5313265d
commit 820f08cabd
1 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/interfaces/libpq/fe-secure.c
View File

@ -966,7 +966,11 @@ init_ssl_system(PGconn *conn)
SSL_load_error_strings();
}
SSL_context = SSL_CTX_new(TLSv1_method());
/*
* Only SSLv23_method() negotiates higher protocol versions;
* alternatives like TLSv1_2_method() permit one specific version.
*/
SSL_context = SSL_CTX_new(SSLv23_method());
if (!SSL_context)
{
char *err = SSLerrmessage();
@ -981,6 +985,9 @@ init_ssl_system(PGconn *conn)
return -1;
}
/* Disable old protocol versions */
SSL_CTX_set_options(SSL_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
/*
* Disable OpenSSL's moving-write-buffer sanity check, because it
* causes unnecessary failures in nonblocking send cases.