libpq: Support TLS versions beyond TLSv1.

Per report from Jeffrey Walton, libpq has been accepting only TLSv1 exactly. Along the lines of the backend code, libpq will now support new versions as OpenSSL adds them. Marko Kreen, reviewed by Wim Lewis.

libpq: Support TLS versions beyond TLSv1.
Per report from Jeffrey Walton, libpq has been accepting only TLSv1 exactly. Along the lines of the backend code, libpq will now support new versions as OpenSSL adds them. Marko Kreen, reviewed by Wim Lewis.
820f08ca · Noah Misch · 3a531326 · 820f08ca
Commit 820f08ca authored Jan 24, 2014 by Noah Misch
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 1 deletion

src/interfaces/libpq/fe-secure.c src/interfaces/libpq/fe-secure.c +8 -1

No files found.
--- a/src/interfaces/libpq/fe-secure.c
+++ b/src/interfaces/libpq/fe-secure.c
@@ -966,7 +966,11 @@ init_ssl_system(PGconn *conn)
 			SSL_load_error_strings();
 		}

-		SSL_context = SSL_CTX_new(TLSv1_method());
+		/*
+		 * Only SSLv23_method() negotiates higher protocol versions;
+		 * alternatives like TLSv1_2_method() permit one specific version.
+		 */
+		SSL_context = SSL_CTX_new(SSLv23_method());
 		if (!SSL_context)
 		{
 			char	   *err = SSLerrmessage();
@@ -981,6 +985,9 @@ init_ssl_system(PGconn *conn)
 			return -1;
 		}

+		/* Disable old protocol versions */
+		SSL_CTX_set_options(SSL_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+
 		/*
 		 * Disable OpenSSL's moving-write-buffer sanity check, because it
 		 * causes unnecessary failures in nonblocking send cases.