Remove duplicate setting of SSL_OP_SINGLE_DH_USE option.

Commit c0a15e07 moved the setting of OpenSSL's SSL_OP_SINGLE_DH_USE option into a new subroutine initialize_dh(), but forgot to remove it from where it was. SSL_CTX_set_options() is a trivial function, amounting indeed to just "ctx->options |= op", hence there's no reason to contort the code or break separation of concerns to avoid calling it twice. So separating the DH setup from disabling of old protocol versions is a good change, but we need to finish the job. Noted while poking into the question of SSL session tickets.

Remove duplicate setting of SSL_OP_SINGLE_DH_USE option.
Commit c0a15e07 moved the setting of OpenSSL's SSL_OP_SINGLE_DH_USE option into a new subroutine initialize_dh(), but forgot to remove it from where it was. SSL_CTX_set_options() is a trivial function, amounting indeed to just "ctx->options |= op", hence there's no reason to contort the code or break separation of concerns to avoid calling it twice. So separating the DH setup from disabling of old protocol versions is a good change, but we need to finish the job. Noted while poking into the question of SSL session tickets.
f352f91c · Tom Lane · 41cefbb6 · f352f91c
Commit f352f91c authored Aug 02, 2017 by Tom Lane
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 3 deletions

src/backend/libpq/be-secure-openssl.c src/backend/libpq/be-secure-openssl.c +1 -3

No files found.
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -286,9 +286,7 @@ be_tls_init(bool isServerStart)
 	}

 	/* disallow SSL v2/v3 */
-	SSL_CTX_set_options(context,
-						SSL_OP_SINGLE_DH_USE |
-						SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+	SSL_CTX_set_options(context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);

 	/* set up ephemeral DH and ECDH keys */
 	if (!initialize_dh(context, isServerStart))