From: Noah Misch <noah@leadboat.com>
Date: Sat, 25 Jan 2014 00:29:06 +0000 (-0500)
Subject: libpq: Support TLS versions beyond TLSv1.
X-Git-Tag: REL9_4_BETA1~624
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=820f08cabdcbb8998050c3d4873e9619d6d8cba4;p=postgresql

libpq: Support TLS versions beyond TLSv1.

Per report from Jeffrey Walton, libpq has been accepting only TLSv1
exactly.  Along the lines of the backend code, libpq will now support
new versions as OpenSSL adds them.

Marko Kreen, reviewed by Wim Lewis.
---

diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c
index 4411d25255..7e7a4f9ff1 100644
--- a/src/interfaces/libpq/fe-secure.c
+++ b/src/interfaces/libpq/fe-secure.c
@@ -966,7 +966,11 @@ init_ssl_system(PGconn *conn)
 			SSL_load_error_strings();
 		}
 
-		SSL_context = SSL_CTX_new(TLSv1_method());
+		/*
+		 * Only SSLv23_method() negotiates higher protocol versions;
+		 * alternatives like TLSv1_2_method() permit one specific version.
+		 */
+		SSL_context = SSL_CTX_new(SSLv23_method());
 		if (!SSL_context)
 		{
 			char	   *err = SSLerrmessage();
@@ -981,6 +985,9 @@ init_ssl_system(PGconn *conn)
 			return -1;
 		}
 
+		/* Disable old protocol versions */
+		SSL_CTX_set_options(SSL_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+
 		/*
 		 * Disable OpenSSL's moving-write-buffer sanity check, because it
 		 * causes unnecessary failures in nonblocking send cases.