From f352f91cbf2f662c4f043d3650010b02da0cde1c Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Wed, 2 Aug 2017 11:28:46 -0400 Subject: [PATCH] Remove duplicate setting of SSL_OP_SINGLE_DH_USE option. Commit c0a15e07c moved the setting of OpenSSL's SSL_OP_SINGLE_DH_USE option into a new subroutine initialize_dh(), but forgot to remove it from where it was. SSL_CTX_set_options() is a trivial function, amounting indeed to just "ctx->options |= op", hence there's no reason to contort the code or break separation of concerns to avoid calling it twice. So separating the DH setup from disabling of old protocol versions is a good change, but we need to finish the job. Noted while poking into the question of SSL session tickets. --- src/backend/libpq/be-secure-openssl.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index dc307c101f..694f76afa6 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -286,9 +286,7 @@ be_tls_init(bool isServerStart) } /* disallow SSL v2/v3 */ - SSL_CTX_set_options(context, - SSL_OP_SINGLE_DH_USE | - SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); + SSL_CTX_set_options(context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); /* set up ephemeral DH and ECDH keys */ if (!initialize_dh(context, isServerStart)) -- 2.40.0