Merge branch 'master' into slot2slot2

author: Robert Haas 2014-02-01 03:25:01 +0000
committer: Robert Haas 2014-02-01 03:25:01 +0000
commit: c7de3295ba9db6649c32568bb46b91f1160da8d3 (patch)
tree: 52bda214aaf8fa4bcc80eb8593c06807f2dc776d /src/backend/libpq/be-secure.c
parent: e01fc2377bfdb6a519aea7007a57c901c8a95da6 (diff)
parent: d1981719adbcc05fa15f540e8fc4327907991fc6 (diff)
1 files changed, 11 insertions, 2 deletions
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index a04701e555..71f9747300 100644
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -822,6 +822,13 @@ initialize_SSL(void)
 #endif
 		SSL_library_init();
 		SSL_load_error_strings();
+
+		/*
+		 * We use SSLv23_method() because it can negotiate use of the highest
+		 * mutually supported protocol version, while alternatives like
+		 * TLSv1_2_method() permit only one specific version.  Note that we
+		 * don't actually allow SSL v2 or v3, only TLS protocols (see below).
+		 */
 		SSL_context = SSL_CTX_new(SSLv23_method());
 		if (!SSL_context)
 			ereport(FATAL,
@@ -880,9 +887,11 @@ initialize_SSL(void)
 							SSLerrmessage())));
 	}
 
-	/* set up ephemeral DH keys, and disallow SSL v2 while at it */
+	/* set up ephemeral DH keys, and disallow SSL v2/v3 while at it */
 	SSL_CTX_set_tmp_dh_callback(SSL_context, tmp_dh_cb);
-	SSL_CTX_set_options(SSL_context, SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2);
+	SSL_CTX_set_options(SSL_context,
+						SSL_OP_SINGLE_DH_USE |
+						SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
 
 	/* set up ephemeral ECDH keys */
 	initialize_ecdh();
author	Robert Haas	2014-02-01 03:25:01 +0000
committer	Robert Haas	2014-02-01 03:25:01 +0000
commit	c7de3295ba9db6649c32568bb46b91f1160da8d3 (patch)
tree	52bda214aaf8fa4bcc80eb8593c06807f2dc776d /src/backend/libpq/be-secure.c
parent	e01fc2377bfdb6a519aea7007a57c901c8a95da6 (diff)
parent	d1981719adbcc05fa15f540e8fc4327907991fc6 (diff)