summaryrefslogtreecommitdiff
path: root/src/backend/libpq/be-secure.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/backend/libpq/be-secure.c')
-rw-r--r--src/backend/libpq/be-secure.c13
1 files changed, 11 insertions, 2 deletions
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index a04701e555..71f9747300 100644
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -822,6 +822,13 @@ initialize_SSL(void)
#endif
SSL_library_init();
SSL_load_error_strings();
+
+ /*
+ * We use SSLv23_method() because it can negotiate use of the highest
+ * mutually supported protocol version, while alternatives like
+ * TLSv1_2_method() permit only one specific version. Note that we
+ * don't actually allow SSL v2 or v3, only TLS protocols (see below).
+ */
SSL_context = SSL_CTX_new(SSLv23_method());
if (!SSL_context)
ereport(FATAL,
@@ -880,9 +887,11 @@ initialize_SSL(void)
SSLerrmessage())));
}
- /* set up ephemeral DH keys, and disallow SSL v2 while at it */
+ /* set up ephemeral DH keys, and disallow SSL v2/v3 while at it */
SSL_CTX_set_tmp_dh_callback(SSL_context, tmp_dh_cb);
- SSL_CTX_set_options(SSL_context, SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2);
+ SSL_CTX_set_options(SSL_context,
+ SSL_OP_SINGLE_DH_USE |
+ SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
/* set up ephemeral ECDH keys */
initialize_ecdh();
generated by cgit v1.2.3 (git 2.39.1) at 2025-12-17 22:46:37 +0000