author: Daniel Gustafsson, 2024-08-19 10:55:11 +0000
committer: Daniel Gustafsson, 2024-08-19 10:55:11 +0000
commit: 4fdb6558c2709c799643d26f3f956395ae72a8ef
tree: 85555daa0e0f7e6131f8d0fe41c6339b11586eb0
parent: 2724ff381a161eb030a1fcd2a6346679d74db420
Fix regression in TLS session ticket disabling

Commit 274bbced disabled session tickets for TLSv1.3 on top of the already disabled TLSv1.2 session tickets, but accidentally caused a regression where TLSv1.2 session tickets were incorrectly sent. Fix by unconditionally disabling TLSv1.2 session tickets and only disable TLSv1.3 tickets when the right version of OpenSSL is used. Backpatch to all supported branches.

Reported-by: Cameron Vogt <[email protected]>
Reported-by: Fire Emerald <[email protected]>
Reviewed-by: Jacob Champion <[email protected]>
Discussion: https://postgr.es/m/DM6PR16MB3145CF62857226F350C710D1AB852@DM6PR16MB3145.namprd16.prod.outlook.com
Backpatch-through: v12

-rw-r--r-- src/backend/libpq/be-secure-openssl.c 3
1 files changed, 1 insertions, 2 deletions
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 7e056abd5a..60cf5d16e7 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -270,9 +270,8 @@ be_tls_init(bool isServerStart)
*/
#ifdef HAVE_SSL_CTX_SET_NUM_TICKETS
SSL_CTX_set_num_tickets(context, 0);
-#else
- SSL_CTX_set_options(context, SSL_OP_NO_TICKET);
#endif
+ SSL_CTX_set_options(context, SSL_OP_NO_TICKET);
/* disallow SSL session caching, too */
SSL_CTX_set_session_cache_mode(context, SSL_SESS_CACHE_OFF);
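
Review bot: The now-unconditional SSL_CTX_set_options(context, SSL_OP_NO_TICKET) after the #endif carries no comment explaining why it runs in addition to SSL_CTX_set_num_tickets(context, 0) rather than as its alternative. The removed #else treated the two calls as interchangeable, and per the commit message that is what let TLSv1.2 tickets through, so a one-line comment on each call (num_tickets covers TLSv1.3, SSL_OP_NO_TICKET covers TLSv1.2) would keep a later cleanup from folding them back into an #ifdef/#else pair. The comment block that ends just above the #ifdef is untouched by this hunk, so it is worth confirming it still describes both calls. The diffstat shows only be-secure-openssl.c changed; a regression test asserting that no session ticket is issued on a TLSv1.2 connection would catch this recurring, particularly since the fix is backpatched to all supported branches.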