libpq: Support TLS versions beyond TLSv1.

Per report from Jeffrey Walton, libpq has been accepting only TLSv1 exactly. Along the lines of the backend code, libpq will now support new versions as OpenSSL adds them. Marko Kreen, reviewed by Wim Lewis.
author: Noah Misch 2014-01-25 00:29:06 +0000
committer: Noah Misch 2014-01-25 00:29:06 +0000
commit: 820f08cabdcbb8998050c3d4873e9619d6d8cba4 (patch)
tree: 77bf0ebe78b618ba5ae9203ce8158d2d7ce88779
parent: 3a5313265d53322519b5edce018ebdea14062bf9 (diff)
1 files changed, 8 insertions, 1 deletions
diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c
index 4411d25255..7e7a4f9ff1 100644
--- a/src/interfaces/libpq/fe-secure.c
+++ b/src/interfaces/libpq/fe-secure.c
@@ -966,7 +966,11 @@ init_ssl_system(PGconn *conn)
 			SSL_load_error_strings();
 		}
 
-		SSL_context = SSL_CTX_new(TLSv1_method());
+		/*
+		 * Only SSLv23_method() negotiates higher protocol versions;
+		 * alternatives like TLSv1_2_method() permit one specific version.
+		 */
+		SSL_context = SSL_CTX_new(SSLv23_method());
 		if (!SSL_context)
 		{
 			char	   *err = SSLerrmessage();
@@ -981,6 +985,9 @@ init_ssl_system(PGconn *conn)
 			return -1;
 		}
 
+		/* Disable old protocol versions */
+		SSL_CTX_set_options(SSL_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+
 		/*
 		 * Disable OpenSSL's moving-write-buffer sanity check, because it
 		 * causes unnecessary failures in nonblocking send cases.
author	Noah Misch	2014-01-25 00:29:06 +0000
committer	Noah Misch	2014-01-25 00:29:06 +0000
commit	820f08cabdcbb8998050c3d4873e9619d6d8cba4 (patch)
tree	77bf0ebe78b618ba5ae9203ce8158d2d7ce88779
parent	3a5313265d53322519b5edce018ebdea14062bf9 (diff)