I was playing around with 7.3.1 and found some more SSL problems. The
authorBruce Momjian <bruce@momjian.us>
Wed, 8 Jan 2003 22:57:05 +0000 (22:57 +0000)
committerBruce Momjian <bruce@momjian.us>
Wed, 8 Jan 2003 22:57:05 +0000 (22:57 +0000)
first, that I missed when checking over 7.3.1, was that the client
method was switched to SSLv23 along with the server.  The SSLv23 client
method does SSLv2 by default, but can also understand SSLv3.  In our
situation the SSLv2 backwards compatibility is really only needed on the
server.  This is the first patch.

The last thing is that I found a way for the server to understand SSLv2
HELLO messages (sent by pre-7.3 clients) but then get them to talk
SSLv3.  This is the last one.

Nathan Mueller

src/backend/libpq/be-secure.c
src/interfaces/libpq/fe-secure.c

index aeec1b663d4fab9c6c2d504782117c9ecf6cb2e9..98661e44b7c8ae34608aa345d898cdb9bf079137 100644 (file)
@@ -11,7 +11,7 @@
  *
  *
  * IDENTIFICATION
- *       $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.15.2.5 2002/12/23 22:19:26 momjian Exp $
+ *       $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.15.2.6 2003/01/08 22:57:05 momjian Exp $
  *
  *       Since the server static private key ($DataDir/server.key)
  *       will normally be stored unencrypted so that the database
@@ -637,7 +637,7 @@ initialize_SSL(void)
 
        /* set up empheral DH keys */
        SSL_CTX_set_tmp_dh_callback(SSL_context, tmp_dh_cb);
-       SSL_CTX_set_options(SSL_context, SSL_OP_SINGLE_DH_USE);
+       SSL_CTX_set_options(SSL_context, SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2);
 
        /* accept client certificates, but don't require them. */
        snprintf(fnbuf, sizeof fnbuf, "%s/root.crt", DataDir);
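Review bot: The `SSL_CTX_set_options` call now also restricts the protocol version, but the only comment above it still reads `/* set up empheral DH keys */`, so the reason for `SSL_OP_NO_SSLv2` (accept the SSLv2-style hello that pre-7.3 clients send, but never negotiate SSLv2 itself, as the commit message explains) is not recorded in the code. I would give the flag its own statement and comment, `/* Pre-7.3 clients send SSLv2-style hellos: accept them, but never negotiate SSLv2 */` followed by `SSL_CTX_set_options(SSL_context, SSL_OP_NO_SSLv2);`, and correct the existing comment to `ephemeral`. The comment should also say that SSLv3 remains negotiable on the server, since that floor is what a later protocol-policy review will need to find. initialize_SSL starts and ends outside this hunk.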
index 2107b51d122d44b7db03836e7bc298d803de363e..67e461b4dac7137b65a0a207d509ccd8911d10df 100644 (file)
@@ -11,7 +11,7 @@
  *
  *
  * IDENTIFICATION
- *       $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v 1.15.2.2 2002/12/18 13:20:03 pgsql Exp $
+ *       $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v 1.15.2.3 2003/01/08 22:57:05 momjian Exp $
  *
  * NOTES
  *       The client *requires* a valid server certificate.  Since
@@ -712,7 +712,7 @@ initialize_SSL(PGconn *conn)
        {
                SSL_library_init();
                SSL_load_error_strings();
-               SSL_context = SSL_CTX_new(SSLv23_method());
+               SSL_context = SSL_CTX_new(TLSv1_method());
                if (!SSL_context)
                {
                        printfPQExpBuffer(&conn->errorMessage,
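Review bot: `TLSv1_method()` pins the client to exactly TLS 1.0 with no fallback, which drops SSLv3 as well as SSLv2 even though the description motivates the change only by avoiding SSLv2, and the hunk adds no comment recording that choice; a libpq built this way would fail the handshake against a server that only negotiates SSLv3, so if that is intended it should be stated, e.g. `/* TLSv1 only: never offer SSLv2 or SSLv3 to the server; the server side (be-secure.c) still accepts SSLv2-style hellos */`. If SSLv3 fallback is wanted instead, mirroring the server-side pattern, `SSLv23_method()` plus `SSL_CTX_set_options(SSL_context, SSL_OP_NO_SSLv2);`, would keep the two files consistent. The `if (!SSL_context)` check on the next line is kept, which is good. initialize_SSL continues outside the hunk on both sides.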