From 671231f58853fa6e6bdcbbd62d4496bb574bd572 Mon Sep 17 00:00:00 2001
From: Bruce Momjian
Date: Wed, 8 Jan 2003 22:57:05 +0000
Subject: [PATCH] I was playing around with 7.3.1 and found some more SSL problems. The first, that I missed when checking over 7.3.1, was that the client method was switched to SSLv23 along with the server. The SSLv23 client method does SSLv2 by default, but can also understand SSLv3. In our situation the SSLv2 backwords compatibility is really only needed on the server. This is the first patch. The last thing is that I found a way for the server to understand SSLv2 HELLO messages (sent by pre-7.3 clients) but then get them to talk SSLv3. This is the last one. Nathan Mueller
---
 src/backend/libpq/be-secure.c | 4 ++--
 src/interfaces/libpq/fe-secure.c | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index aeec1b663d4..98661e44b7c 100644
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -11,7 +11,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.15.2.5 2002/12/23 22:19:26 momjian Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.15.2.6 2003/01/08 22:57:05 momjian Exp $
  *
  * Since the server static private key ($DataDir/server.key)
  * will normally be stored unencrypted so that the database
@@ -637,7 +637,7 @@ initialize_SSL(void)
 
 	/* set up empheral DH keys */
 	SSL_CTX_set_tmp_dh_callback(SSL_context, tmp_dh_cb);
-	SSL_CTX_set_options(SSL_context, SSL_OP_SINGLE_DH_USE);
+	SSL_CTX_set_options(SSL_context, SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2);
 
 	/* accept client certificates, but don't require them. */
 	snprintf(fnbuf, sizeof fnbuf, "%s/root.crt", DataDir);
diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c
index 2107b51d122..67e461b4dac 100644
--- a/src/interfaces/libpq/fe-secure.c
+++ b/src/interfaces/libpq/fe-secure.c
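Review bot: `SSL_OP_NO_SSLv2` is ORed into a call that sits under the `/* set up empheral DH keys */` comment, so nothing in be-secure.c records why SSLv2 is being refused; the reasoning lives only in the commit message (the server, per that message, keeps the SSLv23 method so it can read the SSLv2-format hello that pre-7.3 clients send, but must never actually negotiate SSLv2). Suggest a separate line with its own comment, e.g. `/* Accept SSLv2-style hellos from pre-7.3 clients, but never negotiate SSLv2 itself */` followed by `SSL_CTX_set_options(SSL_context, SSL_OP_NO_SSLv2);`, leaving the DH option on the line the existing comment describes. Note that the flag only removes SSLv2 from the set of versions the SSLv23 context will negotiate, so the server still ends up speaking whatever the client offers above that; if SSLv3 is ever retired, `SSL_OP_NO_SSLv3` belongs in this same mask. The body of initialize_SSL starts and ends outside the hunk.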
@@ -11,7 +11,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v 1.15.2.2 2002/12/18 13:20:03 pgsql Exp $
+ *	  $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v 1.15.2.3 2003/01/08 22:57:05 momjian Exp $
  *
  * NOTES
  * The client *requires* a valid server certificate. Since
@@ -712,7 +712,7 @@ initialize_SSL(PGconn *conn)
 {
 	SSL_library_init();
 	SSL_load_error_strings();
-	SSL_context = SSL_CTX_new(SSLv23_method());
+	SSL_context = SSL_CTX_new(TLSv1_method());
 	if (!SSL_context)
 	{
 		printfPQExpBuffer(&conn->errorMessage,
-- 
2.39.5
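Review bot: Switching the client to `TLSv1_method()` pins it to a single protocol version with no fallback, which is the right direction for a client (it can never be negotiated down to SSLv2), but the file gives no hint why the client and server now deliberately use different methods, and a later reader may well revert it to SSLv23 for "consistency". Suggest a comment above the assignment, e.g. `/* Fixed TLSv1 method on purpose: the client must never negotiate SSLv2; the server's SSLv23 context still accepts TLSv1 */`. Be aware that a fixed-version client will also fail the handshake against any server that offers only SSLv3, so the error a user sees in that case should make the version mismatch recognisable; the error path visible here after `if (!SSL_context)` covers only context creation, not the handshake, which is handled outside the hunk. The body of initialize_SSL continues past the hunk.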