Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
projects / postgresql.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 283964e)
Fix regression in TLS session ticket disabling
authorDaniel Gustafsson <dgustafsson@postgresql.org>
Mon, 19 Aug 2024 10:55:11 +0000 (12:55 +0200)
committerDaniel Gustafsson <dgustafsson@postgresql.org>
Mon, 19 Aug 2024 10:55:11 +0000 (12:55 +0200)
Commit 274bbced disabled session tickets for TLSv1.3 on top of the
already disabled TLSv1.2 session tickets, but accidentally caused
a regression where TLSv1.2 session tickets were incorrectly sent.
Fix by unconditionally disabling TLSv1.2 session tickets and only
disable TLSv1.3 tickets when the right version of OpenSSL is used.

Backpatch to all supported branches.

Reported-by: Cameron Vogt <cvogt@automaticcontrols.net>
Reported-by: Fire Emerald <fire.github@gmail.com>
Reviewed-by: Jacob Champion <jacob.champion@enterprisedb.com>
Discussion: https://postgr.es/m/DM6PR16MB3145CF62857226F350C710D1AB852@DM6PR16MB3145.namprd16.prod.outlook.com
Backpatch-through: v12

src/backend/libpq/be-secure-openssl.c patch | blob | blame | history

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 4e07ad8cd19f0f5134a2a1f7399a4d8526805474..49803b3741628562382caf3160854f5db4badeab 100644 (file)
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -263,9 +263,8 @@ be_tls_init(bool isServerStart)
     */
 #ifdef HAVE_SSL_CTX_SET_NUM_TICKETS
    SSL_CTX_set_num_tickets(context, 0);
-#else
-   SSL_CTX_set_options(context, SSL_OP_NO_TICKET);
 #endif
+   SSL_CTX_set_options(context, SSL_OP_NO_TICKET);
 
    /* disallow SSL session caching, too */
    SSL_CTX_set_session_cache_mode(context, SSL_SESS_CACHE_OFF);
This is the main PostgreSQL git repository.