ssl-disable-renego-v2.patch
text/x-diff
Filename: ssl-disable-renego-v2.patch
Type: text/x-diff
Part: 0
Patch
Format: unified
Series: patch v2
| File | + | − |
|---|---|---|
| src/backend/libpq/be-secure-openssl.c | 18 | 0 |
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index c4e8113241..4552db5b43 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -251,6 +251,15 @@ be_tls_init(bool isServerStart) /* disallow SSL compression */ SSL_CTX_set_options(context, SSL_OP_NO_COMPRESSION); +#ifdef SSL_OP_NO_RENEGOTIATION + /* + * Disallow SSL renegotiation, option available since 1.1.0h. This + * concerns only TLSv1.2 and older protocol versions, as TLSv1.3 has + * no support for renegotiation. + */ + SSL_CTX_set_options(context, SSL_OP_NO_RENEGOTIATION); +#endif + /* set up ephemeral DH and ECDH keys */ if (!initialize_dh(context, isServerStart)) goto error; @@ -430,6 +439,15 @@ be_tls_open_server(Port *port) } port->ssl_in_use = true; +#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && (OPENSSL_VERSION_NUMBER < 0x10100000L) + /* + * Disallow SSL renegotiation. SSL_OP_NO_RENEGOTIATION is not available + * in OpenSSL 1.0.2 and older versions, but this undocumented option + * allows to achieve the same goal. + */ + port->ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; +#endif + aloop: /*