| field | value | date |
|---|---|---|
| author | Tom Lane <tgl@sss.pgh.pa.us> | 2017-08-02 11:28:46 -0400 |
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2017-08-02 11:28:49 -0400 |
| commit | f352f91cbf2f662c4f043d3650010b02da0cde1c (patch) | |
| tree | fad7bcfd5086d41363bae00ad6ed0367014e7429 /src | |
| parent | 41cefbb6db58c574e086efef2773a978f108d717 (diff) | |
| download | postgresql-f352f91cbf2f662c4f043d3650010b02da0cde1c.tar.gz, postgresql-f352f91cbf2f662c4f043d3650010b02da0cde1c.zip | |
Remove duplicate setting of SSL_OP_SINGLE_DH_USE option.
Commit c0a15e07c moved the setting of OpenSSL's SSL_OP_SINGLE_DH_USE option
into a new subroutine initialize_dh(), but forgot to remove it from where
it was. SSL_CTX_set_options() is a trivial function, amounting indeed to
just "ctx->options |= op", hence there's no reason to contort the code or
break separation of concerns to avoid calling it twice. So separating the
DH setup from disabling of old protocol versions is a good change, but we
need to finish the job.
Noted while poking into the question of SSL session tickets.
Diffstat (limited to 'src')
-rw-r--r-- | src/backend/libpq/be-secure-openssl.c | 4 |
1 files changed, 1 insertions, 3 deletions
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index dc307c101fc..694f76afa6e 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -286,9 +286,7 @@ be_tls_init(bool isServerStart) } /* disallow SSL v2/v3 */ - SSL_CTX_set_options(context, - SSL_OP_SINGLE_DH_USE | - SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); + SSL_CTX_set_options(context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); /* set up ephemeral DH and ECDH keys */ if (!initialize_dh(context, isServerStart)) |
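Review bot: the safety of dropping SSL_OP_SINGLE_DH_USE from this SSL_CTX_set_options() call depends entirely on initialize_dh(), called in the trailing context `if (!initialize_dh(context, isServerStart))`, setting that option itself, as the commit message says c0a15e07c did; please confirm in the same review that initialize_dh() sets it unconditionally on the context rather than only on one branch, otherwise this hunk removes the option instead of deduplicating it. The collapsed call `SSL_CTX_set_options(context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` now matches the `/* disallow SSL v2/v3 */` comment above it exactly, so no comment change is needed.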