Fix regression in TLS session ticket disabling
author Daniel Gustafsson <[email protected]>
Mon, 19 Aug 2024 10:55:11 +0000 (12:55 +0200)
committer Daniel Gustafsson <[email protected]>
Mon, 19 Aug 2024 10:55:11 +0000 (12:55 +0200)
Commit 274bbced disabled session tickets for TLSv1.3 on top of the
already disabled TLSv1.2 session tickets, but accidentally caused
a regression where TLSv1.2 session tickets were incorrectly sent.
Fix by unconditionally disabling TLSv1.2 session tickets and only
disabling TLSv1.3 tickets when the right version of OpenSSL is used.

Backpatch to all supported branches.

Reported-by: Cameron Vogt <[email protected]>
Reported-by: Fire Emerald <[email protected]>
Reviewed-by: Jacob Champion <[email protected]>
Discussion: https://postgr.es/m/DM6PR16MB3145CF62857226F350C710D1AB852@DM6PR16MB3145.namprd16.prod.outlook.com
Backpatch-through: v12

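The two OpenSSL knobs the commit message describes are independent: SSL_OP_NO_TICKET only suppresses the RFC 5077 session tickets used by TLSv1.2 and earlier, while SSL_CTX_set_num_tickets(ctx, 0) only suppresses the post-handshake tickets of TLSv1.3. The following is an added example, not PostgreSQL code, written against Python's ssl module because its SSLContext attributes map directly onto the same OpenSSL calls (SSLContext.options with ssl.OP_NO_TICKET is SSL_CTX_set_options(SSL_OP_NO_TICKET); SSLContext.num_tickets is SSL_CTX_set_num_tickets). It reproduces the pre-fix #ifdef/#else structure beside the fixed one and gives a check a practitioner can run against any server context. The function names are this example's own; the hasattr() test stands in for the HAVE_SSL_CTX_SET_NUM_TICKETS configure check.

```python
import ssl


def new_server_context():
    """A server-side context; num_tickets can only be set on server contexts."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def disable_session_tickets_buggy(ctx):
    """Mirrors the pre-fix preprocessor layout (#ifdef ... #else ... #endif):
    on an OpenSSL that has SSL_CTX_set_num_tickets the TLSv1.2 knob is never
    touched, so TLSv1.2 tickets are still issued.  hasattr() stands in for
    the HAVE_SSL_CTX_SET_NUM_TICKETS configure check (assumption of this example)."""
    if hasattr(ctx, "num_tickets"):
        ctx.num_tickets = 0            # SSL_CTX_set_num_tickets(ctx, 0): TLSv1.3 only
    else:
        ctx.options |= ssl.OP_NO_TICKET  # SSL_OP_NO_TICKET: TLSv1.2 and earlier only
    return ctx


def disable_session_tickets_fixed(ctx):
    """Mirrors the fixed layout: the TLSv1.2 knob is set unconditionally and the
    TLSv1.3 knob whenever the library offers it."""
    if hasattr(ctx, "num_tickets"):
        ctx.num_tickets = 0
    ctx.options |= ssl.OP_NO_TICKET
    return ctx


def ticket_status(ctx):
    """Report, per protocol generation, whether tickets are disabled on ctx.
    Use this as the check after building a hardened server context."""
    return {
        "tls12_tickets_disabled": bool(ctx.options & ssl.OP_NO_TICKET),
        "tls13_tickets_disabled": getattr(ctx, "num_tickets", None) == 0,
    }


if __name__ == "__main__":
    print("buggy:", ticket_status(disable_session_tickets_buggy(new_server_context())))
    print("fixed:", ticket_status(disable_session_tickets_fixed(new_server_context())))
```

On any OpenSSL 1.1.1 or later build the buggy variant reports TLSv1.3 tickets disabled but TLSv1.2 tickets still enabled, which is exactly the regression the commit fixes; the fixed variant reports both disabled. Note that a ticket-free server still has to have session caching disabled separately (the hunk's following comment points at that), since a session ID in the cache gives a second resumption path.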
src/backend/libpq/be-secure-openssl.c

index 685537268de18fd8c4b858098cb58242499dffaf..30f2a623d67a296ce8f528258be44242e60fa72d 100644
@@ -236,10 +236,9 @@ be_tls_init(bool isServerStart)
     */
 #ifdef HAVE_SSL_CTX_SET_NUM_TICKETS
    SSL_CTX_set_num_tickets(context, 0);
-#else
+#endif
 #ifdef SSL_OP_NO_TICKET                        /* added in OpenSSL 0.9.8f */
    SSL_CTX_set_options(context, SSL_OP_NO_TICKET);
-#endif
 #endif
 
    /* disallow SSL session caching, too */
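Review bot: the comment block whose closing `*/` sits just above `#ifdef HAVE_SSL_CTX_SET_NUM_TICKETS` is outside the context shown, but since the removed `#else` made the two calls alternatives, check that it now states that both are required: `SSL_CTX_set_options(context, SSL_OP_NO_TICKET)` only disables the RFC 5077 tickets of TLSv1.2 and earlier, and `SSL_CTX_set_num_tickets(context, 0)` only stops TLSv1.3 post-handshake tickets, so neither replaces the other and a reader of the old comment could reintroduce the `#else`. The preprocessor structure itself is right after the change: the `#endif` that replaces `#else` closes `HAVE_SSL_CTX_SET_NUM_TICKETS`, and the remaining `#endif` closes `SSL_OP_NO_TICKET`, so on a library without `SSL_CTX_set_num_tickets` the TLSv1.2 path is still taken exactly as before.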