From 6ccb5aebaddd9e7aefaa7d1e7baa3264148be3c5 Mon Sep 17 00:00:00 2001
From: Bruce Momjian <bruce@momjian.us>
Date: Wed, 8 Jan 2003 22:56:58 +0000
Subject: [PATCH] I was playing around with 7.3.1 and found some more SSL
 problems.  The first, that I missed when checking over 7.3.1, was that the
 client method was switched to SSLv23 along with the server.  The SSLv23
 client method does SSLv2 by default, but can also understand SSLv3.  In our
 situation the SSLv2 backwords compatibility is really only needed on the
 server.  This is the first patch.

The last thing is that I found a way for the server to understand SSLv2
HELLO messages (sent by pre-7.3 clients) but then get them to talk
SSLv3.  This is the last one.

Nathan Mueller
---
 src/backend/libpq/be-secure.c    | 4 ++--
 src/interfaces/libpq/fe-secure.c | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index 5b03121455..c73eab42cd 100644
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -11,7 +11,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.21 2002/12/23 22:19:00 momjian Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.22 2003/01/08 22:56:58 momjian Exp $
  *
  *	  Since the server static private key ($DataDir/server.key)
  *	  will normally be stored unencrypted so that the database
@@ -637,7 +637,7 @@ initialize_SSL(void)
 
 	/* set up empheral DH keys */
 	SSL_CTX_set_tmp_dh_callback(SSL_context, tmp_dh_cb);
-	SSL_CTX_set_options(SSL_context, SSL_OP_SINGLE_DH_USE);
+	SSL_CTX_set_options(SSL_context, SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2);
 
 	/* accept client certificates, but don't require them. */
 	snprintf(fnbuf, sizeof fnbuf, "%s/root.crt", DataDir);
diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c
index 6f613aec06..36fe45bd9c 100644
--- a/src/interfaces/libpq/fe-secure.c
+++ b/src/interfaces/libpq/fe-secure.c
@@ -11,7 +11,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v 1.18 2002/12/18 13:15:15 pgsql Exp $
+ *	  $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v 1.19 2003/01/08 22:56:58 momjian Exp $
  *
  * NOTES
  *	  The client *requires* a valid server certificate.  Since
@@ -714,7 +714,7 @@ initialize_SSL(PGconn *conn)
 	{
 		SSL_library_init();
 		SSL_load_error_strings();
-		SSL_context = SSL_CTX_new(SSLv23_method());
+		SSL_context = SSL_CTX_new(TLSv1_method());
 		if (!SSL_context)
 		{
 			printfPQExpBuffer(&conn->errorMessage,