diff options
| author | vvvv <[email protected]> | 2025-10-24 14:59:50 +0300 |
|---|---|---|
| committer | vvvv <[email protected]> | 2025-10-24 15:29:24 +0300 |
| commit | 5b0d18921f2a509d8363c40a5ca208dfed026287 (patch) | |
| tree | d1369c696d3a9e9a65b68d9208e198269a48cfbc /yql/essentials/parser/pg_wrapper/postgresql/src/backend/libpq/be-secure-openssl.c | |
| parent | e7fbdb6e81ae4a296e710b133de7a2a04b31bbc4 (diff) | |
YQL-20567 upgrade PG up to 16.10 & fix instructions
init
commit_hash:81aba13295273281d19d2d332a48ff1c44977447
Diffstat (limited to 'yql/essentials/parser/pg_wrapper/postgresql/src/backend/libpq/be-secure-openssl.c')
| -rw-r--r-- | yql/essentials/parser/pg_wrapper/postgresql/src/backend/libpq/be-secure-openssl.c | 22 |
1 files changed, 17 insertions, 5 deletions
diff --git a/yql/essentials/parser/pg_wrapper/postgresql/src/backend/libpq/be-secure-openssl.c b/yql/essentials/parser/pg_wrapper/postgresql/src/backend/libpq/be-secure-openssl.c index e1e8f19083b..fd3e5efb60e 100644 --- a/yql/essentials/parser/pg_wrapper/postgresql/src/backend/libpq/be-secure-openssl.c +++ b/yql/essentials/parser/pg_wrapper/postgresql/src/backend/libpq/be-secure-openssl.c @@ -254,7 +254,18 @@ be_tls_init(bool isServerStart) } } - /* disallow SSL session tickets */ + /* + * Disallow SSL session tickets. OpenSSL use both stateful and stateless + * tickets for TLSv1.3, and stateless ticket for TLSv1.2. SSL_OP_NO_TICKET + * is available since 0.9.8f but only turns off stateless tickets. In + * order to turn off stateful tickets we need SSL_CTX_set_num_tickets, + * which is available since OpenSSL 1.1.1. LibreSSL 3.5.4 (from OpenBSD + * 7.1) introduced this API for compatibility, but doesn't support session + * tickets at all so it's a no-op there. + */ +#ifdef HAVE_SSL_CTX_SET_NUM_TICKETS + SSL_CTX_set_num_tickets(context, 0); +#endif SSL_CTX_set_options(context, SSL_OP_NO_TICKET); /* disallow SSL session caching, too */ @@ -1369,10 +1380,11 @@ SSLerrmessage(unsigned long ecode) return errreason; /* - * In OpenSSL 3.0.0 and later, ERR_reason_error_string randomly refuses to - * map system errno values. We can cover that shortcoming with this bit - * of code. Older OpenSSL versions don't have the ERR_SYSTEM_ERROR macro, - * but that's okay because they don't have the shortcoming either. + * In OpenSSL 3.0.0 and later, ERR_reason_error_string does not map system + * errno values anymore. (See OpenSSL source code for the explanation.) + * We can cover that shortcoming with this bit of code. Older OpenSSL + * versions don't have the ERR_SYSTEM_ERROR macro, but that's okay because + * they don't have the shortcoming either. */ #ifdef ERR_SYSTEM_ERROR if (ERR_SYSTEM_ERROR(ecode)) |