author Daniel Gustafsson <dgustafsson@postgresql.org> 2024-08-19 12:55:11 +0200
committer Daniel Gustafsson <dgustafsson@postgresql.org> 2024-08-19 12:55:11 +0200
commit f925b7f65d497fae87fad1b419e137a32cfcb504
tree 8e0a3d27f2528f3ef1a0daacd6e446dbc18b232c
parent 33c615f764c32abf20bf8a5a71fcb44115551867
Fix regression in TLS session ticket disabling

Commit 274bbced disabled session tickets for TLSv1.3 on top of the
already disabled TLSv1.2 session tickets, but accidentally caused
a regression where TLSv1.2 session tickets were incorrectly sent.
Fix by unconditionally disabling TLSv1.2 session tickets and only
disable TLSv1.3 tickets when the right version of OpenSSL is used.

Backpatch to all supported branches.

Reported-by: Cameron Vogt <cvogt@automaticcontrols.net>
Reported-by: Fire Emerald <fire.github@gmail.com>
Reviewed-by: Jacob Champion <jacob.champion@enterprisedb.com>
Discussion: https://postgr.es/m/DM6PR16MB3145CF62857226F350C710D1AB852@DM6PR16MB3145.namprd16.prod.outlook.com
Backpatch-through: v12
-rw-r--r-- src/backend/libpq/be-secure-openssl.c 3
1 files changed, 1 insertions, 2 deletions
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 92edd6d5c63..d28e29ed628 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -253,9 +253,8 @@ be_tls_init(bool isServerStart)
*/
#ifdef HAVE_SSL_CTX_SET_NUM_TICKETS
SSL_CTX_set_num_tickets(context, 0);
-#else
- SSL_CTX_set_options(context, SSL_OP_NO_TICKET);
#endif
+ SSL_CTX_set_options(context, SSL_OP_NO_TICKET);
/* disallow SSL session caching, too */
SSL_CTX_set_session_cache_mode(context, SSL_SESS_CACHE_OFF);
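Review bot: The now-unconditional SSL_CTX_set_options(context, SSL_OP_NO_TICKET) after the #endif carries no comment at the call site saying that it is what turns off TLSv1.2 tickets, while SSL_CTX_set_num_tickets(context, 0) inside the #ifdef covers only TLSv1.3. That is exactly the distinction the removed #else branch got wrong. The comment block ending just above the #ifdef is untouched by this patch, so a short comment on each call naming the protocol version it covers would keep a later cleanup from folding the two back into an #ifdef/#else pair. The patch also touches only be-secure-openssl.c; a test that connects at TLSv1.2 and checks that no session ticket is issued would catch a repeat of this regression on the back branches.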