author: Daniel Gustafsson <dgustafsson@postgresql.org> 2024-08-19 12:55:11 +0200
committer: Daniel Gustafsson <dgustafsson@postgresql.org> 2024-08-19 12:55:11 +0200
commit: 8cea8c023edfc8ab8eadd4e68a9686727f494aaf (patch)
tree: 32d6a37d5c9b5c9a45deb69dd8fb09082137107c /src
parent: f1707c5f4f647e58ba299af3750d24f6d3b00cd6 (diff)

Fix regression in TLS session ticket disabling

Commit 274bbced disabled session tickets for TLSv1.3 on top of the already disabled TLSv1.2 session tickets, but accidentally caused a regression where TLSv1.2 session tickets were incorrectly sent. Fix by unconditionally disabling TLSv1.2 session tickets and only disable TLSv1.3 tickets when the right version of OpenSSL is used.

Backpatch to all supported branches.

Reported-by: Cameron Vogt <cvogt@automaticcontrols.net>
Reported-by: Fire Emerald <fire.github@gmail.com>
Reviewed-by: Jacob Champion <jacob.champion@enterprisedb.com>
Discussion: https://postgr.es/m/DM6PR16MB3145CF62857226F350C710D1AB852@DM6PR16MB3145.namprd16.prod.outlook.com
Backpatch-through: v12

Diffstat (limited to 'src')
-rw-r--r-- src/backend/libpq/be-secure-openssl.c 3
1 files changed, 1 insertions, 2 deletions
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 02f6b870f94..8df8ed3c90a 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -253,9 +253,8 @@ be_tls_init(bool isServerStart)
*/
#ifdef HAVE_SSL_CTX_SET_NUM_TICKETS
SSL_CTX_set_num_tickets(context, 0);
-#else
- SSL_CTX_set_options(context, SSL_OP_NO_TICKET);
#endif
+ SSL_CTX_set_options(context, SSL_OP_NO_TICKET);
/* disallow SSL session caching, too */
SSL_CTX_set_session_cache_mode(context, SSL_SESS_CACHE_OFF);
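
Review bot: the SSL_CTX_set_options(context, SSL_OP_NO_TICKET) call that now sits after the #endif carries no comment explaining why it must run in every build, so the two calls look redundant and are easy to fold back into an #ifdef/#else pair, which is the shape that let TLSv1.2 tickets be sent. A one-line comment on each call would help, noting that SSL_CTX_set_num_tickets(context, 0) covers TLSv1.3 tickets where the function is available and that SSL_OP_NO_TICKET covers TLSv1.2 tickets regardless. The diffstat shows only be-secure-openssl.c changing, so nothing here guards against the same regression returning; an SSL test that connects with the protocol capped at TLSv1.2 and checks that the server issues no session ticket would be worth adding alongside the fix.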