From 2c9ca17f4faa4e462d1975b47a1aab01e46520d0 Mon Sep 17 00:00:00 2001 From: Daniel Gustafsson Date: Tue, 2 Jun 2026 11:32:19 +0200 Subject: [PATCH 2/4] ssl: Use TLS_method instead of deprecated SSLv23_method The SSLv23_method() function has been an alias for TLS_method since 2015 (OpenSSL commit 32ec41539b5b) so we should use the appropriate name to avoid confusion. --- src/backend/libpq/be-secure-openssl.c | 9 ++------- src/interfaces/libpq/fe-secure-openssl.c | 2 +- 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 025c55d9bd6..3368e04eba3 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -376,13 +376,8 @@ be_tls_init(bool isServerStart) * Create a new SSL context into which we'll load all the configuration * settings. If we fail partway through, we can avoid memory leakage by * freeing this context; we don't install it as active until the end. - * - * We use SSLv23_method() because it can negotiate use of the highest - * mutually supported protocol version, while alternatives like - * TLSv1_2_method() permit only one specific version. Note that we don't - * actually allow SSL v2 or v3, only TLS protocols (see below). */ - context = SSL_CTX_new(SSLv23_method()); + context = SSL_CTX_new(TLS_method()); if (!context) { ereport(isServerStart ? FATAL : LOG, @@ -612,7 +607,7 @@ host_context_cleanup_cb(void *arg) static bool init_host_context(HostsLine *host, bool isServerStart, bool *hasWarned) { - SSL_CTX *ctx = SSL_CTX_new(SSLv23_method()); + SSL_CTX *ctx = SSL_CTX_new(TLS_method()); if (!ctx) { diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index c7651c98ab5..9b8d5a5824a 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -800,7 +800,7 @@ initialize_SSL(PGconn *conn) * complicated if connections used different certificates. So now we * create a separate context for each connection, and accept the overhead. */ - SSL_context = SSL_CTX_new(SSLv23_method()); + SSL_context = SSL_CTX_new(TLS_method()); if (!SSL_context) { char *err = SSLerrmessage(ERR_get_error()); -- 2.39.3 (Apple Git-146)