From cec27e4d8c795f3e8e2a7f62033f6a522626c934 Mon Sep 17 00:00:00 2001 From: Daniel Gustafsson Date: Tue, 2 Jun 2026 11:32:19 +0200 Subject: [PATCH v2 2/4] ssl: Use TLS_method instead of deprecated SSLv23_method The SSLv23_method() function has been an alias for TLS_method since 2015 (OpenSSL commit 32ec41539b5b) so we should use the appropriate name to avoid confusion. Author: Daniel Gustafsson Reviewed-by: Tristan Partin Reviewed-by: Andreas Karlsson Discussion: https://postgr.es/m/68B9881D-DAA8-467D-A251-C96E98E57BA0@yesql.se --- src/backend/libpq/be-secure-openssl.c | 9 ++------- src/interfaces/libpq/fe-secure-openssl.c | 2 +- 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 0a13b8aa922..48eec54c062 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -377,13 +377,8 @@ be_tls_init(bool isServerStart) * Create a new SSL context into which we'll load all the configuration * settings. If we fail partway through, we can avoid memory leakage by * freeing this context; we don't install it as active until the end. - * - * We use SSLv23_method() because it can negotiate use of the highest - * mutually supported protocol version, while alternatives like - * TLSv1_2_method() permit only one specific version. Note that we don't - * actually allow SSL v2 or v3, only TLS protocols (see below). */ - context = SSL_CTX_new(SSLv23_method()); + context = SSL_CTX_new(TLS_method()); if (!context) { ereport(isServerStart ? FATAL : LOG, @@ -613,7 +608,7 @@ host_context_cleanup_cb(void *arg) static bool init_host_context(HostsLine *host, bool isServerStart, bool *hasWarned) { - SSL_CTX *ctx = SSL_CTX_new(SSLv23_method()); + SSL_CTX *ctx = SSL_CTX_new(TLS_method()); Assert(hasWarned); diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index c7651c98ab5..9b8d5a5824a 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -800,7 +800,7 @@ initialize_SSL(PGconn *conn) * complicated if connections used different certificates. So now we * create a separate context for each connection, and accept the overhead. */ - SSL_context = SSL_CTX_new(SSLv23_method()); + SSL_context = SSL_CTX_new(TLS_method()); if (!SSL_context) { char *err = SSLerrmessage(ERR_get_error()); -- 2.39.3 (Apple Git-146)