From the SSL_CTX_new man page:

"SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)

 A TLS/SSL connection established with these methods will understand the SSLv2,
 SSLv3, and TLSv1 protocol. A client will send out SSLv2 client hello messages
 and will indicate that it also understands SSLv3 and TLSv1. A server will
 understand SSLv2, SSLv3, and TLSv1 client hello messages. This is the best
 choice when compatibility is a concern."

This will maintain backwards compatibility for those us that don't use
TLS connections ...

diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index 6ecfa0aafd4d91c952b30616f521c5c0ba9cc38f..72c14294ae3d708af0c6fec62f84ade6c37f596f 100644 (file)
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -587,7 +587,7 @@ initialize_SSL(void)
        {
                SSL_library_init();
                SSL_load_error_strings();
-               SSL_context = SSL_CTX_new(TLSv1_method());
+               SSL_context = SSL_CTX_new(SSLv23_method());
                if (!SSL_context)
                {
                        postmaster_error("failed to create SSL context: %s",

diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c
index ceae8a4ce0c343fcf4e97db52ac0fa367497c8f1..9eeea68acccdf1a0cdcec4e8c681e9ae36acc7e2 100644 (file)
--- a/src/interfaces/libpq/fe-secure.c
+++ b/src/interfaces/libpq/fe-secure.c
@@ -712,7 +712,7 @@ initialize_SSL(PGconn *conn)
        {
                SSL_library_init();
                SSL_load_error_strings();
-               SSL_context = SSL_CTX_new(TLSv1_method());
+               SSL_context = SSL_CTX_new(SSLv23_method());
                if (!SSL_context)
                {
                        printfPQExpBuffer(&conn->errorMessage,