Fix regression in TLS session ticket disabling

Commit 274bbced disabled session tickets for TLSv1.3 on top of the
already disabled TLSv1.2 session tickets, but accidentally caused
a regression where TLSv1.2 session tickets were incorrectly sent.
Fix by unconditionally disabling TLSv1.2 session tickets and only
disable TLSv1.3 tickets when the right version of OpenSSL is used.

Backpatch to all supported branches.

Reported-by: Cameron Vogt 
Reported-by: Fire Emerald 
Reviewed-by: Jacob Champion 
Discussion: https://postgr.es/m/DM6PR16MB3145CF62857226F350C710D1AB852@DM6PR16MB3145.namprd16.prod.outlook.com
Backpatch-through: v12

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index ad4b005dc8646bfec2d856245c90d2f55c1f50d3..b0492c443ecea490e1a6789162ec30a89dd572f7 100644 (file)
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -260,9 +260,8 @@ be_tls_init(bool isServerStart)
     */
 #ifdef HAVE_SSL_CTX_SET_NUM_TICKETS
    SSL_CTX_set_num_tickets(context, 0);
-#else
-   SSL_CTX_set_options(context, SSL_OP_NO_TICKET);
 #endif
+   SSL_CTX_set_options(context, SSL_OP_NO_TICKET);
 
    /* disallow SSL session caching, too */
    SSL_CTX_set_session_cache_mode(context, SSL_SESS_CACHE_OFF);