Remove duplicate setting of SSL_OP_SINGLE_DH_USE option.

Commit c0a15e07c moved the setting of OpenSSL's SSL_OP_SINGLE_DH_USE option
into a new subroutine initialize_dh(), but forgot to remove it from where
it was.  SSL_CTX_set_options() is a trivial function, amounting indeed to
just "ctx->options |= op", hence there's no reason to contort the code or
break separation of concerns to avoid calling it twice.  So separating the
DH setup from disabling of old protocol versions is a good change, but we
need to finish the job.

Noted while poking into the question of SSL session tickets.

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index dc307c101fcc9d8af58977a89e89e2ca92af0d02..694f76afa6edabbb681c5ea4f48ee23b892c5a85 100644 (file)
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -286,9 +286,7 @@ be_tls_init(bool isServerStart)
    }
 
    /* disallow SSL v2/v3 */
-   SSL_CTX_set_options(context,
-                       SSL_OP_SINGLE_DH_USE |
-                       SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+   SSL_CTX_set_options(context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
 
    /* set up ephemeral DH and ECDH keys */
    if (!initialize_dh(context, isServerStart))