Don't set SSL cipher list for libcurl

The default libcurl on centos7 uses NSS SSL library instead of OPENSSL. GPDB with that libcurl will report "Unknown cipher in list: AES128-SHA" on connecting gpfdist SSL server. Actually, we don't have to set cipher list in GPDB. It may choose stronger cipher on negotiation. So remove setting cipher list. Patch back to 6X_STABLE

Don't set SSL cipher list for libcurl
The default libcurl on centos7 uses NSS SSL library instead of OPENSSL. GPDB with that libcurl will report "Unknown cipher in list: AES128-SHA" on connecting gpfdist SSL server. Actually, we don't have to set cipher list in GPDB. It may choose stronger cipher on negotiation. So remove setting cipher list. Patch back to 6X_STABLE
176c84ed · Huiliang.liu · Huiliang.Liu · 0d60da9c · 176c84ed
隐藏空白更改
内联并排

Showing with 0 addition and 5 deletion

src/backend/access/external/url_curl.c src/backend/access/external/url_curl.c +0 -5

未找到文件。
--- a/src/backend/access/external/url_curl.c
+++ b/src/backend/access/external/url_curl.c
@@ -114,7 +114,6 @@ typedef struct
 *
 *  SSL Params
 *	extssl_protocol  CURL_SSLVERSION_TLSv1 				
- *  extssl_cipher 	 TLS_RSA_WITH_AES_128_CBC_SHA
 *  extssl_verifycert 	1
 *  extssl_verifyhost 	2
 *  extssl_no_verifycert 	0
@@ -128,7 +127,6 @@ typedef struct
 */

 const static int extssl_protocol  = CURL_SSLVERSION_TLSv1;
-const char* extssl_cipher = "AES128-SHA";
 const static int extssl_verifycert = 1;
 const static int extssl_verifyhost = 2;
 const static int extssl_no_verifycert = 0;
@@ -1274,9 +1272,6 @@ url_curl_fopen(char *url, bool forwrite, extvar_t *ev, CopyState pstate)
 		CURL_EASY_SETOPT(file->curl->handle, CURLOPT_SSL_VERIFYHOST,
 				(long)(verify_gpfdists_cert ? extssl_verifyhost : extssl_no_verifyhost));

-		/* set ciphersuite */
-		CURL_EASY_SETOPT(file->curl->handle, CURLOPT_SSL_CIPHER_LIST, extssl_cipher);
-
 		/* set protocol */
 		CURL_EASY_SETOPT(file->curl->handle, CURLOPT_SSLVERSION, extssl_protocol);