From 6e449db8937ccb985890dcea1e0f773f3e859d8b Mon Sep 17 00:00:00 2001
From: Mehmet Yilmaz
Date: Fri, 16 May 2025 14:09:14 +0000
Subject: [PATCH] Update SSL context creation to use TLS_method for improved security and maintain compatibility with OpenSSL 1.1.0+
---
 src/backend/distributed/utils/enable_ssl.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/backend/distributed/utils/enable_ssl.c b/src/backend/distributed/utils/enable_ssl.c
index 5151db26d..c30bee214 100644
--- a/src/backend/distributed/utils/enable_ssl.c
+++ b/src/backend/distributed/utils/enable_ssl.c
@@ -255,7 +255,7 @@ CreateCertificatesWhenNeeded()
 SSL_library_init();
 #endif
- sslContext = SSL_CTX_new(SSLv23_method());
+ sslContext = SSL_CTX_new(TLS_method());
 if (!sslContext)
 {
 ereport(WARNING, (errmsg("unable to create ssl context, please verify ssl "
@@ -386,12 +386,12 @@ CreateCertificate(EVP_PKEY *privateKey)
 */
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
- /* OpenSSL 1.1.0+ */
- X509_gmtime_adj(X509_getm_notBefore(certificate), 0);
- X509_gmtime_adj(X509_getm_notAfter(certificate), 0);
+ /* New mutable accessors (present in 1.1, 3.x). */
+ X509_gmtime_adj(X509_getm_notBefore(certificate), 0);
+ X509_gmtime_adj(X509_getm_notAfter(certificate), 0);
 #else
- /* OpenSSL < 1.1.0 */
+ /* Legacy functions kept for 1.0.x compatibility. */
 X509_gmtime_adj(X509_get_notBefore(certificate), 0);
 X509_gmtime_adj(X509_get_notAfter(certificate), 0);
 #endif
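Review bot: The unconditional `SSL_CTX_new(TLS_method())` in the first hunk breaks the build on OpenSSL 1.0.x, where `TLS_method` does not exist, while the second hunk of this same commit keeps an `OPENSSL_VERSION_NUMBER >= 0x10100000L` branch expressly "for 1.0.x compatibility"; the two hunks should agree on whether 1.0.x is still supported. If it is, guard the call with the same version check the file already uses, as below; if it is not, the `#else` branch in the second hunk and its comment are dead and should go in the same change. Note also that on 1.1.0+ `SSLv23_method` is already an alias of `TLS_method`, so this hunk does not by itself raise the protocol floor; if that is the security goal stated in the subject, it needs an explicit minimum, e.g. `SSL_CTX_set_min_proto_version(sslContext, TLS1_2_VERSION);` after the context is created (available from 1.1.0). CreateCertificatesWhenNeeded's body starts and ends outside the hunk.
```c
/* … unchanged: SSL_library_init() / #endif above … */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
	sslContext = SSL_CTX_new(TLS_method());
#else
	/* TLS_method() is 1.1.0+; SSLv23_method() is the version-flexible entry point on 1.0.x. */
	sslContext = SSL_CTX_new(SSLv23_method());
#endif
	if (!sslContext)
/* … unchanged: ereport(WARNING, ...) … */
```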