commit 406665a6cf49d25d0506439ab27a23e557a80be5
Author: zhaorui
Date: Thu Jul 8 09:52:37 2021 +0800

Disable unsafe tls(tls1.0 and tls1.1) protocol for gpfdist.

diff --git a/src/bin/gpfdist/gpfdist.c b/src/bin/gpfdist/gpfdist.c
index 2d066f5b94..dd4179960d 100644
--- a/src/bin/gpfdist/gpfdist.c
+++ b/src/bin/gpfdist/gpfdist.c
@@ -4028,7 +4028,9 @@ static SSL_CTX *initialize_ctx(void)
 }
 /* Create our context*/
- ctx = SSL_CTX_new( TLSv1_server_method() );
+ ctx = SSL_CTX_new( SSLv23_method() );
+ /* Disable old protocol versions */
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 );
 /* Generate random seed */
 if ( RAND_poll() == 0 )
diff --git a/src/bin/gpfdist/regress/input/gpfdist_ssl.source b/src/bin/gpfdist/regress/input/gpfdist_ssl.source
index 8dae7b6888..daa55fe3e2 100644
--- a/src/bin/gpfdist/regress/input/gpfdist_ssl.source
+++ b/src/bin/gpfdist/regress/input/gpfdist_ssl.source
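Review bot: `SSL_CTX_set_options(ctx, ...)` dereferences `ctx` immediately after `SSL_CTX_new()`, which returns NULL on failure, so a context-creation error now crashes here instead of reaching whatever check initialize_ctx performs later (the function continues outside this hunk); guard it with `if (ctx == NULL)` and the file's existing fatal-error reporting before the call, or move an existing check up above it. The disabled-version mask does give the intended TLS 1.2 floor, but on OpenSSL 1.1.0 and later `SSLv23_method()` is deprecated and the same intent is clearer as `ctx = SSL_CTX_new(TLS_server_method());` followed by `SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);`, which also keeps the server-role method that the replaced `TLSv1_server_method()` expressed and needs no edit when further versions are retired. I cannot see which OpenSSL versions gpfdist must build against; if 1.0.x support is still required, keep the current form under a version check rather than dropping the newer API.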
@@ -76,6 +76,41 @@ LOCATION ('gpfdists://127.0.0.1:7070/gpfdist_ssl/tbl2.tbl') FORMAT 'TEXT' (DELIMITER '|' );
 INSERT INTO tbl SELECT * FROM tbl_on_heap;
 SELECT * FROM tbl_on_heap ORDER BY s1;
+-- test disable tls1.0 and tls1.1
+CREATE EXTERNAL WEB TABLE curl_with_tls10 (x text)
+execute E'curl -H "X-GP-PROTO: 1" https://127.0.0.1:7070/gpfdist_ssl/tbl2.tbl -vk --cert @abs_srcdir@/data/gpfdist_ssl/certs_matching/client.crt --key @abs_srcdir@/data/gpfdist_ssl/certs_matching/client.key --tlsv1.0 >/dev/null 2>&1;ret=$?;
+if [ $ret -eq 35 ];then
+ echo "success";
+else
+ echo $ret;
+fi'
+on SEGMENT 0
+FORMAT 'text';
+CREATE EXTERNAL WEB TABLE curl_with_tls11 (x text)
+execute E'curl -H "X-GP-PROTO: 1" https://127.0.0.1:7070/gpfdist_ssl/tbl2.tbl -vk --cert @abs_srcdir@/data/gpfdist_ssl/certs_matching/client.crt --key @abs_srcdir@/data/gpfdist_ssl/certs_matching/client.key --tlsv1.1 >/dev/null 2>&1;ret=$?;
+if [ $ret -eq 35 ];then
+ echo "success";
+else
+ echo $ret;
+fi'
+on SEGMENT 0
+FORMAT 'text';
+CREATE EXTERNAL WEB TABLE curl_with_tls12 (x text)
+execute E'curl -H "X-GP-PROTO: 1" https://127.0.0.1:7070/gpfdist_ssl/tbl2.tbl -vk --cert @abs_srcdir@/data/gpfdist_ssl/certs_matching/client.crt --key @abs_srcdir@/data/gpfdist_ssl/certs_matching/client.key --tlsv1.2 >/dev/null 2>&1;ret=$?;
+if [ $ret -ne 35 ];then
+ echo "success";
+else
+ echo $ret;
+fi'
+on SEGMENT 0
+FORMAT 'text';
+select * from curl_with_tls10;
+select * from curl_with_tls11;
+select * from curl_with_tls12;
+drop external table if exists curl_with_tls10;
+drop external table if exists curl_with_tls11;
+drop external table if exists curl_with_tls12;
+-- end test disable tls1.0 and tls1.1
 -- gpfdist_ssl case 2
 DROP TABLE IF EXISTS tbl_on_heap2;
diff --git a/src/bin/gpfdist/regress/output/gpfdist_ssl.source b/src/bin/gpfdist/regress/output/gpfdist_ssl.source
index 286c51644f..4ba57cf26a 100644
--- a/src/bin/gpfdist/regress/output/gpfdist_ssl.source
+++ b/src/bin/gpfdist/regress/output/gpfdist_ssl.source
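Review bot: The curl_with_tls10 and curl_with_tls11 checks assume curl will refuse to negotiate anything newer than the named version, but since curl 7.54.0 `--tlsv1.0` and `--tlsv1.1` set only the minimum version, so on such a curl both tables negotiate TLS 1.2, the handshake succeeds, and the test prints the exit code instead of "success"; pin the version by passing `--tlsv1.0 --tls-max 1.0` and `--tlsv1.1 --tls-max 1.1` so the regression actually exercises the disabled protocols regardless of the installed curl. The curl_with_tls12 table uses `if [ $ret -ne 35 ];then`, which reports success for any failure other than a TLS handshake error (connection refused, a rejected client certificate, a bad option), so it does not prove that TLS 1.2 is accepted; `if [ $ret -eq 0 ];then` matches the intent, assuming the transfer completes since curl is run without `-f`. The same command lines are mirrored in the regress/output/gpfdist_ssl.source hunk and need the identical change there; the expected "success" rows would remain unchanged.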
@@ -70,6 +70,56 @@ SELECT * FROM tbl_on_heap ORDER BY s1;
 ccc | twoc | shpits | Wed Jun 01 12:30:30 2011 | 23 | 732 | 834567 | 45.67 | 789.123 | 7.12345 | 123.456789
 (3 rows)
+-- test disable tls1.0 and tls1.1
+CREATE EXTERNAL WEB TABLE curl_with_tls10 (x text)
+execute E'curl -H "X-GP-PROTO: 1" https://127.0.0.1:7070/gpfdist_ssl/tbl2.tbl -vk --cert @abs_srcdir@/data/gpfdist_ssl/certs_matching/client.crt --key @abs_srcdir@/data/gpfdist_ssl/certs_matching/client.key --tlsv1.0 >/dev/null 2>&1;ret=$?;
+if [ $ret -eq 35 ];then
+ echo "success";
+else
+ echo $ret;
+fi'
+on SEGMENT 0
+FORMAT 'text';
+CREATE EXTERNAL WEB TABLE curl_with_tls11 (x text)
+execute E'curl -H "X-GP-PROTO: 1" https://127.0.0.1:7070/gpfdist_ssl/tbl2.tbl -vk --cert @abs_srcdir@/data/gpfdist_ssl/certs_matching/client.crt --key @abs_srcdir@/data/gpfdist_ssl/certs_matching/client.key --tlsv1.1 >/dev/null 2>&1;ret=$?;
+if [ $ret -eq 35 ];then
+ echo "success";
+else
+ echo $ret;
+fi'
+on SEGMENT 0
+FORMAT 'text';
+CREATE EXTERNAL WEB TABLE curl_with_tls12 (x text)
+execute E'curl -H "X-GP-PROTO: 1" https://127.0.0.1:7070/gpfdist_ssl/tbl2.tbl -vk --cert @abs_srcdir@/data/gpfdist_ssl/certs_matching/client.crt --key @abs_srcdir@/data/gpfdist_ssl/certs_matching/client.key --tlsv1.2 >/dev/null 2>&1;ret=$?;
+if [ $ret -ne 35 ];then
+ echo "success";
+else
+ echo $ret;
+fi'
+on SEGMENT 0
+FORMAT 'text';
+select * from curl_with_tls10;
+ x
+---------
+ success
+(1 row)
+
+select * from curl_with_tls11;
+ x
+---------
+ success
+(1 row)
+
+select * from curl_with_tls12;
+ x
+---------
+ success
+(1 row)
+
+drop external table if exists curl_with_tls10;
+drop external table if exists curl_with_tls11;
+drop external table if exists curl_with_tls12;
+-- end test disable tls1.0 and tls1.1
 -- gpfdist_ssl case 2
 DROP TABLE IF EXISTS tbl_on_heap2;
 NOTICE: table "tbl_on_heap2" does not exist, skipping