comparison src/event/ngx_event_openssl.c @ 7372:ed8738b1c7c4
SSL: explicitly set maximum version (ticket #1654).
With maximum version explicitly set, TLSv1.3 will not be unexpectedly
enabled if nginx compiled with OpenSSL 1.1.0 (without TLSv1.3 support)
will be run with OpenSSL 1.1.1 (with TLSv1.3 support).
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Tue, 23 Oct 2018 22:11:48 +0300 |
parents | cd4fa2fab8d8 |
children | 9ca82f273967 |
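--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -341,10 +341,15 @@
 #ifdef SSL_OP_NO_TLSv1_3
 SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
 if (!(protocols & NGX_SSL_TLSv1_3)) {
 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
 }
+#endif
+
+#ifdef SSL_CTX_set_min_proto_version
+SSL_CTX_set_min_proto_version(ssl->ctx, 0);
+SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION);
 #endif
 
 #ifdef TLS1_3_VERSION
 SSL_CTX_set_min_proto_version(ssl->ctx, 0);
 SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION);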
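Review bot: The added `SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION)` and the `SSL_CTX_set_min_proto_version` call before it discard their return values, so if the library rejects the setting, the TLSv1.2 cap this commit relies on is silently absent. Both setters return 0 on failure; consider `if (SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION) == 0) { /* log and fail context setup */ }`, using whatever logging and error return the enclosing function already has (not visible here). The two `#ifdef` blocks also depend on their order, which deserves a comment above the new one, e.g. `/* cap at TLSv1.2 first; raised below only when the build headers define TLS1_3_VERSION */`. The enclosing function starts and ends outside the hunk.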