Mercurial > hg > nginx
comparison src/event/ngx_event_openssl.c @ 7421:11be3c0723bd stable-1.14
SSL: explicitly set maximum version (ticket #1654).
With maximum version explicitly set, TLSv1.3 will not be unexpectedly
enabled if nginx compiled with OpenSSL 1.1.0 (without TLSv1.3 support)
will be run with OpenSSL 1.1.1 (with TLSv1.3 support).
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Tue, 23 Oct 2018 22:11:48 +0300 |
| parents | b3a4f6d23e82 |
| children |
comparison
equal
deleted
inserted
replaced
| 7420:b3a4f6d23e82 | 7421:11be3c0723bd |
|---|---|
| 326 #ifdef SSL_OP_NO_TLSv1_3 | 326 #ifdef SSL_OP_NO_TLSv1_3 |
| 327 SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3); | 327 SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3); |
| 328 if (!(protocols & NGX_SSL_TLSv1_3)) { | 328 if (!(protocols & NGX_SSL_TLSv1_3)) { |
| 329 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3); | 329 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3); |
| 330 } | 330 } |
| 331 #endif | |
| 332 | |
| 333 #ifdef SSL_CTX_set_min_proto_version | |
| 334 SSL_CTX_set_min_proto_version(ssl->ctx, 0); | |
| 335 SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION); | |
| 331 #endif | 336 #endif |
| 332 | 337 |
| 333 #ifdef TLS1_3_VERSION | 338 #ifdef TLS1_3_VERSION |
| 334 SSL_CTX_set_min_proto_version(ssl->ctx, 0); | 339 SSL_CTX_set_min_proto_version(ssl->ctx, 0); |
| 335 SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION); | 340 SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION); |