comparison src/event/ngx_event_openssl.c @ 7421:11be3c0723bd stable-1.14
SSL: explicitly set maximum version (ticket #1654).
With the maximum version explicitly set, TLSv1.3 will not be unexpectedly
enabled when nginx compiled with OpenSSL 1.1.0 (without TLSv1.3 support)
is run with OpenSSL 1.1.1 (with TLSv1.3 support).
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Tue, 23 Oct 2018 22:11:48 +0300 |
parents | b3a4f6d23e82 |
children |
7420:b3a4f6d23e82 | 7421:11be3c0723bd |
---|---|
326 #ifdef SSL_OP_NO_TLSv1_3 | 326 #ifdef SSL_OP_NO_TLSv1_3 |
327 SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3); | 327 SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3); |
328 if (!(protocols & NGX_SSL_TLSv1_3)) { | 328 if (!(protocols & NGX_SSL_TLSv1_3)) { |
329 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3); | 329 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3); |
330 } | 330 } |
331 #endif | |
332 | |
333 #ifdef SSL_CTX_set_min_proto_version | |
334 SSL_CTX_set_min_proto_version(ssl->ctx, 0); | |
335 SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION); | |
331 #endif | 336 #endif |
332 | 337 |
333 #ifdef TLS1_3_VERSION | 338 #ifdef TLS1_3_VERSION |
334 SSL_CTX_set_min_proto_version(ssl->ctx, 0); | 339 SSL_CTX_set_min_proto_version(ssl->ctx, 0); |
335 SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION); | 340 SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION); |