Mercurial > hg > nginx
comparison src/event/ngx_event_openssl.c @ 7372:ed8738b1c7c4
SSL: explicitly set maximum version (ticket #1654).
With maximum version explicitly set, TLSv1.3 will not be unexpectedly
enabled if nginx compiled with OpenSSL 1.1.0 (without TLSv1.3 support)
will be run with OpenSSL 1.1.1 (with TLSv1.3 support).
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Tue, 23 Oct 2018 22:11:48 +0300 |
| parents | cd4fa2fab8d8 |
| children | 9ca82f273967 |
comparison
equal
deleted
inserted
replaced
| 7371:8b68d50090e4 | 7372:ed8738b1c7c4 |
|---|---|
| 341 #ifdef SSL_OP_NO_TLSv1_3 | 341 #ifdef SSL_OP_NO_TLSv1_3 |
| 342 SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3); | 342 SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3); |
| 343 if (!(protocols & NGX_SSL_TLSv1_3)) { | 343 if (!(protocols & NGX_SSL_TLSv1_3)) { |
| 344 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3); | 344 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3); |
| 345 } | 345 } |
| 346 #endif | |
| 347 | |
| 348 #ifdef SSL_CTX_set_min_proto_version | |
| 349 SSL_CTX_set_min_proto_version(ssl->ctx, 0); | |
| 350 SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION); | |
| 346 #endif | 351 #endif |
| 347 | 352 |
| 348 #ifdef TLS1_3_VERSION | 353 #ifdef TLS1_3_VERSION |
| 349 SSL_CTX_set_min_proto_version(ssl->ctx, 0); | 354 SSL_CTX_set_min_proto_version(ssl->ctx, 0); |
| 350 SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION); | 355 SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION); |