Mercurial > hg > nginx
changeset 7421:11be3c0723bd stable-1.14
SSL: explicitly set maximum version (ticket #1654).
With maximum version explicitly set, TLSv1.3 will not be unexpectedly
enabled if nginx compiled with OpenSSL 1.1.0 (without TLSv1.3 support)
will be run with OpenSSL 1.1.1 (with TLSv1.3 support).
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Tue, 23 Oct 2018 22:11:48 +0300 |
| parents | b3a4f6d23e82 |
| children | 2dad54c2b8ed |
| files | src/event/ngx_event_openssl.c |
| diffstat | 1 files changed, 5 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -330,6 +330,11 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_ } #endif +#ifdef SSL_CTX_set_min_proto_version + SSL_CTX_set_min_proto_version(ssl->ctx, 0); + SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION); +#endif + #ifdef TLS1_3_VERSION SSL_CTX_set_min_proto_version(ssl->ctx, 0); SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION);