[nginx] SSL: explicitly set maximum version (ticket #1654).

Maxim Dounin mdounin at mdounin.ru
Tue Dec 4 13:37:09 UTC 2018


details:   https://hg.nginx.org/nginx/rev/11be3c0723bd
branches:  stable-1.14
changeset: 7421:11be3c0723bd
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Tue Oct 23 22:11:48 2018 +0300
description:
SSL: explicitly set maximum version (ticket #1654).

With maximum version explicitly set, TLSv1.3 will not be unexpectedly
enabled if nginx compiled with OpenSSL 1.1.0 (without TLSv1.3 support)
will be run with OpenSSL 1.1.1 (with TLSv1.3 support).

diffstat:

 src/event/ngx_event_openssl.c |  5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diffs (15 lines):

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -330,6 +330,11 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_
     }
 #endif
 
+#ifdef SSL_CTX_set_min_proto_version
+    SSL_CTX_set_min_proto_version(ssl->ctx, 0);
+    SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION);
+#endif
+
 #ifdef TLS1_3_VERSION
     SSL_CTX_set_min_proto_version(ssl->ctx, 0);
     SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION);


More information about the nginx-devel mailing list