[nginx] SSL: explicitly set maximum version (ticket #1654).
Maxim Dounin
mdounin at mdounin.ru
Tue Dec 4 13:37:09 UTC 2018
details: https://hg.nginx.org/nginx/rev/11be3c0723bd
branches: stable-1.14
changeset: 7421:11be3c0723bd
user: Maxim Dounin <mdounin at mdounin.ru>
date: Tue Oct 23 22:11:48 2018 +0300
description:
SSL: explicitly set maximum version (ticket #1654).
With maximum version explicitly set, TLSv1.3 will not be unexpectedly
enabled if nginx compiled with OpenSSL 1.1.0 (without TLSv1.3 support)
will be run with OpenSSL 1.1.1 (with TLSv1.3 support).
diffstat:
src/event/ngx_event_openssl.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diffs (15 lines):
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -330,6 +330,11 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_
}
#endif
+#ifdef SSL_CTX_set_min_proto_version
+ SSL_CTX_set_min_proto_version(ssl->ctx, 0);
+ SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION);
+#endif
+
#ifdef TLS1_3_VERSION
SSL_CTX_set_min_proto_version(ssl->ctx, 0);
SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION);
More information about the nginx-devel
mailing list