SSL: explicitly set maximum version (ticket #1654).

With maximum version explicitly set, TLSv1.3 will not be unexpectedly enabled if nginx compiled with OpenSSL 1.1.0 (without TLSv1.3 support) will be run with OpenSSL 1.1.1 (with TLSv1.3 support).
author: Maxim Dounin <mdounin@mdounin.ru> 2018-10-23 22:11:48 +0300
committer: Maxim Dounin <mdounin@mdounin.ru> 2018-10-23 22:11:48 +0300
commit: 04618d00e0775b78ca3349da54366d7bcb4d1774 (patch)
tree: e93e40884c6ac689b2ea04072bde722fcd525456
parent: b0f29fab4cfb3fc884ff9f2e7581ee1108bf6db7 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 7dcd1cc37..c4b51b54a 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -330,6 +330,11 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
     }
 #endif
 
+#ifdef SSL_CTX_set_min_proto_version
+    SSL_CTX_set_min_proto_version(ssl->ctx, 0);
+    SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION);
+#endif
+
 #ifdef TLS1_3_VERSION
     SSL_CTX_set_min_proto_version(ssl->ctx, 0);
     SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION);
author	Maxim Dounin <mdounin@mdounin.ru>	2018-10-23 22:11:48 +0300
committer	Maxim Dounin <mdounin@mdounin.ru>	2018-10-23 22:11:48 +0300
commit	04618d00e0775b78ca3349da54366d7bcb4d1774 (patch)
tree	e93e40884c6ac689b2ea04072bde722fcd525456
parent	b0f29fab4cfb3fc884ff9f2e7581ee1108bf6db7 (diff)