diff options
author | Maxim Dounin <mdounin@mdounin.ru> | 2018-10-23 22:11:48 +0300 |
---|---|---|
committer | Maxim Dounin <mdounin@mdounin.ru> | 2018-10-23 22:11:48 +0300 |
commit | 04618d00e0775b78ca3349da54366d7bcb4d1774 (patch) | |
tree | e93e40884c6ac689b2ea04072bde722fcd525456 | |
parent | b0f29fab4cfb3fc884ff9f2e7581ee1108bf6db7 (diff) |
SSL: explicitly set maximum version (ticket #1654).
With maximum version explicitly set, TLSv1.3 will not be unexpectedly
enabled if nginx compiled with OpenSSL 1.1.0 (without TLSv1.3 support)
will be run with OpenSSL 1.1.1 (with TLSv1.3 support).
-rw-r--r-- | src/event/ngx_event_openssl.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c index 7dcd1cc37..c4b51b54a 100644 --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -330,6 +330,11 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data) } #endif +#ifdef SSL_CTX_set_min_proto_version + SSL_CTX_set_min_proto_version(ssl->ctx, 0); + SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION); +#endif + #ifdef TLS1_3_VERSION SSL_CTX_set_min_proto_version(ssl->ctx, 0); SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION); |