SSL: explicitly set maximum version (ticket #1654).

With maximum version explicitly set, TLSv1.3 will not be unexpectedly enabled if nginx compiled with OpenSSL 1.1.0 (without TLSv1.3 support) will be run with OpenSSL 1.1.1 (with TLSv1.3 support).
author: Maxim Dounin <mdounin@mdounin.ru> 2018-10-23 22:11:48 +0300
committer: Maxim Dounin <mdounin@mdounin.ru> 2018-10-23 22:11:48 +0300
commit: 471d077fdd9f677da80d6a8a34ac76c44e201872 (patch)
tree: bfd2c9f8eb90619e269800fb5756ecaba46ffb0c /src/event/ngx_event_openssl.c
parent: 1305b8414d22610b0820f6df5841418bf98fc370 (diff)
download: nginx-471d077fdd9f677da80d6a8a34ac76c44e201872.tar.gz
nginx-471d077fdd9f677da80d6a8a34ac76c44e201872.tar.bz2
1 files changed, 5 insertions, 0 deletions
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 751291348..2c384a4dd 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -345,6 +345,11 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
     }
 #endif
 
+#ifdef SSL_CTX_set_min_proto_version
+    SSL_CTX_set_min_proto_version(ssl->ctx, 0);
+    SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION);
+#endif
+
 #ifdef TLS1_3_VERSION
     SSL_CTX_set_min_proto_version(ssl->ctx, 0);
     SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION);
author	Maxim Dounin <mdounin@mdounin.ru>	2018-10-23 22:11:48 +0300
committer	Maxim Dounin <mdounin@mdounin.ru>	2018-10-23 22:11:48 +0300
commit	471d077fdd9f677da80d6a8a34ac76c44e201872 (patch)
tree	bfd2c9f8eb90619e269800fb5756ecaba46ffb0c /src/event/ngx_event_openssl.c
parent	1305b8414d22610b0820f6df5841418bf98fc370 (diff)
download	nginx-471d077fdd9f677da80d6a8a34ac76c44e201872.tar.gz nginx-471d077fdd9f677da80d6a8a34ac76c44e201872.tar.bz2