)]}'
{
  "commit": "7922dfffe259deffb28870c273aa6cebb02bceef",
  "tree": "2c9cf31b202a9b4185a7c74581ac981ee5409576",
  "parents": [
    "c70e67e908e51a30bb63c251a3129f7ea0234358"
  ],
  "author": {
    "name": "Maxim Dounin",
    "email": "mdounin@mdounin.ru",
    "time": "Tue Aug 07 02:15:28 2018 +0300"
  },
  "committer": {
    "name": "Maxim Dounin",
    "email": "mdounin@mdounin.ru",
    "time": "Tue Aug 07 02:15:28 2018 +0300"
  },
  "message": "SSL: enabled TLSv1.3 with BoringSSL.\n\nBoringSSL currently requires SSL_CTX_set_max_proto_version(TLS1_3_VERSION)\nto be able to enable TLS 1.3.  This is because by default max protocol\nversion is set to TLS 1.2, and the SSL_OP_NO_* options are merely used\nas a blacklist within the version range specified using the\nSSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version()\nfunctions.\n\nWith this change, we now call SSL_CTX_set_max_proto_version() with an\nexplicit maximum version set.  This enables TLS 1.3 with BoringSSL.\nAs a side effect, this change also limits maximum protocol version to\nthe newest protocol we know about, TLS 1.3.  This seems to be a good\nchange, as enabling unknown protocols might have unexpected results.\n\nAdditionally, we now explicitly call SSL_CTX_set_min_proto_version()\nwith 0.  This is expected to help with Debian system-wide default\nof MinProtocol set to TLSv1.2, see\nhttp://mailman.nginx.org/pipermail/nginx-ru/2017-October/060411.html.\n\nNote that there is no SSL_CTX_set_min_proto_version macro in BoringSSL,\nso we call SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version()\nas long as the TLS1_3_VERSION macro is defined.\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "01b3404a5dce128f9bb9c5575e84dc86de33f3c0",
      "old_mode": 33188,
      "old_path": "src/event/ngx_event_openssl.c",
      "new_id": "7dcd1cc37c43ee90eb88b50fdf82c7f190f61ca9",
      "new_mode": 33188,
      "new_path": "src/event/ngx_event_openssl.c"
    }
  ]
}