SSL: explicitly set maximum version (ticket #1654). With maximum version explicitly set, TLSv1.3 will not be unexpectedly enabled if nginx compiled with OpenSSL 1.1.0 (without TLSv1.3 support) will be run with OpenSSL 1.1.1 (with TLSv1.3 support).

commit: 797613ded997e79569ec729cfcd2b5cd6a248847 [log] [tgz]
author: Maxim Dounin <mdounin@mdounin.ru> Tue Oct 23 22:11:48 2018 +0300
committer: Maxim Dounin <mdounin@mdounin.ru> Tue Oct 23 22:11:48 2018 +0300
tree: bfd2c9f8eb90619e269800fb5756ecaba46ffb0c
parent: 746c8765d801e4cfd8495056e35c9bef3ab31f77 [diff]
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 7512913..2c384a4 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c

@@ -345,6 +345,11 @@
     }
 #endif
 
+#ifdef SSL_CTX_set_min_proto_version
+    SSL_CTX_set_min_proto_version(ssl->ctx, 0);
+    SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION);
+#endif
+
 #ifdef TLS1_3_VERSION
     SSL_CTX_set_min_proto_version(ssl->ctx, 0);
     SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION);
commit	797613ded997e79569ec729cfcd2b5cd6a248847	[log] [tgz]
author	Maxim Dounin <mdounin@mdounin.ru>	Tue Oct 23 22:11:48 2018 +0300
committer	Maxim Dounin <mdounin@mdounin.ru>	Tue Oct 23 22:11:48 2018 +0300
tree	bfd2c9f8eb90619e269800fb5756ecaba46ffb0c
parent	746c8765d801e4cfd8495056e35c9bef3ab31f77 [diff]