Google Git
Sign in
nginx/nginx/85519dc31dd0904b13af2e1f58854d5c8f1a1708^!/.
commit
85519dc31dd0904b13af2e1f58854d5c8f1a1708
[log]
author
Maxim Dounin <mdounin@mdounin.ru>
Tue Oct 23 22:11:48 2018 +0300
committer
Maxim Dounin <mdounin@mdounin.ru>
Tue Oct 23 22:11:48 2018 +0300
tree
e93e40884c6ac689b2ea04072bde722fcd525456
parent
7922dfffe259deffb28870c273aa6cebb02bceef [diff]
SSL: explicitly set maximum version (ticket #1654).

With maximum version explicitly set, TLSv1.3 will not be unexpectedly
enabled if nginx compiled with OpenSSL 1.1.0 (without TLSv1.3 support)
will be run with OpenSSL 1.1.1 (with TLSv1.3 support).

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 7dcd1cc..c4b51b5 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c

@@ -330,6 +330,11 @@
     }
 #endif
 
+#ifdef SSL_CTX_set_min_proto_version
+    SSL_CTX_set_min_proto_version(ssl->ctx, 0);
+    SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION);
+#endif
+
 #ifdef TLS1_3_VERSION
     SSL_CTX_set_min_proto_version(ssl->ctx, 0);
     SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION);