SSL: explicitly set maximum version (ticket #1654).
With maximum version explicitly set, TLSv1.3 will not be unexpectedly enabled if nginx compiled with OpenSSL 1.1.0 (without TLSv1.3 support) will be run with OpenSSL 1.1.1 (with TLSv1.3 support).
This commit is contained in:
parent
93ed5b65ed
commit
f5cc8c42e1
|
@ -330,6 +330,11 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
|
|||
}
|
||||
#endif
|
||||
|
||||
#ifdef SSL_CTX_set_min_proto_version
|
||||
SSL_CTX_set_min_proto_version(ssl->ctx, 0);
|
||||
SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION);
|
||||
#endif
|
||||
|
||||
#ifdef TLS1_3_VERSION
|
||||
SSL_CTX_set_min_proto_version(ssl->ctx, 0);
|
||||
SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION);
|
||||
|
|
Loading…
Reference in New Issue