SSL: added support for TLSv1.3 in ssl_protocols directive.

author Sergey Kandaurov <pluknet@nginx.com>

Tue, 18 Apr 2017 12:12:38 +0000 (15:12 +0300)

committer Sergey Kandaurov <pluknet@nginx.com>

Tue, 18 Apr 2017 12:12:38 +0000 (15:12 +0300)
author Sergey Kandaurov <pluknet@nginx.com>
Tue, 18 Apr 2017 12:12:38 +0000 (15:12 +0300)
committer Sergey Kandaurov <pluknet@nginx.com>
Tue, 18 Apr 2017 12:12:38 +0000 (15:12 +0300)
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c

index 8c7c67704cdd35af5bc5b375d747e96d0830b092..eb418314da2ef729a15b2c9615024993ab3eb26a 100644 (file)
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -323,6 +323,12 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
          SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
      }
  #endif
+#ifdef SSL_OP_NO_TLSv1_3
+    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
+    if (!(protocols & NGX_SSL_TLSv1_3)) {
+        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
+    }
+#endif
  
  #ifdef SSL_OP_NO_COMPRESSION
      SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h

index e093e10c565c86f629430e54aee4f373487caa9b..607ee90116e946faf881b98a87224c4236398721 100644 (file)
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -131,6 +131,7 @@ typedef struct {
  #define NGX_SSL_TLSv1    0x0008
  #define NGX_SSL_TLSv1_1  0x0010
  #define NGX_SSL_TLSv1_2  0x0020
+#define NGX_SSL_TLSv1_3  0x0040
  
  
  #define NGX_SSL_BUFFER   1
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c

index e594d069aa753fcf06c38a92e8bdb6817ac6b48c..0fee2c2c41630046e6adb6c24f14717b5e12d4fe 100644 (file)
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -235,6 +235,7 @@ static ngx_conf_bitmask_t  ngx_http_proxy_ssl_protocols[] = {
      { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
      { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
      { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
+    { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
      { ngx_null_string, 0 }
  };
  
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c

index 2771ac1f68c7d2f33f50ab11aae0901deea5a8a5..b466e5d9601992b3a3feb6936cea99b4430880ab 100644 (file)
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -57,6 +57,7 @@ static ngx_conf_bitmask_t  ngx_http_ssl_protocols[] = {
      { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
      { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
      { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
+    { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
      { ngx_null_string, 0 }
  };
  
diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c

index b7e7c1212a1ca67b317b0ae7c528387874bf51fd..26443bb4bc1dbdd4aaaeb78866956a02084d72f7 100644 (file)
--- a/src/http/modules/ngx_http_uwsgi_module.c
+++ b/src/http/modules/ngx_http_uwsgi_module.c
@@ -129,6 +129,7 @@ static ngx_conf_bitmask_t  ngx_http_uwsgi_ssl_protocols[] = {
      { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
      { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
      { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
+    { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
      { ngx_null_string, 0 }
  };
  
diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c

index fbc9bc74b12eb6de4423556dcd0374640fe24ed7..aebd179d0cca2bbcc9366a2d8576907be10ad39a 100644 (file)
--- a/src/mail/ngx_mail_ssl_module.c
+++ b/src/mail/ngx_mail_ssl_module.c
@@ -42,6 +42,7 @@ static ngx_conf_bitmask_t  ngx_mail_ssl_protocols[] = {
      { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
      { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
      { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
+    { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
      { ngx_null_string, 0 }
  };
  
diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c

index 81a0891dea5030ba45a80e91925b19d8e0cc5ed1..fe52cb6c1e08cf3cd72c3ab8d156f9c894e12a58 100644 (file)
--- a/src/stream/ngx_stream_proxy_module.c
+++ b/src/stream/ngx_stream_proxy_module.c
@@ -103,6 +103,7 @@ static ngx_conf_bitmask_t  ngx_stream_proxy_ssl_protocols[] = {
      { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
      { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
      { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
+    { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
      { ngx_null_string, 0 }
  };
  
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c

index 2f242b666c02399631c8c98e9fce8d432d960f42..593776b1fd9b535c6f2e65c25416ab6cda85ad03 100644 (file)
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -45,6 +45,7 @@ static ngx_conf_bitmask_t  ngx_stream_ssl_protocols[] = {
      { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
      { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
      { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
+    { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
      { ngx_null_string, 0 }
  };
author	Sergey Kandaurov <pluknet@nginx.com>
	Tue, 18 Apr 2017 12:12:38 +0000 (15:12 +0300)
committer	Sergey Kandaurov <pluknet@nginx.com>
	Tue, 18 Apr 2017 12:12:38 +0000 (15:12 +0300)
src/event/ngx_event_openssl.c		patch \| blob \| history
src/event/ngx_event_openssl.h		patch \| blob \| history
src/http/modules/ngx_http_proxy_module.c		patch \| blob \| history
src/http/modules/ngx_http_ssl_module.c		patch \| blob \| history
src/http/modules/ngx_http_uwsgi_module.c		patch \| blob \| history
src/mail/ngx_mail_ssl_module.c		patch \| blob \| history
src/stream/ngx_stream_proxy_module.c		patch \| blob \| history
src/stream/ngx_stream_ssl_module.c		patch \| blob \| history