git.kaiwu.me - nginx.git/commit

]> git.kaiwu.me - nginx.git/commit

projects / nginx.git / commit

summary | shortlog | log | commit | commitdiff | tree
(parent: b157288) | patch

author	Maxim Dounin <mdounin@mdounin.ru>
	Mon, 6 Aug 2018 23:15:28 +0000 (02:15 +0300)
committer	Maxim Dounin <mdounin@mdounin.ru>
	Mon, 6 Aug 2018 23:15:28 +0000 (02:15 +0300)
commit	b0f29fab4cfb3fc884ff9f2e7581ee1108bf6db7
tree	2c9cf31b202a9b4185a7c74581ac981ee5409576	tree \| snapshot
parent	b157288e71d836872022bc111da4fae8e8b74974	commit \| diff

SSL: enabled TLSv1.3 with BoringSSL.

BoringSSL currently requires SSL_CTX_set_max_proto_version(TLS1_3_VERSION)
to be able to enable TLS 1.3.  This is because by default max protocol
version is set to TLS 1.2, and the SSL_OP_NO_* options are merely used
as a blacklist within the version range specified using the
SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version()
functions.

With this change, we now call SSL_CTX_set_max_proto_version() with an
explicit maximum version set.  This enables TLS 1.3 with BoringSSL.
As a side effect, this change also limits maximum protocol version to
the newest protocol we know about, TLS 1.3.  This seems to be a good
change, as enabling unknown protocols might have unexpected results.

Additionally, we now explicitly call SSL_CTX_set_min_proto_version()
with 0.  This is expected to help with Debian system-wide default
of MinProtocol set to TLSv1.2, see
http://mailman.nginx.org/pipermail/nginx-ru/2017-October/060411.html.

Note that there is no SSL_CTX_set_min_proto_version macro in BoringSSL,
so we call SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version()
as long as the TLS1_3_VERSION macro is defined.

src/event/ngx_event_openssl.c

diff | blob | history

nginx upstream