CERBERUS/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2026-05-13 17:46:53 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
The official NGINX Open Source repository. https://nginx.org/
6374 commits 23 branches 587 tags 85 MiB
Find a file
Maxim Dounin b0f29fab4c SSL: enabled TLSv1.3 with BoringSSL. 
BoringSSL currently requires SSL_CTX_set_max_proto_version(TLS1_3_VERSION)
to be able to enable TLS 1.3.  This is because by default max protocol
version is set to TLS 1.2, and the SSL_OP_NO_* options are merely used
as a blacklist within the version range specified using the
SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version()
functions.

With this change, we now call SSL_CTX_set_max_proto_version() with an
explicit maximum version set.  This enables TLS 1.3 with BoringSSL.
As a side effect, this change also limits maximum protocol version to
the newest protocol we know about, TLS 1.3.  This seems to be a good
change, as enabling unknown protocols might have unexpected results.

Additionally, we now explicitly call SSL_CTX_set_min_proto_version()
with 0.  This is expected to help with Debian system-wide default
of MinProtocol set to TLSv1.2, see
http://mailman.nginx.org/pipermail/nginx-ru/2017-October/060411.html.

Note that there is no SSL_CTX_set_min_proto_version macro in BoringSSL,
so we call SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version()
as long as the TLS1_3_VERSION macro is defined.
2018-08-07 02:15:28 +03:00
auto Configure: restored "no-threads" in OpenSSL builds. 2018-03-22 15:56:07 +03:00
conf MIME: added most common OpenDocument types. 2017-10-02 19:07:01 +03:00
contrib Contrib: vim syntax, update core and 3rd party module directives. 2018-03-18 11:11:14 +02:00
docs nginx-1.14.1-RELEASE 2018-11-06 16:52:46 +03:00
misc Updated OpenSSL used for win32 builds. 2018-08-28 15:05:41 +03:00
src SSL: enabled TLSv1.3 with BoringSSL. 2018-08-07 02:15:28 +03:00
.hgtags release-1.14.1 tag 2018-11-06 16:52:46 +03:00