# HG changeset patch
# User Maxim Dounin
# Date 1540321908 -10800
# Node ID ed8738b1c7c491fcce2537edb765feaa921ad1fd
# Parent 8b68d50090e4f134a35da60146fefd5e63770759
SSL: explicitly set maximum version (ticket #1654). With maximum version explicitly set, TLSv1.3 will not be unexpectedly enabled if nginx compiled with OpenSSL 1.1.0 (without TLSv1.3 support) will be run with OpenSSL 1.1.1 (with TLSv1.3 support).
diff -r 8b68d50090e4 -r ed8738b1c7c4 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Wed Oct 03 14:08:51 2018 +0300
+++ b/src/event/ngx_event_openssl.c Tue Oct 23 22:11:48 2018 +0300
@@ -345,6 +345,11 @@
 }
 #endif
 
+#ifdef SSL_CTX_set_min_proto_version
+ SSL_CTX_set_min_proto_version(ssl->ctx, 0);
+ SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION);
+#endif
+
 #ifdef TLS1_3_VERSION
 SSL_CTX_set_min_proto_version(ssl->ctx, 0);
 SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION);
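Review bot: The return value of `SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION)` in the added block is ignored, so if the call fails the context silently keeps the library's default maximum, which is the case this commit is meant to rule out. OpenSSL documents these calls as returning 1 on success and 0 on error; checking for 0 and failing context creation the way the enclosing function reports its other SSL_CTX errors would make the cap dependable. The `#ifdef SSL_CTX_set_min_proto_version` guard only fires where that name is a preprocessor macro, so a TLS library that provides it as a plain function would skip the cap without any warning; a short comment such as `/* cap at TLSv1.2 by default; raised below when TLS1_3_VERSION is known at build time */` would record that, and would explain why the minimum and maximum are set twice on TLSv1.3-capable builds. The enclosing function and the end of the `TLS1_3_VERSION` block lie outside the hunk.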