changeset 6981:08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Support for the TLSv1.3 protocol will be introduced in OpenSSL 1.1.1.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Tue, 18 Apr 2017 15:12:38 +0300 |
parents | dbb0c854e308 |
children | ac9b1df5b246 |
files | src/event/ngx_event_openssl.c src/event/ngx_event_openssl.h src/http/modules/ngx_http_proxy_module.c src/http/modules/ngx_http_ssl_module.c src/http/modules/ngx_http_uwsgi_module.c src/mail/ngx_mail_ssl_module.c src/stream/ngx_stream_proxy_module.c src/stream/ngx_stream_ssl_module.c |
diffstat | 8 files changed, 13 insertions(+), 0 deletions(-) [+] |
--- a/src/event/ngx_event_openssl.c Tue Apr 11 16:41:53 2017 +0300
+++ b/src/event/ngx_event_openssl.c Tue Apr 18 15:12:38 2017 +0300
@@ -323,6 +323,12 @@
 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
 }
 #endif
+#ifdef SSL_OP_NO_TLSv1_3
+ SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
+ if (!(protocols & NGX_SSL_TLSv1_3)) {
+ SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
+ }
+#endif
 #ifdef SSL_OP_NO_COMPRESSION
 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
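Review bot: When the OpenSSL headers do not define `SSL_OP_NO_TLSv1_3`, this new `#ifdef` block compiles to nothing, yet the protocol tables patched in the other hunks of this changeset (http ssl/proxy/uwsgi, mail, stream) accept `TLSv1.3` unconditionally, so the parameter is silently ignored on such builds. A configuration listing only `TLSv1.3` would then presumably end up with every protocol disabled, and a mixed list would quietly run without 1.3, with nothing in the log to tell the operator which TLS versions are actually offered. Consider an `#else` branch that tests `protocols & NGX_SSL_TLSv1_3` and emits `ngx_log_error(NGX_LOG_WARN, ssl->log, 0, "TLSv1.3 is not supported by the OpenSSL library in use");`, assuming `ssl->log` is already set at this point. The enclosing function starts and ends outside the hunk, so whether the earlier protocol blocks handle this differently cannot be seen here.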
--- a/src/event/ngx_event_openssl.h Tue Apr 11 16:41:53 2017 +0300
+++ b/src/event/ngx_event_openssl.h Tue Apr 18 15:12:38 2017 +0300
@@ -131,6 +131,7 @@
 #define NGX_SSL_TLSv1 0x0008
 #define NGX_SSL_TLSv1_1 0x0010
 #define NGX_SSL_TLSv1_2 0x0020
+#define NGX_SSL_TLSv1_3 0x0040
 #define NGX_SSL_BUFFER 1
--- a/src/http/modules/ngx_http_proxy_module.c Tue Apr 11 16:41:53 2017 +0300
+++ b/src/http/modules/ngx_http_proxy_module.c Tue Apr 18 15:12:38 2017 +0300
@@ -235,6 +235,7 @@
 { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
 { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
+ { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
 { ngx_null_string, 0 }
 };
--- a/src/http/modules/ngx_http_ssl_module.c Tue Apr 11 16:41:53 2017 +0300
+++ b/src/http/modules/ngx_http_ssl_module.c Tue Apr 18 15:12:38 2017 +0300
@@ -57,6 +57,7 @@
 { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
 { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
+ { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
 { ngx_null_string, 0 }
 };
--- a/src/http/modules/ngx_http_uwsgi_module.c Tue Apr 11 16:41:53 2017 +0300
+++ b/src/http/modules/ngx_http_uwsgi_module.c Tue Apr 18 15:12:38 2017 +0300
@@ -129,6 +129,7 @@
 { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
 { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
+ { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
 { ngx_null_string, 0 }
 };
--- a/src/mail/ngx_mail_ssl_module.c Tue Apr 11 16:41:53 2017 +0300
+++ b/src/mail/ngx_mail_ssl_module.c Tue Apr 18 15:12:38 2017 +0300
@@ -42,6 +42,7 @@
 { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
 { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
+ { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
 { ngx_null_string, 0 }
 };
--- a/src/stream/ngx_stream_proxy_module.c Tue Apr 11 16:41:53 2017 +0300
+++ b/src/stream/ngx_stream_proxy_module.c Tue Apr 18 15:12:38 2017 +0300
@@ -103,6 +103,7 @@
 { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
 { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
+ { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
 { ngx_null_string, 0 }
 };
--- a/src/stream/ngx_stream_ssl_module.c Tue Apr 11 16:41:53 2017 +0300
+++ b/src/stream/ngx_stream_ssl_module.c Tue Apr 18 15:12:38 2017 +0300
@@ -45,6 +45,7 @@
 { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
 { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
+ { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
 { ngx_null_string, 0 }
 };