Browse Source

[mod_openssl] default to set MinProtocol TLSv1.2

(behavior change)

TLSv1.0 and TLSv1.1 are deprecated and no longer supported by major
browsers.

MinProtocol is configurable, if required:
e.g. ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.1")

x-ref:
  https://news.netcraft.com/archives/2020/03/03/browsers-on-track-to-block-850000-tls-1-0-sites.html
personal/stbuehler/ci-build
Glenn Strauss 1 year ago
parent
commit
8a1ddce0c2
  1. 9
      src/mod_openssl.c

9
src/mod_openssl.c

@ -2435,6 +2435,15 @@ network_init_ssl (server *srv, plugin_config_socket *s, plugin_data *p)
#endif
#endif
#if OPENSSL_VERSION_NUMBER >= 0x10100000L \
|| defined(BORINGSSL_API_VERSION) \
|| defined(LIBRESSL_VERSION_NUMBER) \
|| defined(WOLFSSL_VERSION)
if (!s->ssl_use_sslv3 && !s->ssl_use_sslv2
&& !SSL_CTX_set_min_proto_version(s->ssl_ctx, TLS1_2_VERSION))
return -1;
#endif
if (s->ssl_conf_cmd && s->ssl_conf_cmd->used) {
if (0 != network_openssl_ssl_conf_cmd(srv, s)) return -1;
}

Loading…
Cancel
Save