[mod_openssl] default to set MinProtocol TLSv1.2

(behavior change) TLSv1.0 and TLSv1.1 are deprecated and no longer supported by major browsers. MinProtocol is configurable, if required: e.g. ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.1") x-ref: https://news.netcraft.com/archives/2020/03/03/browsers-on-track-to-block-850000-tls-1-0-sites.html
3 years ago · 8a1ddce0c2
parent 8422fa4573
commit 8a1ddce0c2
1 changed files with 9 additions and 0 deletions
--- a/src/mod_openssl.c
+++ b/src/mod_openssl.c
@ -2435,6 +2435,15 @@ network_init_ssl (server *srv, plugin_config_socket *s, plugin_data *p)
       #endif
      #endif

+      #if OPENSSL_VERSION_NUMBER >= 0x10100000L \
+       || defined(BORINGSSL_API_VERSION) \
+       || defined(LIBRESSL_VERSION_NUMBER) \
+       || defined(WOLFSSL_VERSION)
+        if (!s->ssl_use_sslv3 && !s->ssl_use_sslv2
+            && !SSL_CTX_set_min_proto_version(s->ssl_ctx, TLS1_2_VERSION))
+            return -1;
+      #endif
+
        if (s->ssl_conf_cmd && s->ssl_conf_cmd->used) {
            if (0 != network_openssl_ssl_conf_cmd(srv, s)) return -1;
        }