Welcome! Log In Create A New Profile

Advanced

[nginx] SSL: enabled TLSv1.3 with BoringSSL.

Maxim Dounin
December 04, 2018 08:38AM
details: https://hg.nginx.org/nginx/rev/b3a4f6d23e82
branches: stable-1.14
changeset: 7420:b3a4f6d23e82
user: Maxim Dounin <mdounin@mdounin.ru>
date: Tue Aug 07 02:15:28 2018 +0300
description:
SSL: enabled TLSv1.3 with BoringSSL.

BoringSSL currently requires SSL_CTX_set_max_proto_version(TLS1_3_VERSION)
to be able to enable TLS 1.3. This is because by default max protocol
version is set to TLS 1.2, and the SSL_OP_NO_* options are merely used
as a blacklist within the version range specified using the
SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version()
functions.

With this change, we now call SSL_CTX_set_max_proto_version() with an
explicit maximum version set. This enables TLS 1.3 with BoringSSL.
As a side effect, this change also limits maximum protocol version to
the newest protocol we know about, TLS 1.3. This seems to be a good
change, as enabling unknown protocols might have unexpected results.

Additionally, we now explicitly call SSL_CTX_set_min_proto_version()
with 0. This is expected to help with Debian system-wide default
of MinProtocol set to TLSv1.2, see
http://mailman.nginx.org/pipermail/nginx-ru/2017-October/060411.html.

Note that there is no SSL_CTX_set_min_proto_version macro in BoringSSL,
so we call SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version()
as long as the TLS1_3_VERSION macro is defined.

diffstat:

src/event/ngx_event_openssl.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)

diffs (15 lines):

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -330,6 +330,11 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_
}
#endif

+#ifdef TLS1_3_VERSION
+ SSL_CTX_set_min_proto_version(ssl->ctx, 0);
+ SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION);
+#endif
+
#ifdef SSL_OP_NO_COMPRESSION
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
#endif
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[nginx] SSL: enabled TLSv1.3 with BoringSSL.

Maxim Dounin 55 December 04, 2018 08:38AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 98
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready