Skip to content

Commit

Permalink
tls: re-define max supported version as 1.2
Browse files Browse the repository at this point in the history
Several secureProtocol strings allow any supported TLS version as the
maximum, but our maximum supported protocol version is TLSv1.2 even if
someone configures a build against an OpenSSL that supports TLSv1.3.

Fixes: #24658

PR-URL: #25024
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
  • Loading branch information
sam-github authored and BethGriggs committed Feb 12, 2019
1 parent 56c6686 commit 77cf877
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions src/node_crypto.cc
Original file line number Diff line number Diff line change
Expand Up @@ -484,6 +484,12 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
SSL_SESS_CACHE_NO_AUTO_CLEAR);

SSL_CTX_set_min_proto_version(sc->ctx_.get(), min_version);

if (max_version == 0) {
// Selecting some secureProtocol methods allows the TLS version to be "any
// supported", but we don't support TLSv1.3, even if OpenSSL does.
max_version = TLS1_2_VERSION;
}
SSL_CTX_set_max_proto_version(sc->ctx_.get(), max_version);
// OpenSSL 1.1.0 changed the ticket key size, but the OpenSSL 1.0.x size was
// exposed in the public API. To retain compatibility, install a callback
Expand Down

0 comments on commit 77cf877

Please sign in to comment.