Skip to content
Permalink
Browse files

tls: re-define max supported version as 1.2

Several secureProtocol strings allow any supported TLS version as the
maximum, but our maximum supported protocol version is TLSv1.2 even if
someone configures a build against an OpenSSL that supports TLSv1.3.

Fixes: #24658

PR-URL: #25024
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
  • Loading branch information...
sam-github authored and BethGriggs committed Nov 28, 2018
1 parent 56c6686 commit 77cf877ea2b36436d6ad93558fa4fc966f306465
Showing with 6 additions and 0 deletions.
  1. +6 −0 src/node_crypto.cc
@@ -484,6 +484,12 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
SSL_SESS_CACHE_NO_AUTO_CLEAR);

SSL_CTX_set_min_proto_version(sc->ctx_.get(), min_version);

if (max_version == 0) {
// Selecting some secureProtocol methods allows the TLS version to be "any
// supported", but we don't support TLSv1.3, even if OpenSSL does.
max_version = TLS1_2_VERSION;
}
SSL_CTX_set_max_proto_version(sc->ctx_.get(), max_version);
// OpenSSL 1.1.0 changed the ticket key size, but the OpenSSL 1.0.x size was
// exposed in the public API. To retain compatibility, install a callback

0 comments on commit 77cf877

Please sign in to comment.
You can’t perform that action at this time.