Commit a356cc9

maskit authored and cmcfarlen committed
Enable TLS 1.0 and 1.1 internally (#11837)
BoringSSL bumped the default minimum TLS to 1.2. ATS is affected by this change because it expects that TLS 1.0 and 1.1 are enabled by default.
https://boringssl.googlesource.com/boringssl/+/e95b0cad901abd49755d2a2a2f1f6c3e87d12b94

Although this change enables the old versions internally, the default ATS setting disables those. Only users who enable the old versions and use newer BoringSSL are affected.

(cherry picked from commit 191ba94)
1 parent 8f16f2d commit a356cc9

1 file changed: +1 -0 lines changed

src/iocore/net/SSLUtils.cc

Lines changed: 1 addition & 0 deletions
@@ -1254,6 +1254,7 @@ SSLMultiCertConfigLoader::init_server_ssl_ctx(CertLoadData const &data, const SS
12541254
Dbg(dbg_ctl_ssl_load, "Creating new context %p cert_count=%ld initial: %s", ctx, cert_names_list.size(),
12551255
cert_names_list[0].c_str());
12561256

1257+
SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
12571258
SSL_CTX_set_options(ctx, _params->ssl_ctx_options);
12581259

12591260
if (_params->server_tls_ver_min >= 0 || _params->server_tls_ver_max >= 0) {
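
Review bot: The added `SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);` at new line 1257 lowers the context's protocol floor to TLS 1.0 with no comment and without checking its return value. A short comment stating that the call only undoes the library's new 1.2 default, and that the effective minimum still comes from `_params->ssl_ctx_options` and the `server_tls_ver_min` / `server_tls_ver_max` branch just below, would keep a later reader from treating it as a policy change or from reordering it after those lines. The call returns 0 on failure, so logging that case would make a rejected floor visible instead of silently leaving the library default in place. Because correctness now depends on the following lines re-tightening the floor, a regression test that a default configuration still refuses TLS 1.0 and 1.1 handshakes would be worth adding with this change.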
