security: bump minimum tls version for openssl to TLS 1.3 (#1405)

braindigitalis · web-flow · commit dfc6362134a4 · 2025-03-27T22:46:44.000Z
diff --git a/src/dpp/ssl_context.cpp b/src/dpp/ssl_context.cpp
@@ -73,10 +73,10 @@ wrapped_ssl_ctx* generate_ssl_context(uint16_t port, const std::string &private_
 	}
 
 	/* This sets the allowed SSL/TLS versions for the connection.
-	 * Do not allow SSL 3.0, TLS 1.0 or 1.1
+	 * Do not allow SSL 3.0, TLS < 1.3
 	 * https://www.packetlabs.net/posts/tls-1-1-no-longer-secure/
 	 */
-	if (!SSL_CTX_set_min_proto_version(context->context, TLS1_2_VERSION)) {
+	if (!SSL_CTX_set_min_proto_version(context->context, TLS1_3_VERSION)) {
 		throw dpp::connection_exception(err_ssl_version, "Failed to set minimum SSL version!");
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -73,10 +73,10 @@ wrapped_ssl_ctx* generate_ssl_context(uint16_t port, const std::string &private_`
`73`	`73`	`}`
`74`	`74`
`75`	`75`	`/* This sets the allowed SSL/TLS versions for the connection.`
`76`		`- * Do not allow SSL 3.0, TLS 1.0 or 1.1`
	`76`	`+ * Do not allow SSL 3.0, TLS < 1.3`
`77`	`77`	`* https://www.packetlabs.net/posts/tls-1-1-no-longer-secure/`
`78`	`78`	`*/`
`79`		`- if (!SSL_CTX_set_min_proto_version(context->context, TLS1_2_VERSION)) {`
	`79`	`+ if (!SSL_CTX_set_min_proto_version(context->context, TLS1_3_VERSION)) {`
`80`	`80`	`throw dpp::connection_exception(err_ssl_version, "Failed to set minimum SSL version!");`
`81`	`81`	`}`
`82`	`82`