This is an automated email from the ASF dual-hosted git repository.
maskit pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 191ba946e7 Enable TLS 1.0 and 1.1 internally (#11837)
191ba946e7 is described below
commit 191ba946e7d3cefe1253bd0e983eb2a78b3f424e
Author: Masakazu Kitajo <[email protected]>
AuthorDate: Mon Nov 4 16:32:45 2024 -0700
Enable TLS 1.0 and 1.1 internally (#11837)
BoringSSL bumped the default minimum TLS to 1.2. ATS is affected by this
change because it expects that TLS 1.0 and 1.1 are enabled by default.
https://boringssl.googlesource.com/boringssl/+/e95b0cad901abd49755d2a2a2f1f6c3e87d12b94
Although this change enables the old versions internally, the default ATS
setting disables those.
Only users who enable the old versions and use newer BoringSSL are affected.
---
src/iocore/net/SSLUtils.cc | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/iocore/net/SSLUtils.cc b/src/iocore/net/SSLUtils.cc
index b519a0778f..b3f932d32d 100644
--- a/src/iocore/net/SSLUtils.cc
+++ b/src/iocore/net/SSLUtils.cc
@@ -1231,6 +1231,7 @@
SSLMultiCertConfigLoader::init_server_ssl_ctx(CertLoadData const &data, const SS
Dbg(dbg_ctl_ssl_load, "Creating new context %p cert_count=%ld initial:
%s", ctx, cert_names_list.size(),
cert_names_list[0].c_str());
+ SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
SSL_CTX_set_options(ctx, _params->ssl_ctx_options);
if (_params->server_tls_ver_min >= 0 || _params->server_tls_ver_max >= 0) {
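Review bot: The added `SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);` call has no comment and its return value is ignored. Read on its own, the line looks like a deliberate downgrade of the protocol floor to TLS 1.0. A short comment would help, saying that it only restores the library default ATS expects (newer BoringSSL defaults to a TLS 1.2 minimum) and that the effective minimum is still decided by `_params->ssl_ctx_options` and the `server_tls_ver_min` / `server_tls_ver_max` check that follows. Without it, a later reader may remove the line or take it for the configured policy. The function returns 1 on success and 0 on failure, so consider logging or failing context creation when it returns 0 rather than continuing with whatever minimum the library chose. Also worth confirming in review: when the condition on the next line is false, the context minimum stays at TLS 1.0 and, as far as the visible lines show, only the option bits in `_params->ssl_ctx_options` keep the old versions disabled, so a test covering the default configuration against a TLS 1.0 and a TLS 1.1 client would guard against a silent regression.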