This is an automated email from the ASF dual-hosted git repository.

cmcfarlen pushed a commit to branch 10.0.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git

commit a356cc938a5a2a8eb20e40a754a425a990bdd042
Author: Masakazu Kitajo <[email protected]>
AuthorDate: Mon Nov 4 16:32:45 2024 -0700

    Enable TLS 1.0 and 1.1 internally (#11837)
    
    BoringSSL bumped the default minimum TLS to 1.2. ATS is affected by this 
change because it expects that TLS 1.0 and 1.1 are enabled by default.
    
https://boringssl.googlesource.com/boringssl/+/e95b0cad901abd49755d2a2a2f1f6c3e87d12b94
    
    Although this change enables the old versions internally, the default ATS 
setting disables those.
    Only users who enable the old versions and use newer BoringSSL are affected.
    
    (cherry picked from commit 191ba946e7d3cefe1253bd0e983eb2a78b3f424e)
---
 src/iocore/net/SSLUtils.cc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/iocore/net/SSLUtils.cc b/src/iocore/net/SSLUtils.cc
index a3cff533f8..82928f2e58 100644
--- a/src/iocore/net/SSLUtils.cc
+++ b/src/iocore/net/SSLUtils.cc
@@ -1254,6 +1254,7 @@ 
SSLMultiCertConfigLoader::init_server_ssl_ctx(CertLoadData const &data, const SS
     Dbg(dbg_ctl_ssl_load, "Creating new context %p cert_count=%ld initial: 
%s", ctx, cert_names_list.size(),
         cert_names_list[0].c_str());
 
+    SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
     SSL_CTX_set_options(ctx, _params->ssl_ctx_options);
 
     if (_params->server_tls_ver_min >= 0 || _params->server_tls_ver_max >= 0) {
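Review bot: The added `SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);` lowers the protocol floor on every server context, with no comment explaining why and no check of its result. After this line, TLS 1.0/1.1 stay disabled only through what `_params->ssl_ctx_options` carries (presumably the `SSL_OP_NO_TLSv1`/`SSL_OP_NO_TLSv1_1` bits) or through the `server_tls_ver_min` branch that opens on the hunk's last line; that branch's body is outside the hunk. A comment should state this dependency, for example `// Reset the library default floor (newer BoringSSL starts at TLS 1.2); the versions actually offered are decided by ssl_ctx_options and server_tls_ver_min below.` The call returns 0 on failure, so I would also test the result and report it through the existing `Dbg(dbg_ctl_ssl_load, ...)` channel. Otherwise a library that rejects the value silently keeps its own default.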
