Explicit disable TLSv1.3 in the OpenSSL options if not supported (#13066

) Motivation: If TLSv1.3 is not supported we should set SSL_OP_NO_TLSv1_3 explicit to ensure we never "advertise" it. Modifications: Set SSL_OP_NO_TLSv1_3 if TLSv1.3 is not supported Result: Fixes #12968
netty · Dec 21, 2022 · cc25510 · cc25510
1 parent c7031a3
commit cc25510
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/handler/src/main/java/io/netty5/handler/ssl/ReferenceCountedOpenSslContext.java b/handler/src/main/java/io/netty5/handler/ssl/ReferenceCountedOpenSslContext.java
@@ -346,6 +346,12 @@ public ApplicationProtocolConfig.SelectedListenerFailureBehavior selectedListene
                         | SSL.SSL_OP_NO_TLSv1_1 | SSL.SSL_OP_NO_TLSv1_2;
             }
 
+            if (!tlsv13Supported) {
+                // Explicit disable TLSv1.3
+                // See https://github.com/netty/netty/issues/12968
+                options |= SSL.SSL_OP_NO_TLSv1_3;
+            }
+
             SSLContext.setOptions(ctx, options);
 
             // We need to enable SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER as the memory address may change between